Reset a User's Master Password (Super Admin)
LastPass admins can enable the "Super Admin - Master Password Reset" policy for their account to allow designated admins to reset a user's Master Password. Once enabled, new user accounts will be able to have their Master Passwords reset, and existing users who are actively logged in will need to log out and log back in via the LastPass web browser extension before the reset option will become available to the admin.
When using this feature, there is a 3-step technical process involved, as follows:
Step #1: Enable the "Super Admin - Master Password Reset" policy
When an admin enables the "Super Admin - Master Password Reset" policy, an asymmetric key pair (public/private) is generated for the administrator. The super admin's Public Asymmetric Key is sent to the LastPass cloud and stored. The super admin's Private Asymmetric Key is encrypted with the named super admin's Symmetric Vault Encryption Key and then sent to the LastPass cloud and stored.
Step #2: User login via the LastPass web browser extension activates the policy option
Next, a key exchange occurs when the selected user (for whom the Master Password reset should occur) logs in via the LastPass web browser extension (not the website). LastPass then downloads each super admin's Public Asymmetric Encryption Key from the LastPass cloud. Each super admin's Public Asymmetric Encryption Key is used to encrypt the selected user's Symmetric Vault Encryption Key. The encrypted Symmetric Vault Encryption Key is then sent back to the LastPass cloud and stored (one copy for each super admin listed on the policy).
Step #3: Super admin resets the user's Master Password
When the super admin resets their selected user's Master Password, the following actions take place:
- The target user’s encrypted Vault and the user’s encrypted Symmetric Vault Encryption Key are downloaded to the super admin's local computer. The super admin also downloads their own encrypted Private Asymmetric Encryption Key from LastPass.
- The super admin then decrypts their Private Asymmetric Encryption Key using their own Symmetric Vault Encryption Key, and uses this Private Asymmetric Encryption Key to decrypt the user's encrypted Symmetric Vault Encryption Key. The super admin can then decrypt the target user's encrypted Vault using the user's Symmetric Vault Encryption Key.
- Next, the super admin selects a new Master Password that is hashed (along with a salt of the target user’s username) to create a new Symmetric Vault Encryption Key for that user. The user’s new Symmetric Vault Encryption Key is encrypted with the super admin's Public Asymmetric Encryption Key and replaces the old data in the LastPass cloud. The target user’s newly encrypted Vault is also sent to LastPass to replace the original Vault.
To enable the policy, do the following:
- Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
- Go to Settings > Policies > Add Policy > Super Admin - Master Password Reset.
- Click Edit Users, then add all admins to the list that you want to designate as super admins that can reset Master Passwords for users.
Note: Only users who are already account administrators can be added to this list.
- If desired, enter information in the Notes section about this policy.
- Click Save when finished.
You can force active users to log off so that the Master Password reset option will become available to you as follows:
- In the Admin Console, go to Users in the left menu.
- Check the box next to "Email" in the user pane to select all users, or check the box(es) next to individual user(s).
- Click the More (...) hyperlink, then select Destroy all sessions for selected users.
- Click OK to confirm, and your selected users will be logged out of LastPass immediately.
Once the policy is enabled and the user you wish to reset has logged off, you can go through the process of resetting their Master Password. Please be aware that when you reset a user's Master Password, any linked personal LastPass account of the user will automatically become unlinked from their company LastPass account. If desired, the user can link their personal account again.
- In the Admin Console, go to Users in the left menu.
- Click on the email address of the user, then click the More icon and select Super admin master password reset.
- When prompted, click OK.
- Enter your own Master Password, then click Submit.
- Enter a new password, then re-enter it to confirm. Optionally, you can click Change the user's email to also update their LastPass username. You can choose to uncheck the box to disable the "Force password change on next login" option, as it is enabled by default for security best practices.
- When finished, click Submit.
If you have been added as a super admin in your account's policies but are not seeing the "Super admin master password reset" option for a user, it may mean that the user has not yet logged out of their active LastPass session. You can force the user to log off, then advise them to log back in to their account via the LastPass web browser extension (not the website). Once they have done so, you can refresh the Users page in the Admin Console and try again.
If your LastPass Enterprise organization is using Active Directory Federation Services (AD FS) to provision new users, then the Master Password in use is the user's account password stored in Active Directory. If a federated user's Master Password is reset, the user is converted to non-federated status upon reset; this is the only way to convert this user type to non-federated. To convert them back to a federated user, their account must be deleted and then recreated via the LastPass Active Directory Connector. For this reason, once the user's Master Password has been reset, the user must log in and export their Vault before their account is deleted, so that their LastPass data can be fully restored after they are recreated as a federated user.
To preserve the user's account data, do the following:
- Reset the user's Master Password.
- Once the user has logged in to their account, they must export their LastPass account data.
- When they confirm their account has been exported, you can then delete the user's account.
- The LastPass Active Directory Connector will detect them as a new user and provision them as a federated user.
- Once they log in to LastPass as a federated user (utilizing their current Active Directory credentials), they can import their LastPass account data to restore their Vault.