Should I be concerned about reports that my master password can be stolen?
LastPass always has security as top of mind. We offer the following tips and clarifications:
- Strong antivirus software and Multifactor Authentication are the best line of defense against a man-in-the-middle (MitM) attack. LastPass business account admins can enforce the use of Multifactor Authentication through LastPass security policies.
- We strongly advise against enabling the "Remember my password" option. Enabling it significantly reduces the security of your LastPass account. LastPass business account admins can apply a security policy that prevents the "Remember my password" option from being checked, which removes the possibility of this vulnerability entirely.
- LastPass is built with AES-256 in CBC mode and PBKDF2, with a number of PBKDF2 rounds (iterations) that each user can adjust as follows:
  - Click the active LastPass icon in your web browser toolbar.
  - Select Open My Vault.
  - Go to Account Settings in the left navigation.
  - Under Security, change the "Password Iterations" setting to your desired value (100100 is the default and the recommended minimum).
  - Click Save when finished.
- LastPass business admins can enforce a particular limit of iterations via security policy.
- If your computer is infected by a virus that can't be detected by antivirus software, there are other significant problems that you will need to address.
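
To show what the "Password Iterations" setting changes in practice, here is an added example (not LastPass code) that derives a 256-bit key with PBKDF2 and measures the cost of testing one password guess at several iteration counts. The HMAC-SHA256 digest, the salt value, the comparison counts 5000 and 600000, and the `meets_policy` helper are assumptions made for illustration.

```python
import hashlib
import time

KEY_LEN = 32                 # 256-bit key, matching the AES-256 named above
DEFAULT_ITERATIONS = 100100  # default and recommended minimum from this page


def derive_key(master_password: str, salt: str, iterations: int) -> bytes:
    """PBKDF2 key derivation. HMAC-SHA256 and the salt are assumptions."""
    if iterations < 1:
        raise ValueError("iterations must be a positive integer")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        salt.encode("utf-8"), iterations, dklen=KEY_LEN)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of deriving the key for one candidate."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        # Constructed inputs; only the iteration count matters for timing.
        derive_key("constructed-candidate", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def meets_policy(iterations: int, minimum: int = DEFAULT_ITERATIONS) -> bool:
    """Hypothetical admin-style check: reject settings below the minimum."""
    return iterations >= minimum


if __name__ == "__main__":
    # 5000 and 600000 are constructed comparison points, not page values.
    for count in (1, 5000, DEFAULT_ITERATIONS, 600000):
        cost = seconds_per_guess(count)
        print(f"{count:>7} iterations: {cost * 1000:8.2f} ms per guess, "
              f"~{1 / cost:,.0f} guesses/s on this core, "
              f"policy ok: {meets_policy(count)}")
```

The per-guess cost grows linearly with the iteration count, and the derived key changes whenever the count changes.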