I am new to LastPass and I was shocked when I realised that, once I logged in to LastPass browser extension, I could open my vault and view all the passwords even after I had exited my browser and reopened it.
How is this even safe? Is there any way to let LastPass ask for verification before opening my vault or viewing any passwords? If it is not possible, is it advisable to switch to Google Password Manager or similar?
15 Answers
The Lastpass options available differ quite remarkably between the browser extensions and the website.
To require the master password for every site password view:
- Log in to your account on the website
- Click "Account Settings"
- Open the advanced settings (Button at the bottom of the popover)
- Look for the section "Warnings", then choose your liking among "Master Password Re-Entry"
I agree that this process is unnecessarily convoluted and cumbersome.
Personally, I rarely ever need to actually see a password. I let Lastpass fill out the credentials for me and this works very well on most sites.
However, I suggest you use a second factor like TOTP (with Google's Authenticator for example) for account login.
You need to edit your Lastpass preferences. In Firefox, if I click on the icon for the Lastpass extension and go to Preferences, I can check "Automatically Log out when all browsers are closed", and/or "Automatically Log out after idle (mins)". You can also enable the password reprompt as suggested by other answers.
It's up to you what level of security vs. convenience tradeoff you want to make. The default of staying logged in probably assumes you are on a private computer which will be locked by the OS when you're away from the computer, but that assumption obviously isn't safe in all circumstances.
You can always instruct LastPass to prompt you for password before showing you the password.
- Enter edit password page
- click on the "advanced settings" at the bottom
- check the "require password reprompt" box
- save it
You now need to enter your vault password every time you want to know the stored password.
The caveat is that LastPass doesn't offer a vault-wide setting for password reprompt, so you need to set each item manually.
As suggested by @Marcel, there is a vault-wide setting under Account Settings > General > Show Advanced Settings, where you can instruct LastPass to reprompt for the vault password when accessing certain item types/actions.
The option to log you out of the Chrome browser extension can be found in the extension settings page.
To get decent security with auto logout, I recommend the following:
Step 1 - Chrome extension auto logout
Find and click on Extension Options (scroll down if necessary)
Check both logout boxes and set it to a short time like 10min
Step 2 - Website Auto-Logoff & Bookmarklet Auto-Logoff
Read the docs for more details
I think a lot of people don't understand the problem.
The LastPass browser extension allows you to access the entire vault without entering a master password! The only option is to then lock your computer if you get up in a public space.
I just logged into lastpass.com which looks identical to the browser extension, but it does require you to enter the master password.
Sorry, maybe this is a dumb solution, but you can always ditch the browser extension and use the Windows/Mac desktop application instead. Unfortunately, it is not free.
"Please note that the desktop application is not available to LastPass Free account users."