2023-03-01

Passwords are one of the most important pieces of information protecting your privacy and security online. It is often recommended to use a unique, complex password for each online account. However, remembering all of those passwords is difficult. This is where password managers come into play, such as LastPass, a manager that was recently hacked and which has already published instructions on what we should do to avoid problems.

In this guide, we are going to discuss how to secure your LastPass vault against potential brute force attacks. This guide is divided into four main topics: Your Master Password, Master Password Hash Iterations, Assessing the Health of Your Passwords, Multi-Factor Authentication (MFA) for Your Vault.

First and foremost, create a strong and unique Master Password that is at least 12 characters long, but ideally 16-20. LastPass uses the Master Password and username to create a unique encryption key that prevents exposure of sensitive data. The longer and more complex the Master Password, the stronger the encryption key. Without the encryption key, no one, including LastPass or malicious actors, has access to the unencrypted data in a user's vault.

We recommend the following best practices when creating your Master Password:

Use a minimum of 12 characters, but longer is better.

Use at least one uppercase letter, one lowercase letter, one number, and one symbol.

Make sure it’s unique (don’t use it anywhere else).

Do not use personal information.

To maximize your security, use a randomly generated Master Password.

Hash iterations for the master password

LastPass uses the Password-Based Key Derivation Function 2 (PBKDF2), which makes it more difficult for someone to guess your Master Password using a brute force attack. Each PBKDF2 round feeds the previous result back through the hash, turning your original input, the Master Password, into a unique encryption key. This type of hashing cannot be reversed. The more PBKDF2 iterations you apply, the stronger the encryption key becomes and the more work every guess costs an attacker.

We recommend reviewing and increasing your Master Password iteration setting. In January 2023, OWASP updated its recommended number of PBKDF2 iterations to 600,000. In response, we are raising our default minimum iteration count to 600,000. Change your iteration value to 600,000 in your account settings, as documented in this support article.
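To make the iteration setting tangible, here is a small Python example added for this guide (it is not LastPass's own code). It derives a key with PBKDF2-HMAC-SHA256, checks a setting against the 600,000 recommendation, and measures how long one derivation takes on your machine, which is the cost every brute-force guess has to pay. It assumes, for illustration only, that the lower-cased username is used as the salt; the account name and password in it are constructed samples.

```python
import hashlib
import time

# OWASP (January 2023) recommendation, now LastPass's default minimum.
RECOMMENDED_ITERATIONS = 600_000


def derive_vault_key(master_password: str, username: str, iterations: int) -> bytes:
    """Derive a 256-bit key with PBKDF2-HMAC-SHA256.

    Assumption for this example: the lower-cased username is the salt, so the
    same Master Password yields a different key for every account.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def iterations_meet_recommendation(iterations: int) -> bool:
    """True when the account setting is at or above the 600,000 recommendation."""
    return iterations >= RECOMMENDED_ITERATIONS


def seconds_per_guess(username: str, iterations: int) -> float:
    """Time one key derivation on this machine.

    A brute-force attacker pays this cost for every candidate password, so a
    larger value means a slower attack. Uses a throw-away constructed password.
    """
    start = time.perf_counter()
    derive_vault_key("throwaway-sample-password", username, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample account, not real credentials.
    user = "alice@example.com"
    # Illustrative settings: a low count, a mid count, and the recommendation.
    for n in (5_000, 100_000, RECOMMENDED_ITERATIONS):
        t = seconds_per_guess(user, n)
        status = "meets" if iterations_meet_recommendation(n) else "below"
        print(f"{n:>8} iterations: {t:.3f}s per guess ({status} recommendation)")
```

The timings scale roughly linearly with the iteration count, so moving from a low setting to 600,000 multiplies an attacker's per-guess cost by the same factor.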

Evaluation of the health of your passwords

It is important to have strong and unique passwords in your vault. Ideally, passwords are at least 12 characters long and contain upper and lower case letters, numbers, and symbols. It is recommended to use a random password generator so that predictable or easily guessed passwords are never used.

LastPass offers a security dashboard that shows your security score and dark web monitoring alerts. Reviewing your passwords and updating them is a good practice to improve your password hygiene.

Multi-factor authentication (MFA) for your vault

Multi-Factor Authentication (MFA) is an additional layer of security that you can enable within LastPass. It adds a second step before you can access your account, which helps protect it from keyloggers and other threats.

We recommend enabling MFA for your LastPass vault and, if you have already enabled it, regenerating your MFA shared secrets.