Local and Global Security Options
LastPass provides a safer online experience that helps protect your identity by allowing you to create unique, complex passwords for all of your Sites, in addition to securely storing this information using local encryption. This means that you only have to remember a single strong password, your LastPass Master Password.
However, LastPass knows that one size does not fit all when balancing security and ease of use, so we allow you to decide by providing a full range of security options. The default values chosen will certainly not satisfy everyone, and we strongly encourage you to review the settings in both your Web Browser Extension Preferences and your Account Settings (Open my Vault > Account Settings) shortly after creating your account.
To confirm that you have access to the email address you use for your LastPass account, you are required to verify it at least once. To verify your email address, LastPass sends you an email containing a link that you must click. LastPass uses this as a preliminary means of verification, which is required initially when you set up your account, and must be done before using the following features:
Web Browser Extension Security options
Log out when all browsers are closed – Specify whether LastPass should log out of your session when you close all web browsers that are in session with LastPass. Check the box to enable this feature; when you relaunch a web browser, you will be asked to enter your Master Password. If you want to stay logged in to LastPass after the browser closes, leave the box unchecked. This setting is disabled by default.
Log out after this many minutes of inactivity – Specify the maximum amount of idle time (no keyboard or mouse activity on the machine at all, not just no activity in the browser where the extension is installed) that may pass before LastPass automatically logs your account out of the active session for the web browser where the extension is installed. After the specified amount of time (in minutes), an inactive LastPass icon is displayed to indicate that you have been logged out. Please note that if any activity occurs on the machine before the specified logout time, the countdown to logout is reset. If you want to remain logged in to your LastPass account via the web browser extension regardless of idle time, leave this setting unchecked. This setting is disabled by default.
Require Password Reprompt – If you want to protect a particular Site, Secure Note, or Form Fill Profile so that any access to the information stored in LastPass requires your Master Password, you can check the box to enable this option in the Edit window for the entry. This provides very specific control over individual sites, such as a bank login, where you may want additional security. Please note that reprompt is not as strong as logging off; we recommend using the logoff options above to fully protect your data.
Clear Clipboard after use – LastPass is set to clear your clipboard after a default amount of time. If you’ve been copy/pasting your secure data into login fields or web forms, this ensures that your data cannot be compromised by being left on the clipboard. You must have the binary component installed for this option.
Global Security options
Website Auto-Logoff – Access this option from Open my Vault > Account Settings > General > Security to control how long your session exists on the server, allowing you to automatically log in when using the Web Browser Extension. This assumes that your session does not get destroyed by methods such as explicitly logging out or closing the web browser when the "Automatically Log out when browser is closed" option is enabled.
Bookmarklet Auto-Logoff – Similar to ‘Website auto-logoff timeout’, except that it applies to LastPass bookmarklets. This preference can also be managed from Open my Vault > Account Settings > General > Security.
Re-prompt for Master Password – This setting controls whether the Master Password must be entered when performing tasks that access sensitive information (i.e., access an Identity, access a Site's password, access a Site, access a Secure Note, access a Form Fill profile, and Log into a Site). You can update these settings from Open my Vault > Account Settings > General > Show Advanced Settings > Re-prompt for Master Password. Checking one of these boxes applies the action to every Site, Secure Note, or Form Fill profile that you have. If you want more granular control, use the Require Password Reprompt method.
Destroy Sessions – If you leave your web browser or mobile session open and polling is enabled, you’ll be logged out of the other session. This can also be helpful if your web browser or mobile session is closed but you leave yourself logged into LastPass (e.g., if your web browser is closed at work and you log in from home with this setting enabled, you will be required to log in the next time you open your web browser at work). You can enable this setting by going to Open my Vault > Account Settings > General > Show Advanced Settings > Destroy Sessions; the setting is disabled by default. You must have ‘polling’ enabled in the web browser extensions for this setting to be effective; you can verify that it is enabled by going to LastPass icon > Preferences > Advanced. Please note that this feature also applies to mobile sessions.
Password Alerts – This option sends an email notification to alert you if your LastPass account email address, Master Password, Site usernames or Site passwords have been changed in LastPass. You can manage these settings by going to Open my Vault > Account Settings > General > Show Advanced Settings > Password Alerts.
Additional Security options
LastPass also provides additional features for further layers of protection against keyloggers and other security threats, including: