Local and Global Security Options
LastPass provides a safer online experience that helps protect your identity by allowing you to create unique, complex passwords for all of your Sites, in addition to securely storing this information using local encryption. This means that you only have to remember a single strong password, your LastPass Master Password.
However, LastPass knows that one size does not fit all when balancing security and ease of use, so we allow you to decide by providing a full range of security options. The default values chosen will certainly not satisfy everyone, and we strongly encourage you to review the settings in both your Web Browser Extension Preferences and your Account Settings ( Open my Vault > Account Settings) shortly after creating your account.
Topics in this article:
In order to be able to verify that you have access to the email address you use for your LastPass account, you are required to verify it at least once. Verifying your email address means that LastPass sends you an email that contains a link you must click on in order to verify that you have access to that email address. LastPass uses this as a preliminary means of verification, which is required initially when you set up your account, and must be done before using the following features:
- Automatically Log out when all browsers are closed – Specify when LastPass should log out of your session upon closing the web browser. If you would like LastPass to log off immediately after each session, check the box and set the value ‘0’ for minutes; when you relaunch the web browser, you will be asked to enter your Master Password. If you would like to extend the time between ending your browser session and logging out of LastPass, enter another value in the "Minutes" field. If the specific amount of time passes before you re-open the browser, you will be prompted for your Master Password. If you wish for LastPass to stay logged in upon browser close, leave the box unchecked. This setting is disabled by default.
- Automatically Log out after idle – If you frequently minimize your web browser or walk away from your computer, you may want LastPass to log off after being idle for a specific amount of time. For example, if more than one person shares a home computer, you may want LastPass to timeout after 10 minutes of inactivity (no keyboard or mouse movements) so that someone else sitting down to the computer will not have access to your Vault and account information. After the specified amount of time, the icon will turn gray, indicated that you are logged off. Click the icon to log in again. Leave this setting unchecked if you wish for LastPass to stay logged in between browser sessions. This setting is unchecked by default.
- Require Password Reprompt – If you want to protect a particular Site, Secure Note, or Form Fill Profile so that any access using the information stored in LastPass requires your Master Password, you can check the box to enable this option while accessing the Edit window for the entry. This provides very specified control of individual sites, such as a bank login, where you may want additional security. Please note reprompt is not as strong as logging off, we’d recommend utilizing the above logoff options to fully protect your data. Learn more.
- Clear Clipboard after use – LastPass is set to clear your clipboard after a default amount of time. If you’ve been copy/pasting your secure data into login fields or web forms, this ensures that your data cannot be compromised by being left on the clipboard. You must have the binary component installed for this option.
- Website Auto-Logoff – Access this option from Open my Vault > Account Settings > General > Security to control how long your session exists on the server, allowing you to automatically log in when using the Web Browser Extension. This assumes that your session does not get destroyed by methods such as explicitly logging out or closing the web browser when the "Automatically Log out when browser is closed" option is enabled.
- Bookmarklet Auto-Logoff – Similar to ‘Website auto-logoff timeout’ except applies to LastPass bookmarklets. This preference can also be managed from Open my Vault > Account Settings > General > Security.
- Re-prompt for Master Password – This setting controls if the Master Password must be entered when performing tasks that access sensitive information (i.e., access an Identity, access a Site's password, access a Site, access a Secure Note, access a Form Fill profile, and Log into a Site). You can update these settings from Open my Vault > Account Settings > General > Show Advanced Settings > Re-prompt for Master Password. Checking one of these boxes will apply the action to every Site, Secure Note, or Form Fill profile that you have. If you want more granular control, use the Require Password Reprompt method. Learn more.
- Destroy Sessions – If you leave your web browser or mobile session open and polling is enabled, you’ll be logged out of the other session. If your web browser or mobile session is closed, but you leave yourself logged into LastPass, this can also be helpful (e.g., your web browser is closed at work, and you log in from home with this setting enabled, you will be required to log in the next time you open up your web browser at work). You can enable this setting by going to Open my Vault > Account Settings > General > Show Advanced Settings > Destroy Sessions; the setting is disabled by default. You must have ‘polling’ enabled in the web browser extensions to be effective; you can verify that it is by going to LastPass icon > Preferences > Advanced. Please note, this feature also applies to mobile sessions.
- Password Alerts – This option sends an email notification to alert you if your LastPass account email address, Master Password, Site usernames or Site passwords have been changed in LastPass. You can manage these settings by going to Open my Vault > Account Settings > General > Show Advanced Settings > Password Alerts. Learn more.
LastPass also provides additional features for further layers of protection against keyloggers and other security threats, including: