support.lastpass.com
35.158.127.53  Public Scan

Submitted URL: http://gsxlink.lastpass.com/ls/click?upn=u001.FUBDPXfVqIzF-2BJoXLl11HL42krzBa-2ByNtUrtqdFQpu769zDxzg-2BupY-2BI-2Bs6mR-2Bmcc-...
Effective URL: https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass%2Fsecurity-bulletin-recommende...
Submission: On September 18 via manual from TH — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content












LastPass Guide

Security Bulletin: Recommended Actions for LastPass Business Administrators






CONTENTS



Get Started



LastPass Quick Start Guide


About LastPass




Service



What is LastPass and why should I use it?

What is the LastPass master password?

How is LastPass safe?

What makes LastPass secure?

Use the LastPass Compliance Center

Data Privacy Compliance (GDPR, CCPA)

HIPAA Compliance

LastPass Security Incident Summary

Security Bulletin: Recommended Actions for LastPass Business Administrators

Security Bulletin: Recommended Actions for Free, Premium, and Families Customers

What have we done to secure LastPass


Support



Use the LastPass Support Center

New LastPass Community experience

Having trouble logging in?


How do I contact LastPass Support?



What levels of customer support does LastPass offer?

Report a billing issue to LastPass


Report a bug or technical issue to LastPass



Create diagnostic logs in LastPass

Get console and network logs for LastPass in Chrome

Get console and network logs for LastPass in Firefox

Get network logs for LastPass in Safari

Get console and network logs for LastPass in Microsoft Edge

Get console and network logs for LastPass in Opera


Use the My Cases portal



I submitted a case but I'm not receiving any emails – what should I do?

Report a security issue to LastPass

Report a phishing email to LastPass


Is there a service outage for LastPass?



What happens if LastPass has an outage?


Login Verification




What is email verification?



Why is my device not recognized when I log in to LastPass?

How do I disable email verification for LastPass?

Verify your trusted device

Why am I seeing a message to check my inbox or review login info and try again
when logging in to LastPass?

Why didn't I get an email sent from LastPass?

Why does my verification link show as expired when I verify my location for
LastPass?

How does LastPass know if my master password was exposed?


Training



Free LastPass trainings for business accounts

Best practices for traveling with LastPass

Best practices for using spell check in a browser


Installation



Create an account

Install and log in to LastPass

Log in to your vault for LastPass

What's new in LastPass?

Access LastPass on a non-admin or locked down computer

System requirements for LastPass

Allowlisting and firewall configuration for LastPass

Manage automatic updates for the LastPass browser extension

Install the LastPass binary component

Uninstall LastPass

Is LastPass supported on Chromium-based Microsoft Edge?

Should I run the 32-bit or 64-bit Windows Installer for LastPass?


Account Recovery




Set Up




Set up all account recovery options for LastPass



Set up additional security options for LastPass

Set up biometrics and mobile account recovery on iOS for LastPass


Set up SMS account recovery for LastPass



Check if you have set up SMS account recovery for LastPass

Update your phone number for SMS account recovery for LastPass

Create a Recovery One Time Password to use during LastPass account recovery


Recover




Recover your lost master password for LastPass



Reset your master password using mobile account recovery on iOS for LastPass

Reset your master password using mobile account recovery on Android for LastPass

Reset your master password using a hint/reminder

Reset your master password using SMS account recovery for LastPass

Reset your master password using a Recovery One Time Password for LastPass

Revert to your previous master password


FAQs



How does account recovery work for LastPass?

About account recovery options in LastPass

LastPass account recovery has failed because my current browser didn't save
account recovery data on this computer

Why can't LastPass Support reset the master password for my account?

I am locked out of my email account and need to reset my master password, what
should I do?

What is a Recovery One Time Password in LastPass?

Account recovery and one-time password verification for error_recovery1


Account Settings




Master password settings



Change your master password

Manage master password reminder


Email settings



Change email address for LastPass

Manage your security email address for LastPass

Manage email notifications


Privacy settings



Manage privacy settings


Manage account history tracking



View LastPass account history


What other data does LastPass handle?



Account history

Site URLs

Protecting private information


Alert settings



Manage password alerts

Protect your data with your master password


Security settings




Local and global security options



Security options in the LastPass browser extension preferences

Global security options in Account Settings


About password iterations



Change your password iterations for LastPass

Restrict LastPass access to specific countries

Manage the allowance of Tor networks


All account settings




Manage Account Settings




Manage General preferences in Account Settings



Supported languages for LastPass


Change the default language for LastPass



Change language on the homepage

Change language in the vault and desktop apps

Change language in local vault, browser extension, and new Admin Console

Can I change my profile photo in LastPass?

Manage Passwordless Options in Account Settings


Enable multifactor authentication for LastPass



Which multifactor authentication options does LastPass support?

Manage Trusted Devices in Account Settings


Manage Mobile Devices in Account Settings



Manage access restriction for my mobile devices

Manage authorization of my mobile devices

Rename my mobile device's label/random identifier

Disallow a mobile device from accessing LastPass

Manage Never URLs in Account Settings


Manage Equivalent Domains in Account Settings



About Strict Equivalent Domain and Subdomain Settings

Why doesn't LastPass recognize my equivalent domain as a valid domain?

Manage strict equivalent subdomains

Manage URL Rules in Account Settings


Browser Extension




Get started with the LastPass browser extension



Enable the LastPass browser extension

Use the LastPass browser extension


Install and log in to the LastPass browser extension



LastPass browser extension icon states

Update the LastPass browser extension on Chrome to MV3

What is save and fill?

About more options in the LastPass in-field menu

What version of LastPass am I running, and how do I update?


LastPass for Safari Extension




Install and log in to the LastPass for Safari extension on Mac



LastPass for Safari extension icon states

Use the LastPass for Safari extension on Mac

Troubleshoot or uninstall the LastPass for Safari extension


Manage LastPass browser extension preferences



Change General preferences for the LastPass browser extension

Change Notifications preferences for the LastPass browser extension

Change HotKeys preferences for the LastPass browser extension

Change Advanced preferences for the LastPass browser extension

Change Icons preferences for the LastPass browser extension

Log in to sites using LastPass

Add a new site

Manage automatic logout

Why am I being asked for permission in Firefox to copy LastPass data to my
clipboard?

LastPass for Microsoft Edge Legacy (no longer supported)

LastPass for Internet Explorer 11 (no longer supported)

Why do I see "Managed by Company" for the LastPass browser extension?


Deploy the LastPass browser extensions across your company



Deploy the LastPass browser extensions in Microsoft Intune

Log out of LastPass

Pausing or disabling LastPass on a website from the in-field menu


Desktop Apps




About the LastPass for Windows Desktop application



Install and log in to the LastPass for Windows Desktop application

Manage items in the LastPass for Windows Desktop application

Use the LastPass for Windows Desktop application

Troubleshoot the LastPass Windows for Desktop application


About the LastPass Mac App



Install and log in to the LastPass Mac App

Use the LastPass Mac App vault

Log out or uninstall the LastPass Mac App


Mobile Apps



Use LastPass on a mobile device


LastPass app for iOS




Set up the LastPass app for iOS



Install and log in to the LastPass app for iOS

Set up Face ID for account recovery in the LastPass app for iOS

Set up Touch ID for account recovery in the LastPass app for iOS

Use LastPass on your Apple Watch


LastPass for iOS Autofill Overview



Use LastPass for autofill via the iOS Safari extension

Use LastPass for autofill via the LastPass app for iOS

LastPass for iOS Autofill FAQs


Use the LastPass app for iOS



Add and manage passwords in the LastPass app for iOS

Generate a secure password in the LastPass app for iOS

Add and manage secure notes in the LastPass app for iOS

Add or manage form fill items in the LastPass app for iOS

Use the LastPass app on an iPad


Manage the LastPass app for iOS



Use security tools in the LastPass app for iOS

Manage settings in the LastPass app for iOS


Troubleshooting the LastPass app for iOS



Get diagnostic logs for the LastPass app for iOS


What data is collected when I use the LastPass app for iOS?



How do I opt-out of trackers on my mobile device?


LastPass app for Android




Set up the LastPass app for Android



Install and log in to the LastPass app for Android


Set up biometrics and mobile account recovery on Android for LastPass



Use biometrics in the LastPass app for Android

Set up and use Face Unlock with LastPass on a Pixel mobile device

Enable and use autofill in the LastPass app for Android


Use the LastPass app for Android



Add and manage passwords in the LastPass app for Android

Generate a secure password in the LastPass app for Android

Add and manage secure notes in the LastPass app for Android

Add and manage form fill items in the LastPass app for Android

Use the Sharing Center in the LastPass app for Android


Manage the LastPass app for Android



Use security tools in the LastPass app for Android

Manage settings in the LastPass app for Android


Troubleshooting the LastPass app for Android




LastPass app for Android FAQs



Retrieve diagnostic logs from your Android device for LastPass

Why does the "Unlock with biometrics" feature for LastPass not work on my
Android device?

How do I resolve autofill issues for LastPass app on my Huawei mobile device?

Why do some of my apps crash when I have the Android App Fill function enabled?

Why am I only offered the Copy Username and Copy Password options when I try to
fill an app on Android?

Why does my phone remove permissions for the LastPass app?

Why is LastPass removing the Android in-app mobile browser?


General FAQs



Basic troubleshooting for LastPass (mobile)

I did not receive an SMS message from LastPass, what do I do?

How do I run the security challenge for LastPass on my mobile device?

How do I manage and organize my folders in the LastPass app?


Account Management



Unlock your LastPass account

Reset your LastPass account

Merge two LastPass accounts

Which LastPass account should I use?


How do I delete my LastPass account?



I know my master password – how do I delete my LastPass account?

I do not know my master password – how do I delete my account?


Account FAQs



What type of LastPass personal account do I have?

I started a LastPass "business" account with my personal account instead of my
work account, how do I fix this?

How do I migrate data between my LastPass accounts?


LastPass Free



LastPass Free FAQs


Changes to LastPass Free



What are device types?

What is my active device type, and how many switches do I have left?

How do I switch my active device type?

What happens after I switch my active device type 3 times?

What happens if I log in to LastPass Free on a non-active device type?

Is multifactor authentication affected by the changes to LastPass Free?

Is my linked personal account affected by the changes to LastPass Free?

How has customer support changed for LastPass Free users?

As a LastPass Free user, can I still export my vault data if I select Mobile as
my active device type?


LastPass Families




For Users




Get started as a LastPass Families user



Join a LastPass Families account

LastPass Families FAQs


For Family Owners and Managers



Get started with LastPass Families


Use the LastPass Families Manager Dashboard



Log in to the LastPass Families Manager Dashboard

Add a family member in LastPass Families

Remove a family member in LastPass Families

Add a Family Manager in LastPass Families

Transfer the ownership of a LastPass Families account


Leave LastPass Families



Leave a LastPass Families account (as a family member or Family Manager)

Delete a LastPass Families account (as a Family Owner)

What is the difference between leaving and deleting a LastPass Families account?


FAQs



How do I check which role I have in LastPass Families?

Can family members view or access my vault in LastPass Families?


LastPass Teams




For Users



Get started as a LastPass Teams user


For Admins



Get started with LastPass Teams

Manage your LastPass Teams Account

Access the LastPass Teams Admin Console

Add users to LastPass Teams

View and manage LastPass Teams user settings

Manage LastPass Teams policies

Manage LastPass Teams multifactor authentication options

Generate LastPass Teams reports


About deleting users from LastPass Teams



Manually terminate a user from LastPass Teams


Billing




Purchase



How much does LastPass cost?

Can I trial LastPass Business for free?

How do I sign up and activate a new LastPass Business account?


Upgrading to LastPass Premium



LastPass Premium FAQs


Upgrade to LastPass Premium



Upgrade to LastPass Premium from an iOS device

Upgrade to LastPass Premium from an Android device

Upgrade to LastPass Premium from your Mac

Upgrading from LastPass Premium to LastPass Families FAQs


How do I upgrade my LastPass Business account with an add-on?



Why would my billing period change?


Claiming your LastPass "Premium as a Perk" account



What if I encounter an issue when claiming my "LastPass Premium as a Perk"
account?

Why am I being charged sales tax or VAT/GST for LastPass?

LastPass legal entity and invoicing change FAQs

Does LastPass offer non-profit pricing?

Is the Refer-a-Friend referral program for LastPass still supported?


Why do I see a message that I cannot purchase LastPass?



Why am I getting an error when I try to purchase LastPass?

Why do I see the message "We're unable to process your purchase at this time"
when trying to purchase LastPass?

Why was my payment declined?


Print billing receipts for LastPass



Print billing receipts for a LastPass Premium or LastPass Free plan

Print billing receipts for a LastPass Families plan

Print billing receipts for a LastPass Teams or LastPass Business plan

How do I verify my email address to view my LastPass invoices?

How do I purchase more LastPass Business licenses?

Why can't I use PayPal to purchase LastPass?

How do I switch from LastPass Families to LastPass Premium?


Renewal




When does my LastPass plan renew?



Enable or cancel auto-renewal for LastPass

Manually renew LastPass Premium or LastPass Families plan


Update payment and billing information



About updating billing address information

How do I manually renew my LastPass Teams or LastPass Business account?

How do I reduce the number of LastPass licenses I want to renew?

Why am I seeing a message that my LastPass Business account has expired?

My LastPass Families plan has expired, what options do I have?


My LastPass Business plan is about to expire, what should I do?



My LastPass Teams or LastPass Business account has expired, what options do I
have?


Downgrade from a LastPass Teams or LastPass Business account



My LastPass Teams or LastPass Business trial has expired

My LastPass Teams or LastPass Business trial is still active


Cancel



Cancel LastPass Premium

How do I cancel my LastPass trial?

How do I refund a purchase for LastPass?

I was charged twice for LastPass, how do I get a refund?


Explore Features




Vault Management




Manage your vault



Use advanced options in your vault


Manage your vault identities



Create a vault identity

Edit a vault identity

Switch to another vault identity

Delete a vault identity

Why do I see a message that my selected identity no longer exists in LastPass?

Why can't I see sites from within a shared folder in an identity?


Passwords




Manage passwords



Add a password


Edit a password



Add Form Fields to a password using your vault

Add Form Fields to a password using the LastPass browser extension

Delete a password

Share a password


Notes




Manage notes



Add a new note

Edit or delete a note

Share notes with others

View changes in note history

About downloading attachments for notes


Form fill items




Manage form fill items



Add a new item manually

Edit or delete an item

View changes in item history

About adding attachments to items

About sharing items with others

How do I prevent fields from being filled automatically?

How do I prevent the in-field icon from appearing for specific items?

Create a custom item type


Vault Organization



Manage folders within your LastPass vault

Restore deleted items and folders


Multifactor Authentication




Supported Authenticators




FIDO2 authentication in LastPass



Use a FIDO2 authenticator for LastPass MFA

Enable attestation validation policy for FIDO2 authenticator for LastPass
Business users


Use the LastPass Authenticator app




Set up LastPass to use the LastPass Authenticator app



Step #1: Enable the LastPass Authenticator app in LastPass

Step #2: Enroll the LastPass Authenticator app

Step #3: Set up a backup authentication method for the LastPass Authenticator
app


Use the LastPass Authenticator app to access your LastPass vault



Use the Call Me feature for the LastPass Authenticator app

Disable the LastPass Authenticator app for my LastPass vault

Regenerate your QR code and reset key in the LastPass Authenticator app


Manage the LastPass Authenticator app



What are the Security Checkup items in the LastPass Authenticator app?


Set up push notifications for sites in the LastPass Authenticator app



Re-enable push notifications for a site using the LastPass Authenticator app


Manage your registered accounts in the LastPass Authenticator app




Add an account to the LastPass Authenticator app



Why am I getting a message, "Device not paired, unrecognized QR code" in the
LastPass Authenticator app?

Edit your accounts in the LastPass Authenticator app

Arrange your accounts in the LastPass Authenticator app


Manage groups in the LastPass Authenticator app



Create a group in the LastPass Authenticator app

Edit a group in the LastPass Authenticator app

Delete a group in the LastPass Authenticator app

View authentication history in the LastPass Authenticator app

Reset my biometrics for the LastPass Authenticator app

Move TOTP accounts in the LastPass Authenticator app to a new device or export
them to a file

Import TOTP accounts from a file or other authenticator app using a QR code to
the LastPass Authenticator app

Configure screen capture in the LastPass Authenticator app

Hide TOTPs when I open the LastPass Authenticator app

Change the display format of TOTP codes in the LastPass Authenticator app

View the secret key of my TOTP accounts in the LastPass Authenticator app

Enable dark mode in the LastPass Authenticator app

Become a beta tester of the LastPass Authenticator app

I don't have a LastPass account, how do I move the LastPass Authenticator app to
my new phone?


I have a LastPass account, how do I move the LastPass Authenticator app to a new
phone?



Enable cloud backup for the LastPass Authenticator app

Restore from cloud backup in the LastPass Authenticator app


Use the Microsoft Authenticator



Set up the Microsoft Authenticator on your mobile device

Enable the Microsoft Authenticator in LastPass


FAQs



View the QR code for the Google or Microsoft Authenticator app in LastPass

Regenerate a key for the Microsoft Authenticator in LastPass


Use the Google Authenticator



Set up the Google Authenticator on your mobile device

Enable the Google Authenticator in LastPass


FAQs



Regenerate a key for the Google Authenticator in LastPass

Google Authenticator does not work on my Android device, how do I fix it?

Migrate from Google Authenticator to Microsoft Authenticator as a user

Migrate from Google Authenticator to Microsoft Authenticator as an admin


Use YubiKey multifactor authentication



Enable YubiKey in LastPass

Use YubiKey to log in to LastPass


FAQs



Why is my YubiKey not lighting up when I use it?

Having trouble with YubiKey on your iOS device?

How do I use VIP YubiKey authentication?


Use SecureAuth Authentication



Step #1: Set up the SecureAuth Authenticate app

Step #2: Set up and configure SecureAuth in LastPass

Step #3: Use SecureAuth Authenticate to log in to LastPass


Use RSA SecurID Multifactor Authentication



Step #1: Set up the RSA SecurID integration with LastPass

Step #2: Set up and configure RSA SecurID in LastPass

Step #3: Use the RSA SecurID Authenticate app to log in to LastPass


Use Symantec VIP



Step #1: Enable multifactor authentication and add user Credential IDs (Admins)

Step #2: Set up and configure Symantec VIP in LastPass

Step #3: Use the Symantec VIP authenticator to log in to LastPass


Use Duo Security Authentication



Step #1: Set up and configure Duo Security authentication

Step #2: Log in to LastPass using Duo Security authentication

Use Windows Fingerprint Authentication

Use Smart Card Authentication

Use Toopher Authentication (not available for new users)


FAQs




Disable multifactor authentication as a user




I am locked out because I can't disable multifactor authentication for my
LastPass account




Managing users due to an MFA lockout as a LastPass admin



Step #1: Temporarily disable the policy for the locked out user

Step #2: Disable Multifactor for the locked out user

Step #3: Confirm that the user can log in and access their vault

Step #4: Re-enable the policy for the user

Step #5: Force the user to log out of all LastPass sessions to force Multifactor
Authentication setup again (optional)

I lost my phone! How do I disable multifactor authentication via email?

I'm locked out of LastPass because I can't disable the LastPass Authenticator,
what should I do?

Disable authentication for a new or lost device

How do I add more than one multifactor authentication option to use for
LastPass?

How do I select my default multifactor authentication option in LastPass?

Edit your LastPass MFA authentication method in LastPass

How do I log in to LastPass using different multifactor authentication options?

What are the best practices for using multifactor authentication in LastPass?

How do I disable offline access for multifactor authentication for LastPass?

Why do I see "No supported devices were found" when I try to set up Touch ID on
macOS for the Fingerprint multifactor authentication option in LastPass?

Why are my credentials filled before I am prompted for multifactor
authentication for LastPass?

How do I enable the LastPass Authenticator app for Facebook?

Why am I seeing "Multifactor authentication failed"?

How do I reset my authenticator app?


Manage Your Passwords




FAQs



Can I disable the need to accept single shared items?

I deleted an item from Favorites, why is it missing from my whole vault?

How do I view username, password, and note history for sites?

About the "Allow Recipient to View Password" feature for shared items in
LastPass

Generate secure passwords

Change site passwords

Create a TOTP for password items in your vault

Disable autofill for sites

View deleted items

Set up automatic logins

Require a master password re-prompt

Manage your favorites

Use the LastPass command line application


Additional Security Features




Use temporary (one-time) passwords



Generate temporary one-time passwords for LastPass

Log in to LastPass using a temporary one-time password

Clear your temporary one-time passwords for LastPass

What is the difference between a One Time Password and a Recovery One Time
Password?


Set up and manage emergency access



Step #1: Add a trusted contact for emergency access

Step #2: Trusted contact accepts or declines invitation

Step #3: Emergency access user requests access

Step #4: Approve or deny an emergency access request

Step #5 (optional): Revoke emergency access for a user

How is emergency access secure?

I can no longer see data from my emergency contact in my LastPass vault. What do
I do?

Set Up and Manage LastPass Credit Monitoring (no longer available)

Set Up and Manage LastPass Premium Credit Monitoring (no longer available)


About URL encryption



About URL encryption for admins


Import Data




Import passwords from other sources into LastPass




Import from another password manager



Import passwords from Bitwarden into LastPass

Import passwords from Dashlane into LastPass

Import passwords from KeePass into LastPass

Import passwords from Keeper into LastPass

Import passwords from 1Password into LastPass

Import stored data from RoboForm into LastPass


Import from your web browser's built-in password manager



Import passwords from Chrome into LastPass

Import passwords from Firefox into LastPass

Import passwords from Microsoft Edge into LastPass

Import passwords from Opera into LastPass

Import passwords from Safari into LastPass


Import using another method



Import stored data into LastPass using a generic CSV file

Import a generic CSV file that was exported from LastPass

Import a LastPass encrypted file that was exported from LastPass

Manually add data from another password manager to LastPass if export feature is
unavailable


Export Data




Export vault data from LastPass



Export vault data while logged in through the LastPass website

Export vault data from LastPass as a generic CSV file

Export vault data as a LastPass encrypted file

Export LastPass form fill items


Export Wi-Fi passwords from LastPass



Export on Windows XP and Windows Server 2003

Export on Windows Vista (or later) and Windows Server 2008

Export Wi-Fi passwords using the LastPass browser extension


How do I move my vault data to another LastPass account?



Move vault data as a LastPass Business user

Move vault data as an existing LastPass user


Sharing Center




Use the Sharing Center



Share an item

Share multiple items at once

View and accept a shared item

Revoke a shared item

Remove a shared item

Clone a shared item for editing


Manage shared folders



Create a shared folder


View shared folders



Stop downloading a shared folder

Why is my shared folder missing from my vault?


Manage shared folder items



About hidden passwords for items within shared folders


About user and group access for shared folders



Edit users and access for a shared folder

Invite users or groups to a shared folder

Grant users or groups access permissions for shared folders

Restrict user or group access for shared folders

Remove users or groups from a shared folder

Share folders with users outside your company account

Delete a shared folder


Security Dashboard



How do I use the Security Dashboard?


Security Dashboard and Dark Web Monitoring — Admin FAQs



Can I prevent my LastPass users from using the Security Dashboard or dark web
monitoring?


Security Score



What is the security score in my Security Dashboard?

Why does my password strength and security score change?


About excluding passwords from the security score calculation




For Admins



Manage the "Control security score calculation" policy for LastPass Business
users


For Users



Exclude a password from the security score calculation

Include a password in the security score calculation


View at-risk passwords in my LastPass vault



Change weak or reused passwords in my vault

Add a missing password in my vault

Disable password alerts for at-risk passwords


Dark Web Monitoring



What is dark web monitoring?

How do I enable dark web monitoring in LastPass?


How do I manage my dark web monitoring alerts?



How do I start monitoring individual email addresses for dark web monitoring?

How do I change passwords associated with compromised email addresses for dark
web monitoring?

How do I stop monitoring specific email addresses for dark web monitoring?

How do I add a new email address for dark web monitoring that is not in the
list?

Manage the dark web monitoring policy for LastPass Business users

Why am I being asked to share information with Enzoic?

Can I manually run a dark web monitoring scan?

Why are there duplicate entries of my email address in my dark web monitoring
list?


Passwordless Login for Vault




About passwordless login for LastPass




LastPass Authenticator App



Enable the LastPass Authenticator app for passwordless login

Use the LastPass Authenticator app for passwordless login

Manage devices using passwordless login

Disable passwordless login for vault

Use passwordless login when your device is offline

How do I fix my account settings conflict for passwordless login?

How do I manage passwordless login settings in the LastPass Authenticator app?


Desktop biometrics



Use desktop biometrics for passwordless login in LastPass


USB security key



Use a USB security key for passwordless login in LastPass


Passwordless Login for Mobile



About passwordless login for vault on mobile

Use passwordless login for vault on mobile


LastPass for Oculus



Passwordless login for vault on Oculus


Resolving Errors



Why has my LastPass extension disappeared or become corrupted?

Why am I getting an "Error: Invalid Response" message?

Why do I see a message, "Hmm...this is taking longer than usual" in LastPass?

Why do I get a message, "Device Pairing Failed. An unexpected error has
occurred" when pairing my mobile device?

Why do I see the message, "An error occurred while attempting to contact the
server. Please check your internet connection" in LastPass?

Why do I see a message, "A consistency check failed. Please logoff and try
again." in LastPass?

Why am I seeing, "Installation failed, error code 1603" when installing
LastPass?

Why do I see a "LastPass Security Warning" when I visit some websites?

Why am I seeing the message, "Error: Invalid JSON response" in LastPass?

Why am I seeing ERR_CLEARTXT_NOT_PERMITTED on my Android device?


"Please enter a valid username or one-time password" during account recovery



Invalid username

No Recovery One-Time Password was found

One Time Login is restricted by company policy (using a Recovery One-Time
Password is prohibited)

Why am I seeing an error, "We couldn't contact the server. Check your internet
connection and try again" then my LastPass session expires in Chrome?


Why am I seeing an error, "No private key. Cannot decrypt pending shares"
message?



Step #1: Remove yourself from any shared folders

Step #2: Unlink your personal account (applicable to LastPass Business accounts
only)

Step #3: Remove a specific user from all shared folders

Step #4: Confirm that you no longer have any shared folders listed

Step #5: Contact LastPass Support

Step #6: Share items again

Why am I seeing the message, "We've detected an insecure login form" when I
visit a site?

Why am I seeing "Failed. Check your internet connection as well as the date and
time on your device" when I attempt to create a secure note while offline?

Why do I see "LastPass could not write to your hard drive"?

Blocked connection when logging in to LastPass


FAQs and Troubleshooting



Basic troubleshooting for LastPass (desktop)


Login



Where is my LastPass vault data stored locally on my computer?

Can I log in to multiple LastPass accounts on the same computer?

Why is my session expiring immediately after I log in to LastPass?

Why am I being logged off immediately after logging in to LastPass?

Why do I see a message about enabling Sideloading for LastPass?

Why did my LastPass extension just warn me that I was reusing my master password
elsewhere?

I changed my master password, why can't I log in now?

I don't have a smartphone, how can I use multifactor authentication with
LastPass?


Vault



Why doesn't LastPass launch, save, update, or autofill my data for a site?

Why are my LastPass vault contents blank, missing, or replaced with special
characters?

How do I clear the local cache for my LastPass vault?


How do I refresh sites to force a sync of my LastPass vault data?



Force a sync of vault data using the LastPass browser extension

Force a sync of vault data using an iOS device

Force a sync of vault data using an Android device

Why are my sites not launching from the desktop app or my vault?

I just upgraded my LastPass plan but my vault is blank, what should I do?

How do I generate sharing keys for LastPass?

How do I remove the LastPass autofill icon from my login fields?

How do I print out my sites and secure notes for LastPass?

How does LastPass support accessibility?

What is "Allow access to file URLs" in Chrome?

Why aren't some sites working in my linked personal account?

Why are my imported passwords not auto-filling into sites?

Why do some of my vault items appear as being recently used when I have not
accessed them?

Why aren't sites being added to recently used in LastPass?

What is the difference between using your vault with the LastPass browser
extension installed and without?

Some of my passwords and vault items are missing! How do I get them back?


How do I permit offline access to my LastPass vault?



Enable offline access for your account

Enable offline access through the mobile app

Why do I see a lock icon for my stored passwords in my LastPass vault?

How do I move a sub-folder up a level in my vault?


Security



Help! I think my LastPass account has been compromised!

How do I view and manage my active LastPass sessions?

Why am I not being prompted for multifactor authentication?

Why am I being prompted for multifactor authentication when I set my device as
trusted?

Why does my browser indicate that LastPass has an invalid or expired security
certificate?

Since my LastPass vault is encrypted with my master password, why can my One
Time Passwords decrypt it?

How do I protect myself from phishing scams?

My Antivirus program has warned me that LastPass is a virus/trojan/suspicious,
should I be concerned?

Was LastPass at risk from the OpenSSL DROWN attack?

Can another browser extension or password manager capture data from LastPass?

How do I enable or disable my web browser's password manager?

How do I prevent LastPass from filling erroneous form fields?

How does LastPass handle brute force or dictionary attacks against my account?

Do you retain any information on former users of LastPass?

Should I be concerned about reports that my master password can be stolen?


Admin Tools




Get Started with LastPass Business



Overview of LastPass Business

Understanding user types


Families as a Benefit



LastPass Families as a Benefit – FAQs for Users

LastPass Families as a Benefit – FAQs for Admins

Claim your Families as a Benefit account

Link your LastPass Families as a Benefit account

Unlink your LastPass Families as a Benefit account


Link or unlink your personal account in LastPass



Link your personal account

Migrate data between your accounts

Unlink your personal account from within your company account

Unlink your company account from within your personal account

Policies involving linked personal accounts (LastPass Business only)

Why do I get a message that I can't link an account with another linked account
or LastPass Business account?

Enable multifactor authentication (admins)


Get started as a LastPass Business user



Join a LastPass business account as a new user

Join a LastPass business account as an existing user

Email templates for new LastPass Business users

Where can I view free Master Class trainings for LastPass Business accounts?

What type of LastPass "business" account do I have?

What has changed for the LastPass business plan packages?

What are the feature differences between the Advanced SSO and Advanced MFA
add-ons for LastPass Business?


Add and Manage LastPass Business Users



How to add LastPass Business users

Manually add LastPass Business users in the old Admin Console

Set up Welcome email templates for new users in LastPass

Set up Welcome email templates for existing users in LastPass

View and manage LastPass Business user settings in the old Admin Console

Terminate LastPass Business user accounts in the old Admin Console


Federated Login




FAQs




What is federated login for LastPass?



What are the limitations for LastPass users with federated login?

Which identity providers are supported for LastPass federated login?

Which LastPass "business" account types include federated login for LastPass?

Which LastPass features do not support federated login?

Why do I encounter a network error when activating federated login for LastPass
using Okta?

How do I migrate users from one federated login Identity Provider to another?

How do I convert an existing LastPass user to a federated (Microsoft Entra ID,
Okta, Google Workspace, PingOne, or OneLogin) user?

How do I convert an existing LastPass user to a federated (AD FS or
PingFederate) user?

How do I migrate from using AD FS or PingFederate to a cloud-based federated
login identity provider for LastPass?

How do I change my Okta federated integration from Implicit flow to
Authorization Code flow with PKCE?

How do I change my Microsoft Entra ID federated integration from implicit flow
to Authorization Code flow with PKCE?

How do I update my Microsoft Entra ID federated login integration to allow
logins from managed mobile devices?

What are federated statuses?


Rotate knowledge components for Federated Login




Rotate knowledge components for Microsoft Entra ID (formerly known as Azure AD)
Federated Login



Troubleshooting knowledge component rotation for Microsoft Entra ID (formerly
known as Azure AD) Federated Login


Rotate knowledge components for Okta Federated Login



Troubleshooting knowledge component rotation for Okta Federated Login


Rotate knowledge components for OneLogin Federated Login



Troubleshooting knowledge component rotation for OneLogin Federated Login

Recurring and forced vault re-encryption

How do I defederate and refederate users?


For Users




Federated login experience for LastPass Business users




Access LastPass using federated login



Step #1: Download and install LastPass

Step #2: Activate federated login for LastPass Business

Step #3: Verify your linked personal account (if applicable)


Step #4: Log in to LastPass



Log in to LastPass using the LastPass browser extension

Log in to LastPass using LastPass for Windows Desktop application

Log in to LastPass using the LastPass app for iOS or Android

Step #5: Start using LastPass

How do I activate federated login via Microsoft Entra ID, Okta, Google
Workspace, PingOne, or OneLogin as a brand new user?

How do I activate federated login via AD FS or PingFederate as a new user?

How do I activate federated login as an existing user that is newly converted?


How do I verify my linked personal account for federated login in LastPass?



How do I verify my linked personal account from a desktop?

How do I verify my linked personal account from a mobile device?

Why am I being prompted to enter my email address again for federated login on
the mobile app?

Why do I get an "Invalid password" error message when trying to log into
LastPass with a valid set of login credentials?


For Admins



Quick start guide for LastPass Business admins managing federated login
integrations


AD FS




Set up simplified federated login for LastPass using AD FS



Step #1: Ensure the required components checklist is complete

Step #2: Capture your Identity Provider URL and Identity Provider Public Key

Step #3: Configure your LastPass Business federated login settings

Step #4: Install the LastPass Active Directory Connector

Step #5: Register your company-wide key with LastPass

Step #6: Apply access control policy changes


Troubleshooting federated login for Active Directory Federation Services (AD FS)



Step #1: Check Windows updates and LastPass components versions

Step #2: Check your firewall settings

Step #3: Check your AD users' permissions

Step #4: Check that the AD FS plugin is installed and registered with the
correct custom attribute value

Step #5: Check the custom attribute configuration

Step #6: Check that the custom attribute is populated

Step #7: Check the AD FS server farm configuration (if applicable)

Known issues and additional troubleshooting for Federated Login for Active
Directory Federation Services (AD FS)


Set up federated login for LastPass using AD FS



Step #1: Ensure the required components checklist is complete in LastPass

Step #2: Capture your Identity Provider URL and Identity Provider Public Key in
LastPass

Step #3: Configure your LastPass Business federated login settings in LastPass

Step #4: Install the LastPass Active Directory Connector in LastPass

Step #5: Register your custom attribute with LastPass

Step #6: Apply access control policy changes in LastPass

How do I confirm that my custom attribute is listed in my Active Directory?

How do I upgrade the AD FS plugin for LastPass federated login?


Microsoft Entra ID




Set Up Federated Login for LastPass Using Microsoft Entra ID (formerly known as
Azure AD)



Step #1: Create a Provisioning Token and Capture the Connection URL in LastPass


Step #2: Configure the Provisioning App for LastPass in Microsoft Entra ID



How do I add the "active" user attribute in Microsoft Entra ID for LastPass
federated login?

Step #3: Configure the Login App for LastPass in Microsoft Entra ID

Step #4: Configure Federated Login Settings for Microsoft Entra ID in LastPass

Step #5: Add Users/Groups to the Provisioning and Login Apps in Microsoft Entra
ID


Okta




Set up Federated Login for LastPass using Okta without an authorization server



Step #1: Create a Provisioning Token

Step #2: Create the LastPass Provisioning App

Step #3: Enter the Provisioning Token and Connection URL into LastPass
Provisioning App

Step #4: Enable Provisioning to the LastPass Provisioning App

Step #5: Generate LastPassK1 in LastPass

Step #6: Create a Single-Page App for LastPass to Enable Login Using Okta

Step #7: Enable the Authorization Code Grant Type

Step #8: Add Custom Attribute to the LastPass Login App in Okta

Step #9: Set Up Okta Federated Login in LastPass with PKCE Flow


Step #10: Assign Users to the LastPass Provisioning App



Assign a Group to the LastPass Provisioning App

Assign a Person to the LastPass Provisioning App


Step #11: Assign Users to the Single-Page App



Assign a Group to the Single-Page App

Assign a Person to the Single-Page App


Set up Federated Login for LastPass using Okta SSO and active directory



Step #1: Create a Single-Page Application for LastPass to Enable Login with Okta

Step #2: Enable the Authorization Code Grant Type

Step #3: Add a Company-Wide Key as a Group Claim

Step #4: Enable CORS for LastPass

Step #5: Set Up Okta Federated Login in LastPass with PKCE Flow

Step #6: Provision Users to LastPass Using the LastPass AD Connector

Step #7: Assign the User to the Single-Page Application


Set Up Federated Login for LastPass Using Okta With an Authorization Server



Step #1: Generate a Provisioning Token

Step #2: Create the LastPass Provisioning App in Okta

Step #3: Enter the Provisioning Token and URL into the LastPass Provisioning App
in Okta

Step #4: Enable Provisioning to the LastPass Provisioning App in Okta

Step #5: Create and Configure an Authorization Server for LastPass

Step #6: Enable CORS for LastPass in Okta

Step #7: Create a Single-Page Application for LastPass to Enable Login Using
Okta

Step #8: Enable the Authorization Code Grant Type for Your Single-Page App

Step #9: Set Up Federated Login for Okta in LastPass with PKCE Enabled


Step #10: Assign the User to the LastPass Provisioning Application



Assign a Group to the LastPass Provisioning Application

Assign a Person to the LastPass Provisioning Application

Step #11: Assign the User to the Single-Page Application


Google Workspace




Set Up Federated Login for LastPass using Google Workspace



Step #1: Create Directory Service API

Step #2: Create Service Account

Step #3: Delegate domain-wide authority to your service account

Step #4: Integrate Directory in LastPass

Step #5: Configure OAuth consent screen in Google Workspace


Step #6: Configure OAuth Client ID in Google Workspace



Step #6.1: Configure OAuth Client ID for LastPass browser extension

Step #6.2: Configure OAuth Client ID for iOS

Step #6.3: Configure OAuth Client ID for Android

Step #6.4: Configure OAuth Client ID for LastPass Desktop

Step #7: Enable Federated Login in LastPass


Troubleshooting Federated Login for LastPass using Google Workspace



Checking audit logs for provisioning


FAQs for Federated Login for LastPass using Google Workspace



How do I manually sync users for federated login for LastPass using Google
Workspace?

How do I change the sync settings of a live Google Workspace integration?


OneLogin




Set Up Federated Login for LastPass Using OneLogin



Step #1: Generate a Provisioning Token and obtain the Connection URL in LastPass

Step #2: Add the LastPass Provisioning app in OneLogin

Step #3: Configure the LastPass Provisioning app and enable provisioning in
OneLogin

Step #4 (Optional): Configure group synchronization between OneLogin and
LastPass

Step #5: Create login apps for LastPass in OneLogin

Step #6: Add API for LastPass in OneLogin

Step #7: Set up OneLogin federated login in LastPass


FAQs for Federated Login for LastPass using OneLogin



How do I enable provisioning and federated login for users without a default
role using OneLogin?

How do I enable federated login for users provisioned via OneLogin?


PingOne




Set Up Federated Login for LastPass using PingOne



Step #1: Create a Provisioning Token and Capture the Connection URL for PingOne
in LastPass

Step #2: Configure the Provisioning App for LastPass in PingOne

Step #3: Configure the Login App for LastPass in PingOne

Step #4: Configure Federated Login Settings for PingOne in LastPass


PingFederate




Set Up Federated Login for LastPass using PingFederate



Step #1: Capture your Identity Provider URL and Identity Provider Public Key

Step #2: Configure Federated Login Settings for PingFederate in LastPass

Step #3: Install the LastPass Active Directory Connector

Step #4: Register your Company-wide key with LastPass

Step #5: Create a new Service Provider (SP) Connection


Active Directory Connector



Active Directory Connector FAQs


Set up the LastPass Active Directory Connector



Installing the LastPass Active Directory Connector

Configuring the LastPass Active Directory Connector


SCIM Provisioning




SCIM provisioning FAQs



What happens if I delete a provisioned user in LastPass?

What happens if I rename a provisioned user in Microsoft Entra ID (formerly
known as Azure AD) or Okta?

How do I remove a directory integration?


Microsoft Entra ID




Set up SCIM provisioning for LastPass using Microsoft Entra ID (formerly known
as Azure AD)



Step #1: Create a Provisioning Token and Capture the Connection URL


Step #2: Configure the Provisioning App in Microsoft Entra ID for LastPass



How do I configure an alternate email as login ID instead of the default UPN?

Step #3: Add Users/Groups to the Provisioning App in Microsoft Entra ID

SCIM provisioning FAQs for LastPass Business using Microsoft Entra ID Active
Directory

How do I deprovision users for LastPass in Microsoft Entra ID via SCIM?

How do I disable users for LastPass in Microsoft Entra ID via SCIM?


LastPass SCIM Provisioning using Microsoft Entra ID Troubleshooting



User provisioning failed because the user is already present in LastPass

User provisioning failed because the user is in a different company

User deprovisioning/provisioning attribute update failed

Microsoft Entra ID user creation conflict

Redundant accounts being created for all users


Okta




Set Up SCIM Provisioning for LastPass Using Okta



Step #1: Generate a Provisioning Token and Copy the Connection URL

Step #2: Create the LastPass Provisioning Application in Okta

Step #3: Enter the Provisioning Token and Connection URL into the LastPass
Provisioning App

Step #4: Enable Provisioning to the LastPass Provisioning Application in Okta

Step #5: Assign Users to the LastPass Provisioning Application

SCIM Provisioning FAQs for LastPass Business Using Okta


Google Workspace




Set Up SCIM Provisioning for LastPass Using Google Workspace



Step #1: Create a Directory Service API in Google Cloud Platform

Step #2: Create a Service Account in Google Cloud Platform

Step #3: Delegate domain-wide authority to your service account in Google Admin
Console

Step #4: Integrate Google Workspace Directory in LastPass


OneLogin




Set Up SCIM Provisioning for LastPass Business Using OneLogin



Step #1: Generate a Provisioning Token and Capture the Connection URL

Step #2: Create the LastPass Provisioning app in OneLogin

Step #3: Configure your LastPass Provisioning app and enable provisioning

Step #4 (Optional): Configure group syncing between OneLogin and LastPass

SCIM Provisioning FAQs for LastPass Business Using OneLogin


PingOne




Set up SCIM Provisioning for LastPass using PingOne



Step #1: Create a Provisioning Token and Capture the Connection URL for PingOne

Step #2: Configure the Provisioning App for LastPass


LastPass Business Admin Console




Access the LastPass Business old Admin Console



Access via direct URL

Access via the web browser extension

Access via the desktop website

Manage Your LastPass Company Profile

Add LastPass to Your Corporate Policies

Add and Manage LastPass Admin Policies in the old Admin Console

Generate LastPass Business reports in the old Admin Console

Add and Manage LastPass Business Groups in the old Admin Console

Manage Email Notifications for LastPass Business in the old Admin Console

What's New in LastPass Business?


Advanced Business Options



Advanced LastPass Admin Options

LastPass Admin Management of Global Equivalent Domains

LastPass Admin Management of Global Never and Global Only URLs in the old Admin
Console


LastPass Admin Management of Multifactor Authentication Options



How do I manage multifactor authentication options for LastPass Business in the
old Admin Console?

How do I disable multifactor authentication for LastPass Business users in the
old Admin Console?

About Multifactor Authentication for Active Directory Federation Services (AD
FS) in LastPass Business


Integrate Duo Security with my LastPass Business account



Regenerate key for Duo Security authentication


Integrate Symantec VIP with my LastPass Business account



Regenerate VIP certificate for Symantec VIP authenticator


Integrate SecureAuth with my LastPass Business account



Regenerate App ID and key for SecureAuth authentication


Integrate RSA SecurID with my LastPass Business account



Regenerate shared secret for RSA SecurID authentication


Reset MFA shared secrets for Google Authenticator, Microsoft Authenticator,
LastPass Authenticator



Actions for end users after MFA shared secrets are reset in LastPass

Required actions for Workstation MFA admins before resetting MFA shared secrets

LastPass Admin Management of Trusted Mobile Devices


Use the LastPass Provisioning API



Add new users via the LastPass API

Get shared folder data via the LastPass API

Get detailed shared folder data via the LastPass API

Apply batch changes to groups via the LastPass API

Get user data via the LastPass API

Delete users via the LastPass API

Update users via the LastPass API

Enable users via the LastPass API

Disable users via the LastPass API

Reinvite users via the LastPass API

Disable multifactor authentication for users via the LastPass API

Event reporting via the LastPass API

Reporting - expired master password via the LastPass API

Reporting - master password about to expire via the LastPass API

Send password reset email via the LastPass API

Update user email via the LastPass API

End user experience when forcing an email address change

Require master password change via the LastPass API

Destroy user sessions via the LastPass API

How do I reset my Enterprise API provisioning hash?

Use the LastPass Enterprise API Postman collection

Install the LastPass software using the old Admin Console

How do I manage my URL rules as a LastPass Business admin in the old Admin
Console?


How do I manage user roles in the old Admin Console?



How do I migrate a role to a custom admin level?

How do I add a new user role?

How do I apply a user role?

How do I edit an existing user role?

How do I delete a user role?


Business FAQs and Troubleshooting



Why am I getting a "Please contact your company administrator for help" error
message after I log in to LastPass?

What happens when my admin resets my master password?

Why don't I see any master password reset options for LastPass?

Why is the Remember Password option displayed when a policy is enforced to
disallow it?


Where is my Vault Data stored for LastPass Business?



What types of data does LastPass store?

Where is my data stored?

How does LastPass protect my data?

How can I request to move my Vault Data?

What is the process of migrating my data?

If I have linked my personal account, where is my data stored?

Why do I keep getting prompted to change my master password when I log in to
LastPass?

I am a super admin, why can't I reset a user's master password in LastPass?

If I change my company's domain, how do I make sure my LastPass users are
updated?

How can I provision a new LastPass business account user if they don't have an
email address yet?


Passwordless Login for LastPass Business




For Users



About passwordless login for workstations

Which biometric authentication methods can I use for passwordless login?


For Admins



How do I create custom attributes for my SSO app in LastPass?

How do I enable step-up authentication for SSO apps as a LastPass admin?


FAQs



Does LastPass offer API Integrations?

What is Step-Up Authentication?

Does LastPass offer audit and reporting?

Does LastPass Business integrate with my existing SSO solution?

How does LastPass integrate with resources that need LDAP or RADIUS integration?

How does LastPass work with our email servers?

How easy is it to integrate LastPass with our existing company resources?

Does LastPass offer directory integrations for provisioning users?

Can multiple users share one account for a SAML application?

Can users log into SAML applications with credentials other than email?


LastPass Universal Proxy




Overview




What is LastPass Universal Proxy?



Using the LDAP over SSL (LDAPS) protocol in the LastPass Universal Proxy setup

Server mode default authentication methods

User mapping in LastPass Universal Proxy

Minimum software requirements for LastPass Universal Proxy


Setup




v5.0.x



LastPass Universal Proxy v5.0.x Overview


Docker version



Set up LastPass Universal Proxy v5.0.x Docker version

Download the LastPass Universal Proxy v5.0.x docker image

Upgrade LastPass Universal Proxy to v5.0.x Docker version

Rollback to LastPass Universal Proxy v5.x Docker version

Remove the LastPass Universal Proxy v5.0.x docker image


Windows executable version



Set up LastPass Universal Proxy v5.0.x Windows executable version

Download LastPass Universal Proxy v5.0.x Windows executable version

Install LastPass Universal Proxy v5.0.x Windows executable version


Upgrade LastPass Universal Proxy to v5.0.x Windows Executable version



Upgrade LastPass Universal Proxy v3.x to v5.0.x Windows Executable version

Rollback to LastPass Universal Proxy v4.2.3 on Windows

Disable or remove LastPass Universal Proxy v5.0.x Windows executable version


v4.x




Windows



Set up LastPass Universal Proxy v4.x


Download LastPass Universal Proxy v4.x



Find the integration key

Install LastPass Universal Proxy v4.x

Upgrade LastPass Universal Proxy to 4.x

Disable or remove LastPass Universal Proxy v4.x


Linux



Set up LastPass Universal Proxy v4.x on Linux

Download LastPass Universal Proxy v4.x on Linux

Install LastPass Universal Proxy v4.x on Linux

Remove LastPass Universal Proxy v4.x on Linux


Configure




v5.0.x




Docker version




Configure LastPass Universal Proxy v5.0.x Docker version



LastPass Universal Proxy v5.0.x LDAP configuration using command line

LastPass Universal Proxy v5.0.x LDAPS configuration using command line

LastPass Universal Proxy v5.0.x RADIUS configuration using command line


Windows executable version




Configure LastPass Universal Proxy v5.0.x using command line interface (CLI) on
Windows



LastPass Universal Proxy v5.0.x LDAP configuration using command line on Windows

LastPass Universal Proxy v5.0.x LDAPS configuration using command line on
Windows


LastPass Universal Proxy v5.0.x RADIUS configuration using command line on
Windows



How do I set up Network Policy Server (NPS) in Windows Server for LastPass
Universal Proxy RADIUS protocol?

Configure LastPass Universal Proxy v5.0.x with the server.properties
configuration file without using the CLI tool on Windows

Restrict access to my configuration file for the LastPass Universal Proxy v5.0.x
on Windows

PowerShell scripts in LastPass Universal Proxy v5.0.x


v4.x




Windows




Configure LastPass Universal Proxy 4.x using command line interface (CLI) on
Windows



LastPass Universal Proxy 4.x LDAP configuration using command line on Windows

LastPass Universal Proxy v4.x LDAPS configuration using command line on Windows

LastPass Universal Proxy 4.x RADIUS configuration using command line on Windows

Configure LastPass Universal Proxy 4.x with the server.properties configuration
file without using the CLI tool on Windows

Restrict access to my configuration file for the LastPass Universal Proxy 4.x on
Windows

PowerShell scripts in LastPass Universal Proxy v4.x


Linux




Configure LastPass Universal Proxy v4.x on Linux using command line interface
(CLI)



LastPass Universal Proxy v4.x LDAP configuration using command line on Linux

LastPass Universal Proxy v4.x LDAPS configuration using command line on Linux

LastPass Universal Proxy v4.x RADIUS configuration using command line on Linux

Configure LastPass Universal Proxy v4.x with the server.properties configuration
file on Linux without using the CLI tool

Universal Proxy v4.x configuration example on Linux

Restrict access to my configuration file for the LastPass Universal Proxy on
Linux


Assign Users



Provision users with a LastPass MFA account


Supported VPN Configurations




Cisco ASA VPN configuration for LastPass Universal Proxy



Cisco ASA VPN configuration for the LastPass Universal Proxy LDAP protocol

Cisco ASA VPN configuration for the LastPass Universal Proxy LDAP protocol on
Linux

Cisco ASA VPN configuration for the LastPass Universal Proxy LDAPS protocol

Cisco ASA VPN configuration for the LastPass Universal Proxy LDAPS protocol on
Linux


Cisco ASA VPN configuration for the LastPass Universal Proxy RADIUS protocol



Cisco CSR 1000v router configuration for AAA authentication with LastPass
Universal Proxy


F5 BIG-IP APM VPN configuration for LastPass Universal Proxy



F5 BIG-IP APM VPN configuration for the LastPass Universal Proxy LDAP protocol

F5 BIG-IP APM VPN configuration for the LastPass Universal Proxy LDAP protocol
on Linux

F5 BIG-IP APM VPN configuration for the LastPass Universal Proxy LDAPS protocol

F5 BIG-IP APM VPN configuration for the LastPass Universal Proxy LDAPS protocol
on Linux

F5 BIG-IP APM VPN configuration for the LastPass Universal Proxy RADIUS protocol


Fortinet VPN configuration for LastPass Universal Proxy



Fortinet VPN configuration for the LastPass Universal Proxy LDAP

Fortinet VPN configuration for the LastPass Universal Proxy LDAP on Linux

Fortinet VPN configuration for the LastPass Universal Proxy LDAPS protocol

Fortinet VPN configuration for the LastPass Universal Proxy LDAPS protocol on
Linux

Fortinet VPN configuration for the LastPass Universal Proxy RADIUS protocol


Meraki MX VPN configuration for LastPass Universal Proxy



Meraki MX VPN configuration for the LastPass Universal Proxy RADIUS protocol


OpenVPN Access Server VPN configuration for LastPass Universal Proxy



OpenVPN Access Server VPN configuration for the LastPass Universal Proxy LDAP
protocol

SECURITY BULLETIN: RECOMMENDED ACTIONS FOR LASTPASS BUSINESS ADMINISTRATORS

Mar 01, 2023
17 min read

OVERVIEW

In response to the recent LastPass security incident, we have created this guide
to help you assess and understand what actions you should take to protect your
business.

Note: To read the complete update on the security incident from our CEO, Karim
Toubba, visit the LastPass blog.

This document is for LastPass Business admins and security analysts. It outlines
the reporting and remediation steps necessary to reduce the impact of
unauthorized access to LastPass information associated with your organization.

We suggest reviewing these topics in the order presented. Focus on items
relevant to your specific LastPass deployment and configuration:

 1.  Master password length and complexity
 2.  Iteration counts for master passwords
 3.  Super admin best practices
 4.  MFA shared secrets
 5.  SIEM Splunk integration
 6.  Exposure due to unencrypted data
 7.  Deprecation of Password apps (Push Sites to Users)
 8.  Reset SCIM, Enterprise API, SAML keys
 9.  Federated customer considerations
 10. Additional considerations

Each section presents reporting options to help identify users or data that may
be at risk, as well as remediation tasks that may be performed by a LastPass
admin, by end users, or by both.


TOPIC 1: MASTER PASSWORD LENGTH AND COMPLEXITY

LastPass uses the master password and username to create a unique encryption key
that keeps sensitive data from being exposed. Without the encryption key, nobody
has access to the encrypted data in a user’s vault.

For all non-federated users in a LastPass Business account, it is important to
enable policies that ensure each end user creates a strong and unique master
password for their vault. The master password should be at least 12 characters
long. Longer is better, and a computer-generated random password is best,
particularly when using all available character sets (alphanumeric, special
characters, and symbols).

For businesses that use federation, the master password policies don’t apply,
because federated users never set a master password. Instead, each federated
user has a 256-bit “hidden master password” built from two or three (depending
on the implementation model) unique, cryptographically random 256-bit
split-knowledge components. The components are stored separately, combined
mathematically, and passed through SHA-256 to produce the key that encrypts and
decrypts the vault. Please see here for more information. Because the combined
secret is a full 256-bit random value rather than a human-chosen password,
federation provides a significant defensive advantage against brute-force
attacks on a stolen vault. However, see Topic 9: Federated customer
considerations for an important update related to split-knowledge component
security.
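
As an added illustration (this is not LastPass's code and does not claim to be
its exact implementation): the bulletin says the split-knowledge components are
"combined mathematically" and then hashed with SHA-256. The Python below models
that with XOR as the assumed combining operation and shows the property that
matters for a stolen database: for any one leaked component and any guessed
combined value there is always a matching second component, so a single
component on its own carries no information about the key.

```python
import hashlib
import secrets

KEY_BYTES = 32  # 256-bit components, as the bulletin describes


def new_component() -> bytes:
    """One cryptographically random 256-bit split-knowledge component."""
    return secrets.token_bytes(KEY_BYTES)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; the assumed 'mathematical combination' of components."""
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def hidden_master_password(*components: bytes) -> bytes:
    """Combine two or three components (XOR, order-independent) and pass the
    result through SHA-256 to get the 256-bit vault key."""
    if len(components) not in (2, 3):
        raise ValueError("expected two or three components")
    combined = components[0]
    for c in components[1:]:
        combined = xor_bytes(combined, c)
    return hashlib.sha256(combined).digest()


def component_consistent_with_any_key(known: bytes, candidate_combined: bytes) -> bytes:
    """Given ONE component and ANY guessed combined value, return the other
    component that would produce it. Such a component always exists and is
    exactly as likely as any other, so an attacker holding one component is
    still facing a uniform 256-bit search for the key."""
    return xor_bytes(known, candidate_combined)


if __name__ == "__main__":
    idp_part, lastpass_part = new_component(), new_component()
    key = hidden_master_password(idp_part, lastpass_part)
    print("vault key:", key.hex())
    # An attacker with only lastpass_part can "explain" any key they like:
    wanted = secrets.token_bytes(KEY_BYTES)
    other = component_consistent_with_any_key(lastpass_part, wanted)
    assert xor_bytes(lastpass_part, other) == wanted
    print("one component fits every candidate combined value: no information leaked")
```

The three-component form in the code corresponds to the bulletin's "two or
three" components; whichever model is in use, the key is only recoverable by
whoever can assemble all of them, which is why Topic 9 concerns the storage of
the components rather than the strength of the key.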


TASK 1.1: REVIEW MASTER PASSWORD POLICIES AND ENFORCE STRONG MASTER PASSWORDS

The Admin Console offers numerous policies that help you force users to create
and maintain strong master passwords.

Enable these policies for non-federated users:
 * Length of master password – Set the value to at least 12. Ideally, consider
   using a 16- or 20-character minimum master password length. A
   computer-generated random password is best.
 * Require master password change when reuse detected – This forces users to
   change their master password if we detect that it matches the password for
   any site in their vault.
 * Prohibit reuse of old master passwords – Consider a high value to prevent
   reuse over time. For context, Microsoft suggests blocking the reuse of the
   last 24 Active Directory passwords.
 * Minimum character sets in master password – Set this to at least 2. Consider
   requiring master passwords from 3 character sets, but remember that length
   wins over complexity.

This support article describes these policies in greater detail.


TASK 1.2: REVIEW SECURITY REPORTS RELATED TO MASTER PASSWORDS

After setting master password policies, generate reports that help identify
additional remedial actions that may apply to some users.

 1. In the Admin Console, go to Reporting > Security reports.
 2. Look for these reports:
    * Reused master password. Identify users who are reusing their master
      password on other sites. Learn more about this security report.
    * Weak master password. Identify users with a weak master password. Learn
      more about this security report.


TASK 1.3 (OPTIONAL): RESET SELECT MASTER PASSWORDS

Depending on the security profile of your users’ master password complexity and
iteration count (Topic 2 below), you may want to force those users to reset
their master passwords. You may also ask them to use a risk-based approach to
prioritize the rotation of critical credentials saved in such vaults. To force a
master password reset, follow these steps.


TOPIC 2: ITERATION COUNTS FOR MASTER PASSWORD

LastPass uses the Password-Based Key Derivation Function 2 (PBKDF2) to turn the
master password into the vault encryption key, which makes it harder for someone
to guess your account password through a brute-force attack. Each PBKDF2
iteration applies a one-way hash (SHA-256) to the output of the previous one, so
the derivation cannot be reversed and every guess an attacker makes against a
stolen vault has to pay for the full number of iterations. Raising the iteration
count does not change the strength of the key itself; it multiplies the work of
every brute-force or dictionary guess, which is why vaults with low iteration
counts are the more exposed ones.
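
As an added, runnable illustration of Topics 1 and 2 (not LastPass's own code,
and not a statement of its exact key schedule), the Python below does three
things: checks a candidate master password against the Task 1.1 length and
character-set policies, derives a 256-bit key with PBKDF2-HMAC-SHA256 using the
master password as input and the lower-cased username as the salt, and measures
how the per-guess cost scales with the iteration count. The salt choice, the
extra one-iteration PBKDF2 round that produces a login hash, and the policy
thresholds are assumptions for this example.

```python
import hashlib
import string
import time

# Assumed policy values matching Task 1.1 (minimum length 12, at least 2 character sets).
CHARSETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
LEGACY_DEFAULT_ITERATIONS = 100_100   # pre-2023 default mentioned in Task 2.1
RECOMMENDED_ITERATIONS = 600_000      # revised OWASP / LastPass minimum


def charsets_used(password: str) -> int:
    """Number of the four character classes present in the password."""
    return sum(1 for cs in CHARSETS.values() if any(ch in cs for ch in password))


def check_master_password_policy(password: str, min_length: int = 12,
                                 min_charsets: int = 2) -> list:
    """Return policy violations as strings; an empty list means compliant."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} < {min_length}")
    used = charsets_used(password)
    if used < min_charsets:
        problems.append(f"character sets {used} < {min_charsets}")
    return problems


def derive_vault_key(username: str, master_password: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the normalised
    username (assumed), giving the 256-bit vault key. The key stays on the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.strip().lower().encode("utf-8"),
                               iterations, dklen=32)


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Assumed authentication hash: one further PBKDF2 round over the key, salted
    with the password. A server stores this, not the key, so a stolen hash neither
    decrypts the vault nor can be run backwards to the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"),
                               1, dklen=32)


def relative_guess_cost(iterations: int, baseline: int = LEGACY_DEFAULT_ITERATIONS) -> float:
    """How many times more work each offline guess costs at `iterations` versus
    `baseline`; PBKDF2 cost is linear in the iteration count."""
    return iterations / baseline


def seconds_per_guess(username: str, iterations: int) -> float:
    """Wall-clock cost of one derivation here. An attacker's GPU rig is far faster,
    but the ratio between iteration counts carries over unchanged."""
    start = time.perf_counter()
    derive_vault_key(username, "probe-password", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple", "correct-horse-battery-staple"):
        print(f"{pw!r}: {check_master_password_policy(pw) or 'compliant'}")
    for iters in (5_000, LEGACY_DEFAULT_ITERATIONS, RECOMMENDED_ITERATIONS):
        secs = seconds_per_guess("alice@example.com", iters)
        print(f"{iters:>7} iterations: {secs * 1000:7.1f} ms per guess, "
              f"{relative_guess_cost(iters):.2f}x the 100,100 baseline")
```

Running it shows the point of both topics at once: a long password from two
character sets passes policy where a short "complex" one fails, and moving a
user from 5,000 to 600,000 iterations raises the attacker's per-guess cost by
two orders of magnitude without the user remembering anything new.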


TASK 2.1: REVIEW USERS' MASTER PASSWORD ITERATION COUNT SETTINGS

To maximize security for your users, review user iteration count settings and
act as required. Here’s how to check iteration values for all users in your
organization:

 1. In the Admin Console, go to Reporting > Security reports.
 2. Run the User iteration counts report. Read this support article for more
    information about running this report.

In January 2023, OWASP updated its recommended PBKDF2-HMAC-SHA256 iteration
count to 600,000. In alignment with that revised guidance, we are increasing our
default minimum iteration count to 600,000 iterations.

Recommendations:
 * Our default setting since 2019 has been 100,100 iterations. Nonetheless, for
   a number of reasons, there may be users in your organization whose iteration
   count falls below this level. If you identify users with a value less than
   100,100 iterations, take note of them as users with more relative risk and
   instruct them to set the “Password iterations” value in their LastPass vault
   account settings to 600,000 iterations, as documented in this support
   article.
 * Currently the only way to reset existing users’ PBKDF2 iterations is to
   manually configure it in the LastPass vault Account Settings. In the coming
   weeks we’ll provide the ability to set the iteration value for all users
   through policy in the Admin Console to the recommended minimum of 600,000.
   Individual users won't need to set this value manually. Additionally, at that
   time, all new users will have their minimum iterations set to 600,000.
 * If you have end users with linked personal accounts, instruct them to
   manually increase their iterations to 600,000 in their personal account's
   Account Settings, as documented in this support article.
 * In the coming months, we will be modifying this behavior and automatically
   upgrading all personal accounts to the revised minimum required iterations.
   We will notify Business admins before this takes place.


TASK 2.2: REVIEW SHARED FOLDERS ACCESSED BY USERS WITH A LOW ITERATION COUNT

Generate the Shared folders accessed by low iteration count users report to view
a list of shared folders that can be accessed by users with a low iteration
count. Here's how:

 1. In the Admin Console, go to Reporting > Security reports.
 2. Run the Shared folders accessed by low iteration count users report.
 3. Use a risk-based approach to prioritize the rotation of critical credentials
    saved in these shared folders.
 4. Additionally, make sure these users increase their iteration count (Task 2.1
    above).
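
As an added, runnable illustration of how to act on the two reports in Tasks 2.1
and 2.2 (this is not LastPass tooling): the Python below takes constructed CSV
exports standing in for the User iteration counts report and the Shared folders
accessed by low iteration count users report, assigns each user a tier against
the 100,100 and 600,000 thresholds from Task 2.1, lists who must be told to
raise their count, and ranks shared folders for credential rotation by how many
at-risk users can read them. The column names are assumptions; map them to
whatever the real export contains.

```python
import csv
import io
from collections import defaultdict

LEGACY_DEFAULT = 100_100      # pre-2023 default iteration count (Task 2.1)
RECOMMENDED_MIN = 600_000     # revised minimum (Task 2.1)

# Constructed stand-ins for the two report exports; column names are assumed.
USER_ITERATIONS_CSV = """email,iterations
alice@example.com,600000
bob@example.com,100100
carol@example.com,5000
dave@example.com,1
erin@example.com,310000
"""

SHARED_FOLDER_ACCESS_CSV = """folder,email
Shared-Finance,alice@example.com
Shared-Finance,carol@example.com
Shared-IT-Infra,bob@example.com
Shared-IT-Infra,dave@example.com
Shared-IT-Infra,erin@example.com
Shared-Marketing,alice@example.com
"""


def risk_tier(iterations: int) -> str:
    """critical: below the old 100,100 default; elevated: below 600,000; ok otherwise."""
    if iterations < LEGACY_DEFAULT:
        return "critical"
    if iterations < RECOMMENDED_MIN:
        return "elevated"
    return "ok"


def load_user_tiers(csv_text: str) -> dict:
    """Map each user's normalised email to a risk tier from the iteration report."""
    tiers = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tiers[row["email"].strip().lower()] = risk_tier(int(row["iterations"]))
    return tiers


def users_to_notify(tiers: dict) -> list:
    """Users who must raise their iteration count, most exposed first."""
    order = {"critical": 0, "elevated": 1}
    return sorted((e for e, t in tiers.items() if t in order),
                  key=lambda e: (order[tiers[e]], e))


def prioritize_folders(tiers: dict, folder_csv_text: str) -> list:
    """Rank shared folders for rotation: most critical readers first, then most
    elevated readers. Folders read only by 'ok' users are omitted."""
    counts = defaultdict(lambda: {"critical": 0, "elevated": 0, "ok": 0, "unknown": 0})
    for row in csv.DictReader(io.StringIO(folder_csv_text)):
        tier = tiers.get(row["email"].strip().lower(), "unknown")
        counts[row["folder"].strip()][tier] += 1
    ranked = sorted(counts.items(),
                    key=lambda kv: (-kv[1]["critical"], -kv[1]["elevated"], kv[0]))
    return [(folder, dict(c)) for folder, c in ranked if c["critical"] or c["elevated"]]


if __name__ == "__main__":
    tiers = load_user_tiers(USER_ITERATIONS_CSV)
    print("notify:", users_to_notify(tiers))
    for folder, c in prioritize_folders(tiers, SHARED_FOLDER_ACCESS_CSV):
        print(f"{folder:<18} critical={c['critical']} elevated={c['elevated']}")
```

A user still at exactly 100,100 is treated as elevated rather than critical,
matching the bulletin's framing: that was the default, but it is no longer the
recommended minimum. Anyone whose report value is "unknown" (present in a
folder but missing from the iteration report) is worth a manual look, since the
two exports were taken at different moments.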


TOPIC 3: SUPER ADMIN BEST PRACTICES

A “super admin” is a LastPass user with additional privileges above those of a
regular administrator. As the name implies, they have privileged access to your
LastPass tenant, particularly for resolving emergency situations. They can
potentially reset the master password of any user in your account, and they
have extensive rights to deploy, configure, and manage LastPass. They may also
have access to all shared folders in your account. Whether they can do these
two things depends on two policy settings for your LastPass tenant: Permit
super admins to reset master passwords and Permit super admins to access
shared folders.

Given their extensive powers, super admins should always have exceptionally
strong master passwords and an appropriate iteration count. It is normally
recommended that super admin accounts are only set up for “break glass”
situations where special access is needed.


TASK 3.1: ENSURE SUPER ADMINS FOLLOW MASTER PASSWORD AND ITERATIONS BEST
PRACTICES

Whether or not you’re using federation, we recommend having at least one super
admin who isn’t federated and who has set a master password for their vault. All
master password strength and complexity policies apply to these users. As
described above, ensure that your super admin users have strong master passwords
and high iteration counts.


TASK 3.2: REVIEW SUPER ADMINS WITH “PERMIT SUPER ADMINS TO RESET MASTER
PASSWORDS” POLICY RIGHTS AND WEAK MASTER PASSWORDS/ITERATIONS

If the policy Permit super admins to reset master passwords is enabled AND you
identify super admins with a weak master password and/or low iterations, your
LastPass tenant may be at risk. A comprehensive security review should be
implemented to determine what further actions should be taken to secure your
LastPass Business account.

In the case where you’ve identified at-risk super admin accounts, you might
consider the following remediation actions if best practices for highly
privileged accounts have not been followed:

[HIGH IMPACT/OPTIONAL] Task 3.2.1: Federated login customers only: Consider
de-federating and re-federating all users and request users to rotate all vault
credentials
 * ONLY consider doing this if you determine your super admin has a weak master
   password or iteration count. If so, de-federate and re-federate your users,
   as documented in this support article.
   
   This resets the shared keys between end users and super admins and prevents
   compromised super admin accounts from being used for further wrongdoing.

 * We then suggest using a risk-based approach to prioritize the rotation of
   critical credentials in end user vaults. Again, this is only suggested if you
   determine your super admin has a weak master password or iteration count.

[HIGH IMPACT/OPTIONAL] Task 3.2.2: Non-federated login customers only: Consider
resetting user master passwords and request users to rotate all vault
credentials
 * ONLY consider doing this if you determine your super admin has a weak master
   password or iteration count. Review your master password policies outlined
   above in Task 1.1. Once complete, reset your users’ master passwords. This
   process is documented in this support article. This resets the shared keys
   between end users and super admins and prevents compromised super admin
   accounts from being used for further wrongdoing.
 * We then suggest using a risk-based approach to prioritize the rotation of
   critical credentials in end user vaults. Again, this is only suggested if you
   determine your super admin has a weak master password or iteration count.


TASK 3.3: REVIEW SUPER ADMINS WITH "PERMIT SUPER ADMINS TO ACCESS SHARED
FOLDERS" RIGHTS

If the policy Permit super admins to access shared folders is enabled AND you
identify super admins with a weak master password and/or low iterations, you
should take the following steps:
 * Make sure the super admin sets a new, strong master password and a high
   iteration count, as discussed in Task 3.1 above.
 * Using a risk-based approach, you should rotate the credentials in your shared
   folders. The credential URLs for all shared folders can be reported in the
   Admin Console. Go to Reporting > Security reports and select the URLs in
   shared folders report.


TOPIC 4: MFA SHARED SECRETS

This topic applies only to non-federated users who have enabled MFA access to
their vaults.

Note: Federated users are prompted for MFA by their organization’s Identity
Provider, so they don’t need to take any action around MFA. However,
break-glass super admins (which are required for federated login) and
non-federated users should have MFA enforced. Admins should follow the steps
below.


TASK 4.1: RESET SHARED SECRETS FOR NON-FEDERATED CUSTOMERS

 1. In the Admin Console, go to Reporting > Security reports.
 2. Generate the Enabled multifactor report to show users who have enabled an
    MFA option, including the MFA solutions they are using, as documented here.
 3. For users of the LastPass Authenticator, Google Authenticator, or Microsoft
    Authenticator, reset all MFA secrets as documented here.
    Important: Since resetting MFA shared secrets destroys all LastPass sessions
    and trusted devices for these users, these users will need to log back in,
    go through location verification, and re-enable their respective MFA apps to
    continue using the service. We recommend sending an email providing
    information on the re-enrollment process.
    
    Here's a sample email that helps them understand what to expect and what
    they need to do. Feel free to use it and adapt it to your organization's
    voice and needs.
    
     Subject: Action required: Reset your authenticator app

     Hello,

     To help maintain the security of our organizational assets, we're resetting
     multifactor authentication for everyone using LastPass.

     Here's what you'll notice shortly:
     • You'll no longer be logged into LastPass anywhere you were using it
     • Your current multifactor authentication option for LastPass will be
       invalidated and will no longer work

     Here's what to do after you've been logged out of LastPass:
     1. In your browser, log in to LastPass again. An error message is displayed
        asking you to verify your login attempt via email.
     2. In the email from LastPass, click the red button to verify your
        device/location.
     3. Log in to LastPass again. Since you verified yourself in the previous
        step, you shouldn’t be asked for additional verification.
     4. When LastPass asks you to “meet company requirements and set up
        multifactor authentication”, follow the on-screen instructions. You
        should then see a page asking you to “Pair your authentication
        application app”.

     Feel free to contact us with questions or concerns.

     Thank you,

 4. For users of Duo Security, Symantec VIP, RSA SecurID, or SecureAuth,
    regenerate the shared secret for each respective MFA solution and paste the
    new shared secret into the respective MFA app configuration in the Admin
    Console. You can find instructions for each MFA solution here:
    * Manual steps to reset RSA SecurID
    * Manual steps to reset Duo Security
    * Manual steps to reset Symantec VIP
    * Manual steps to reset SecureAuth
     Note: Once you regenerate the MFA shared secret, your users won’t be able to
     log in to LastPass until you paste the new shared secret into the LastPass
     MFA configuration. Once you’ve done this, your end users will be all set.
     Tip: We highly recommend performing the steps in this task outside of your
     organization's standard business hours to minimize impact on your users.


TOPIC 5: SIEM SPLUNK INTEGRATION

This topic applies only to customers using the SIEM Splunk integration.
Customers with this integration need to reset their instance token. For those
customers that do not take action, LastPass will invalidate those tokens on
April 30, 2023.


TASK 5.1: UPDATE SPLUNK INSTANCE TOKEN

If the SIEM Splunk integration is configured in your environment, generate a new
Splunk Instance Token and update/rotate it in the Admin Console under Advanced >
Enterprise options > Splunk integration. Read this support article for
additional information on generating a Splunk Instance Token.


TOPIC 6: EXPOSURE DUE TO UNENCRYPTED DATA

As indicated in our blog, the threat actor obtained both encrypted and
unencrypted data stored in our customer and vault databases. To review this
information, please refer to the section in our latest update titled “What Data
Was Accessed?” as detailed information about the specific data accessed in each
environment can be found there.


TASK 6.1: GENERATE URL REPORTS TO ASSESS RISK

To see all URLs associated with your company’s users and shared folders, in the
Admin Console, go to Reporting > Security reports and run the newly added URLs
in vaults and URLs in shared folders reports.

These reports give you an understanding of the risk posed by any exposed URLs and
by any session IDs or parameters stored alongside those URLs. Because these URLs
are unencrypted in the vault, they could potentially enable several kinds of
attack. These include the following:
 * Credential Stuffing – When a site username in a user’s vault is the same as
   their LastPass account email, a threat actor can use this to potentially
   launch credential stuffing attacks against websites to attempt login using
   lists of compromised website credentials obtained from various breaches.
 * Phishing – A threat actor could send targeted emails/texts asking your users
   to reset their LastPass master password or any other password saved in their
   LastPass vault.
 * Other Social Engineering – Combining the email address, physical address, or
   phone number of a user and/or business, a threat actor may be able to contact
   your users and attempt to extract information that guides them to additional
   targets.
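To turn the URL reports into an actionable list, an admin or security analyst can scan the exported rows for the two risks the bullets above describe: URLs that carry session IDs or other authentication material in their parameters, and site usernames equal to the user's LastPass account email. The following is an added example written for this bulletin, not LastPass code. The report column names (account_email, site_username, url), the sample rows, and the list of parameter names treated as sensitive are all constructed assumptions for illustration; adjust them to the actual export before use.

```python
import csv
import io
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample export. The column names are an assumption: the bulletin
# does not describe the layout of the "URLs in vaults" report.
SAMPLE_REPORT = """account_email,site_username,url
alice@example.com,alice@example.com,https://mail.example.net/login
alice@example.com,alice.w,https://app.example.org/dashboard?sessionid=ABC123&view=home
bob@example.com,bob@example.com,https://intranet.example.com/;jsessionid=DEADBEEF
bob@example.com,bobby,https://shop.example.io/account?utm_source=newsletter
"""

# Heuristic: parameter names that commonly carry session or authentication
# material. This list is an assumption for the example, not a LastPass list.
SENSITIVE_PARAM = re.compile(r"session|sid|token|auth|key|secret|passw", re.IGNORECASE)


def sensitive_params(url):
    """Return the names of URL parameters that look like session or auth material."""
    parts = urlsplit(url)
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    # Servlet-style path parameters (";jsessionid=...") live in the path, not the query.
    names += re.findall(r";([A-Za-z0-9_\-]+)=", parts.path)
    return [n for n in names if SENSITIVE_PARAM.search(n)]


def triage(report_text):
    """Flag rows that expose session material or invite credential stuffing.

    Returns a list of (account_email, url, reason) tuples in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        hits = sensitive_params(row["url"])
        if hits:
            findings.append((row["account_email"], row["url"],
                             "session/auth parameter in URL: " + ", ".join(hits)))
        # A site username equal to the LastPass account email lets an attacker
        # pair the exposed URL with credentials leaked from other breaches.
        if row["site_username"].strip().lower() == row["account_email"].strip().lower():
            findings.append((row["account_email"], row["url"],
                             "site username equals LastPass account email"))
    return findings


def users_to_notify(findings):
    """Distinct account emails with at least one finding, for the Task 6.2 mailing."""
    return sorted({email for email, _, _ in findings})


if __name__ == "__main__":
    for email, url, reason in triage(SAMPLE_REPORT):
        print(f"{email}\t{url}\t{reason}")
    print("notify:", ", ".join(users_to_notify(triage(SAMPLE_REPORT))))
```

Rows flagged for a session parameter are candidates for rotating the session on the target site and for reminding the user not to save URLs copied from an authenticated page; rows flagged for a matching username feed directly into the user communication in Task 6.2.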


TASK 6.2: (OPTIONAL) COMMUNICATE WITH USERS ABOUT RISKS

Depending on your needs, you may want to communicate with your users about the
risks discussed above. Here’s a sample email. Feel free to use it and adapt it
to your organization's voice and needs.

Subject:
Security note: Phishing and Social Engineering warning

Hello,
To help maintain the security of our organizational assets, please review this information.

• Phishing – Be on the lookout for emails/texts asking you to reset your LastPass master password or any other password in your LastPass vault.
• Social Engineering – Bad actors may try to use your personal information (such as your email address, physical address, or phone number) to lure you into providing information that could lead them to additional information or targets.

Remember to always stay vigilant as you work online. Contact us with questions or to report suspicious activity.
Thank you,


TOPIC 7: DEPRECATION OF PASSWORD APPS (PUSH SITES TO USERS)

This topic applies only to customers using the Password apps feature (also known
as Push Sites to Users in the legacy Admin Console). This feature formerly
facilitated the placement of sites or apps into users’ vaults. If you use this
feature, please be aware that it is being retired and we are asking you to take
our recommended action.

As described in the product configuration section and documentation, this
feature did not follow our Zero Knowledge model and allowed data to be stored in
unencrypted form.


TASK 7.1: STOP USING PUSH SITES/APPS TO USERS AND TAKE REMEDIAL ACTION

Read this support article for recommended protective measures and safer ways to
share sites and apps.


TOPIC 8: RESET SCIM, ENTERPRISE API, AND SAML KEYS

In December, we notified a subset of customers whose SCIM, Enterprise API, and
SAML keys were stored in unencrypted form. This only affected customers who
joined LastPass and used these services in 2019 or before.

On February 16th, 2023, we invalidated these SCIM, Enterprise API, and SAML keys
for all affected customers who had not already reset their keys manually per the
information we previously communicated.


TOPIC 9: FEDERATED CUSTOMER CONSIDERATIONS

Federated login integrates an Identity Provider with a service provider (in this
case, LastPass) so that when a user is authenticated into the Identity Provider,
they will also be logged into the service provider. In terms of LastPass, this
means the need for using a separate master password is eliminated for users with
federated login.

As discussed above, federated business customers do not use a user-created
master password. Instead, they use a 256-bit “hidden master password” made up of
two or three (depending on the implementation model) unique, cryptographically
generated random 256-bit split knowledge components. These components are
stored separately, combined mathematically, and then passed through SHA256 to
create the key used to encrypt and decrypt data. Please see this support
article for more information.

In federated scenarios, the K1 split knowledge component is stored in the
customer’s identity provider (IDP, such as Microsoft Azure, Okta, etc.) while
the K2 split knowledge component is stored in LastPass production database
servers. Without both components, it is infeasible that a threat actor would be
able to either brute force or guess the resulting key needed to authenticate and
decrypt entries in a vault.

The K2 component was exfiltrated by the threat actor as it was stored in the
encrypted backups of the LastPass MFA/Federation Database for which the threat
actor had decryption keys. The security reference model we implemented for split
knowledge was chosen to defend against this specific situation where knowledge
of only one of the split knowledge components would give away nothing of the
resulting key.

In order to gain access to the elements needed to decrypt an offline vault or
access an online vault through SSO, a threat actor would need to combine both
the K1 and K2 components to derive the resulting key and then manipulate the SSO
connection to initiate access. Access to both keys would represent a complicated
set of actions.
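The split knowledge property described in the preceding paragraphs can be demonstrated in a few lines. The example below is added for this bulletin and is not LastPass's implementation: the bulletin says the components are "combined mathematically" and then passed through SHA256, but does not name the combining operation, so XOR is assumed here, and the two-or-three component models are generalised to any number of components. The point it makes is that holding K2 alone is consistent with every possible key, which is why exposure of K2 by itself gives away nothing, and that rotating the components produces a new key, which is why rotation requires defederating and re-federating users.

```python
import hashlib
import secrets

COMPONENT_BYTES = 32  # each split knowledge component is 256 bits, per the bulletin


def new_component():
    """One cryptographically random 256-bit split knowledge component."""
    return secrets.token_bytes(COMPONENT_BYTES)


def combine(*components):
    """XOR all components together.

    The bulletin only says the components are 'combined mathematically';
    XOR is an assumption made for this example."""
    if not components or any(len(c) != COMPONENT_BYTES for c in components):
        raise ValueError("expected one or more 32-byte components")
    out = bytearray(COMPONENT_BYTES)
    for c in components:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def derive_key(*components):
    """The hidden master password: the combined components passed through SHA-256."""
    return hashlib.sha256(combine(*components)).digest()


def component_consistent_with(known, target_combined):
    """Given one known component and any candidate combined value, return the
    other component that would produce it. Such a component always exists, so
    knowing one component alone rules out no candidate key at all."""
    return combine(known, target_combined)


def demo():
    k1 = new_component()  # held in the customer's IdP
    k2 = new_component()  # held by LastPass (the component the threat actor obtained)
    key = derive_key(k1, k2)

    # With only k2, every 256-bit combined value is equally plausible: k2 can be
    # made to "fit" an arbitrary target, so it carries no information about key.
    arbitrary_target = secrets.token_bytes(COMPONENT_BYTES)
    k1_that_fits = component_consistent_with(k2, arbitrary_target)
    assert combine(k1_that_fits, k2) == arbitrary_target

    # Rotation: fresh components yield a different key, so anything encrypted
    # under the old key must be re-keyed (the defederate/re-federate step).
    rotated_key = derive_key(new_component(), new_component())
    return key != rotated_key


if __name__ == "__main__":
    print("split knowledge demo passed:", demo())
```

Note that this reasoning only holds while K1 stays out of the attacker's hands; the admin's task in the next paragraphs is therefore to evaluate how well the IdP protects K1.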

As a LastPass admin, you will need to weigh the risks of how you have secured
your IDP environment to prevent access to the K1 components based on the
security capabilities of your IDP.

If, based on your security posture or risk tolerance, you decide to rotate the
K1 and K2 split knowledge components, you will need to defederate and
re-federate your users. You can learn more about this process in this support
article.


TOPIC 10: ADDITIONAL CONSIDERATIONS

In addition to the tasks above, these best practices provide additional
protection to you and your users. Consider implementing each of these.


TASK 10.1: REVIEW VAULT ITEM PASSWORD POLICIES

Long, strong, and unique website passwords are more difficult to brute force and
reduce the likelihood of successful credential stuffing on websites exposed by
URLs in the clear.

 1. Review the policies that are enabled/available for site password length and
    complexity.
 2. Consider enabling the Length of site passwords and Send email for aged
    passwords in vaults policies to help users generate long, strong & complex
    website passwords at the desired time interval.
    Note: Updated May 2024: The "Send email for aged passwords in vaults" policy
    has replaced the "Password expiration notification” policy.


TASK 10.2: REVIEW USER SECURITY SCORES AND REMEDIATE AS REQUIRED

 1. In the Admin Console, go to Reporting > Security reports.
 2. Run the Weak security score report. This provides a list of users with a
    weak security score.
    
    For more information on how the security score is calculated, read this
    support article.

 3. For compromised, weak, and/or reused passwords, prompt users identified to
    change those passwords in their vault. LastPass Business offers over a dozen
    email notifications which can automatically notify users of what specific
    actions they need to take to improve their password hygiene.


TASK 10.3: (OPTIONAL) ENABLE DARK WEB MONITORING FOR YOUR USERS

Enable the Control dark web monitoring policy and set the value to 2. This
forcibly enables dark web monitoring for every username saved in your users’
LastPass vaults. This triggers email notifications directly to users, and
administrators can review at-risk users in the Admin Console’s security report
under “Unresolved dark web monitoring alerts".

Ideally, encourage users to familiarize themselves with dark web monitoring and
other Security Dashboard features so they can track their password hygiene and
take recommended actions to improve their online security.


TASK 10.4: REVIEW SECURITY OF SHARED FOLDERS

The ongoing risk assessment and governance of shared folders in LastPass
Business should always be considered by admins and security analysts. This is
especially true when shared folders contain sensitive access information for
outside third-party services. Here are some general guidelines for shared folder
governance:
 * Folders should only be shared with those who require specific access, on the
   principle of least privilege. Access can be administered within LastPass
   using individual sharing invitations or through group-level access. The
   granularity of group-level access needs to be balanced against ongoing
   maintenance and least privilege governance.
 * All users with access to shared folders should have adequately strong master
   passwords and iteration counts. For guidance, please review Topic 1 and Topic
   2 in this document.
 * We also encourage your admins or security analysts to leverage the URLs in
   vaults report to help govern the password items stored in shared folders
   (Admin Console > Reporting > Security reports > URLs in vaults).
 * Depending on the relative sensitivity of a given item in a shared folder,
   items should be regularly rotated to ensure ongoing security as employees
   leave the organization.


FOR FURTHER INFORMATION...

We hope that this guide has helped you to understand how best to respond to the
recent LastPass security incident in a way that meets your security posture and
business needs.

If you require additional information, please contact the LastPass Customer
Success Manager assigned to your account. If you don’t have a dedicated LastPass
Customer Success Manager, contact the LastPass Care organization to open a
support ticket at https://link.lastpass.com/support-ticket.






Copyright © 2024 LastPass US LP, All Rights Reserved.

