Local and Global Security Options

LastPass provides a safer online experience that helps protect your identity by allowing you to create unique, complex passwords for all of your Sites, in addition to securely storing this information using local encryption. This means that you only have to remember a single strong password, your LastPass Master Password.

However, LastPass knows that one size does not fit all when balancing security and ease of use, so we allow you to decide by providing a full range of security options. The default values chosen will certainly not satisfy everyone, and we strongly encourage you to review the settings in both your Web Browser Extension Preferences and your Account Settings (Open my VaultAccount Settings) shortly after creating your account.

Email verification

In order to be able to verify that you have access to the email address you use for your LastPass account, you are required to verify it at least once. Verifying your email address means that LastPass sends you an email that contains a link you must click on in order to verify that you have access to that email address. LastPass uses this as a preliminary means of verification, which is required initially when you set up your account, and must be done before using the following features:

Web browser extension Security options

  • Automatically Log out when all browsers are closed – Specify when LastPass should log out of your session upon closing all web browsers that are in session with LastPass. Check the box to enable this feature, and when you relaunch a web browser, you will be asked to enter your Master Password. If you want to stay logged in to LastPass upon browser close, leave the box unchecked. This setting is disabled by default.

  • Automatically Log out after idle – Specify the maximum amount of idle time (no keyboard and mouse activity) that you want to have pass before LastPass automatically logs your account out of all active sessions across all web browsers. After the specified amount of time (in minutes), an inactive LastPass icon is displayed to indicate that you have been logged out. If you want to remain logged in to your LastPass account via the web browser extension regardless of idle time, leave this setting unchecked. This setting is disabled by default.

  • Require Password Reprompt – If you want to protect a particular Site, Secure Note, or Form Fill Profile so that any access using the information stored in LastPass requires your Master Password, you can check the box to enable this option while accessing the Edit window for the entry. This provides very specified control of individual sites, such as a bank login, where you may want additional security. Please note reprompt is not as strong as logging off, we’d recommend utilizing the above logoff options to fully protect your data. Learn more.

  • Clear Clipboard after use – LastPass is set to clear your clipboard after a default amount of time. If you’ve been copy/pasting your secure data into login fields or web forms, this ensures that your data cannot be compromised by being left on the clipboard. You must have the binary component installed for this option.

Global Security options

  • Website Auto-Logoff – Access this option from Open my VaultAccount SettingsGeneralSecurity to control how long your session exists on the server, allowing you to automatically log in when using the Web Browser Extension. This assumes that your session does not get destroyed by methods such as explicitly logging out or closing the web browser when the "Automatically Log out when browser is closed" option is enabled.

  • Bookmarklet Auto-Logoff – Similar to ‘Website auto-logoff timeout’ except applies to LastPass bookmarklets. This preference can also be managed from Open my VaultAccount SettingsGeneral > Security.

  • Re-prompt for Master Password – This setting controls if the Master Password must be entered when performing tasks that access sensitive information (i.e., access an Identity, access a Site's password, access a Site, access a Secure Note, access a Form Fill profile, and Log into a Site). You can update these settings from Open my VaultAccount SettingsGeneralShow Advanced Settings > Re-prompt for Master Password. Checking one of these boxes will apply the action to every Site, Secure Note, or Form Fill profile that you have. If you want more granular control, use the Require Password Reprompt method.  Learn more.

  • Destroy Sessions – If you leave your web browser or mobile session open and polling is enabled, you’ll be logged out of the other session. If your web browser or mobile session is closed, but you leave yourself logged into LastPass, this can also be helpful (e.g., your web browser is closed at work, and you log in from home with this setting enabled, you will be required to log in the next time you open up your web browser at work). You can enable this setting by going to Open my VaultAccount SettingsGeneralShow Advanced Settings > Destroy Sessions; the setting is disabled by default. You must have ‘polling’ enabled in the web browser extensions to be effective; you can verify that it is by going to LastPass icon PreferencesAdvanced. Please note, this feature also applies to mobile sessions.

  • Password Alerts – This option sends an email notification to alert you if your LastPass account email address, Master Password, Site usernames or Site passwords have been changed in LastPass. You can manage these settings by going to Open my VaultAccount SettingsGeneralShow Advanced Settings > Password Alerts. Learn more.

Additional Security options

LastPass also provides additional features for further layers of protection against keyloggers and other security threats, including: