What is breach detection in LastPass?
LastPass currently offers breach detection that monitors employees’ email addresses/usernames for breaches. Once enabled by the “check for compromised user accounts” policy, LastPass will continuously check for breaches associated with the emails/ usernames in your employees’ Vaults.
LastPass partners with Enzoic (formerly known as PasswordPing) to offer breach detection. Enzoic manages a database of breached credentials, and once you turn breach detection on for your organization your employees’ emails/ usernames are continuously checked against this database. If Enzoic determines that any of their usernames have been compromised, LastPass relays this information to the user in the form of an email to the compromised account. They will be prompted to change the password for this account.
The following policies apply to the Security Dashboard:
- Check for compromised user accounts – When enabled, all usernames/email addresses (that are currently enabled to be monitored via dark web monitoring) are checked against the database of breached credentials on an ongoing basis.
- Disable PasswordPing checks – When enabled, this policy prohibits the checking of usernames/email addresses against the database of breached credentials.
- Show security challenge score – Automatically reports security scores to the user and admins. This policy is enabled by default.
Note: LastPass uses the industry-standard zxcvbn library to assist in calculating each password's strength. As a result, your individual passwords' strength and your security score for all of your passwords in your Vault may vary. Individual password strengths can be 0-25-50-75-100 percent (or a different value if the individual password is reused on multiple site password entries) while the security score can be anywhere between 0-100. Learn more about password strength and security score calculation.
For more information please see any of the following to manage policies: