LastPass Hack-Proof: How to Up Your Security Game Instantly
It has been a couple of months since LastPass suffered what is arguably the worst data breach ever to hit the password manager industry. The way the company handled the incident, and the lack of transparency surrounding the aftermath of the attack, resulted in many users switching to rival services.
If you are a regular reader, you may be aware of our stance towards LastPass. We don't recommend using it because of past incidents and how these were handled, and advise users to migrate to Bitwarden, KeePass or 1Password. The fact remains, however, that thousands of users are still on LastPass. This article is for those who plan to continue using the service: if you are staying, you might as well take the time to ensure that your account is as secure as possible.
The first thing you need to do is use a strong, unique master password; after the data breach, I would reset it to be extra careful. The next step is to check whether two-factor authentication (2FA) is enabled for your account. It is also advisable to protect your registered email address with a strong password and its own 2FA, since that mailbox is where account-recovery requests land. That is pretty much what most people do to protect their account. There is one more thing you should do, which security experts have recommended and which we suggest to Bitwarden users as well.
Cloud-based password managers never upload your master password. Instead, the client runs it through a key derivation function (KDF), which turns the master password into the encryption key that protects your vault before the vault is uploaded; the server only ever stores the encrypted vault. LastPass uses PBKDF2 with SHA-256, and the number of times the underlying hash is repeated is the iteration count. LastPass' default is 100,100 rounds. The higher the count, the more work an attacker who has stolen an encrypted vault must do for every master-password guess, so the count directly determines how long a brute-force attack on a leaked vault takes. The LastPass default is below what the Open Web Application Security Project (OWASP) currently recommends for PBKDF2-HMAC-SHA256, which is 600,000 iterations. Here is how to raise it.
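To make the effect of the iteration count concrete, here is an added example (not code from the original article or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256 from Python's standard library, checks a configured count against the OWASP floor, and shows why raising the count both slows an attacker and forces the vault to be re-encrypted. The master password, the salt bytes and the "legacy" count of 5,000 are constructed for the demo; only the 100,100 and 600,000 figures come from the text.

```python
# Added example, not code from the original article or from LastPass.
# Shows why the PBKDF2 iteration count matters: the master password is never
# uploaded; the client derives the vault encryption key from it, and every
# offline guess an attacker makes against a stolen vault costs one full
# PBKDF2 run. The master password, salt and the LEGACY_LOW count are
# constructed/assumed for the demo.
import hashlib
import time

LASTPASS_DEFAULT = 100_100     # LastPass default at the time of the article
OWASP_RECOMMENDED = 600_000    # OWASP figure for PBKDF2-HMAC-SHA256
LEGACY_LOW = 5_000             # assumed example of a low count on an old account


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The salt is a per-account value; the demo passes a constructed byte
    string rather than anything LastPass-specific.
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def meets_owasp_floor(iterations: int) -> bool:
    """The check a user should make against the 'Password Iterations' field."""
    return iterations >= OWASP_RECOMMENDED


def attacker_cost_factor(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 work is linear in the iteration count, so raising it from
    old to new multiplies the attacker's per-guess cost by new/old."""
    return new_iterations / old_iterations


def needs_reencryption(master_password: str, salt: bytes,
                       old_iterations: int, new_iterations: int) -> bool:
    """Changing the count changes the derived key, which is why LastPass has
    to re-encrypt the vault (and why it asks for the master password)."""
    old_key = derive_vault_key(master_password, salt, old_iterations)
    new_key = derive_vault_key(master_password, salt, new_iterations)
    return old_key != new_key


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Rough local benchmark: how many master-password guesses per second one
    CPU core manages at this count. Real attackers use GPUs and are far
    faster, but the ratio between counts is what matters."""
    salt = b"constructed-demo-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = b"constructed-demo-salt"
    for count in (LEGACY_LOW, LASTPASS_DEFAULT, OWASP_RECOMMENDED):
        status = "ok" if meets_owasp_floor(count) else "below OWASP floor"
        print(f"{count:>8} iterations: {status}, "
              f"~{guesses_per_second(count):.1f} guesses/s on this core")
    print("default -> OWASP cost factor:",
          round(attacker_cost_factor(LASTPASS_DEFAULT, OWASP_RECOMMENDED), 2))
    print("key changes on rekey:",
          needs_reencryption("correct horse battery staple", salt,
                             LASTPASS_DEFAULT, OWASP_RECOMMENDED))
```

Running it shows that going from 100,100 to 600,000 rounds makes each guess roughly six times more expensive, and that an old account stuck at a few thousand rounds is more than a hundred times cheaper to attack than one at the OWASP figure. The benchmark numbers themselves will vary by machine; the ratios are what carry over to an attacker's hardware.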
Warning: Changing the iteration count will log you out of your devices, apps and extensions, and you will need to reauthenticate them. Before you start, take a backup of your vault by exporting the credentials from the Vault's Advanced Options > Export option. Keep in mind that the export is a plain-text CSV file, so store it somewhere encrypted and delete it once you have confirmed the vault still opens. The process re-encrypts your data, and unlocking the vault will take slightly longer afterwards, because the client has to run more rounds of the KDF each time.
How to increase the server-side KDF iterations in LastPass
1. Log in to your LastPass account at https://lastpass.com/.
2. It should load your vault's page. Click on Account Settings in the side panel to the left.
3. A panel pops into view. Hit the Show Advanced Settings button. It will cause the pop-up to scroll down slightly.
4. Scroll further down the page until you see Password Iterations. By default it is set to 100100.
5. Click on the box, and change the value to 600000.
6. Click the Update button, and LastPass will prompt you to enter your master password.
LastPass will log you out of your account and re-encrypt the data. You can then log back in and continue using it; your other devices, apps and extensions will ask you to sign in again.
Note: If you have been using LastPass for a long time, chances are that your account has a lower iteration count than 100100. Older accounts were created with much lower defaults, in some reported cases 5,000 rounds or even a single round, and LastPass did not automatically migrate existing accounts when it raised the default, or prompt those users to do so, which security experts have strongly criticized. Whatever value the Password Iterations field shows, if it is below 600000, raise it.