If you use LastPass, you have to remember your master password. The company does not know the password and cannot help you reset it.
You can install LastPass as a plugin on your browser and download it as an app for your phone. When you type in a password, it asks if you want to remember it; when you need to recall a password, LastPass offers to fill in the information automatically. It’s a crowded field. Others include 1Password, Keeper and Dashlane.
If you forgot your new password, try these steps first. If you revert, you will lose sites added since your last master password change. You can also choose to revert email and PBKDF2 key iteration changes. For your security, you must verify that you have access to your email account.
As painful as this situation is for you, it’s understandable why LastPass won’t reset a customer’s master password for them. Since you’re unable to prove your identity by entering your registered email address, there’s no way for them to confirm that you’re the real account holder.
The news that LastPass network security has been compromised is, of course, a serious issue. That the company being breached was one that provides a password-management service ratchets up the.
It’s part of the reason that LastPass is secure. If bad guys hacked into LastPass and stole all the data, they would get nothing; they wouldn’t be able to reset your password or see your information. The price for that security is that no one in the company can see your data either. It’s a serious and secure solution but the burden is on you: you must not forget the master password.
But let’s be real. It’s a mix of uppercase and lowercase letters, numbers, and symbols; you don’t use it anywhere else, and you’ve set your browser so you don’t have to type it very often. At some point, you might forget.
There are two effective ways to recover or reset a master password, but they have to be set up ahead of time. Your LastPass vault contains vitally important information. It is the modern equivalent of a fireproof safe in the bedroom closet, and probably more important in our 21st century lives than that safe ever was. Take the time now to set up one or both of these ways to recover your master password if it is forgotten.
There are other methods to recover a lost master password. LastPass lists them here. I’m focusing on Mobile Account Recovery because it’s new, easy, and effective, and Emergency Access, which is more of a back door. If you forget your master password and you haven’t set one of these up, then go down the list of other options. In my experience, they can work but the risks go up that things will go sideways and account recovery won’t work, which is sad. Get everything in order before you’re in this position!
LastPass Mobile Account Recovery
Last month LastPass added Mobile Account Recovery to its Android and iOS apps, which allows you to recover access to your account using fingerprint or Face ID authentication.
Install LastPass on your phone and connect it to your account. It might help you recover your account someday, even if you don’t otherwise plan to use it on your phone. (Don’t stop there – keep the app in mind and think about using it on the phone. The mobile app is getting better at filling in login names and passwords on other phone apps, which can be pretty handy.)
Set up the mobile app to unlock with your fingerprint or Face ID (Settings > Security > Enable Touch ID/ Face ID/ Fingerprint Authentication).
Then, in the phone app, enable Mobile Account Recovery (Settings > Security > account recovery).
You’re all set! If you forget your master password, open the phone app and tap on “Forgot password.” You’ll be asked to authenticate your identity with your fingerprint or Face ID and you’ll immediately be prompted to enter a new master password.
Although LastPass hasn’t publicly spoken about the details, it’s obvious that the app is tied into the biometric system on the phone, which is very secure. If you supply your fingerprint or are recognized by Face ID, the chances are very, very high that it is really you and it’s safe to let you reset the password. There are almost no openings for the bad guys to insert themselves.
This is a major step forward for LastPass and sets it ahead of other password managers. Highly recommended for all LastPass users!
LastPass Emergency Access
LastPass Emergency Access provides a safe way for you to give a trusted family member or friend access to your LastPass Vault if you become incapacitated or die. An interesting side effect is that the Emergency Access also gives you a back door into your Vault if you ever forget your master password. It’s not a perfect answer but if the worst happens you could obtain access through the trusted friend’s account and recover the data in your Vault. LastPass calls it an “alternative account recovery feature.”
This costs money! Emergency access is now only available with a LastPass Premium subscription, $36/year and rising. There is more information here about how it works in emergencies. The short description: you give emergency access to a trusted person who also has a LastPass account. In a crisis (say, for example, if you forget your master password) that trusted person can get a copy of your vault.
This is opt-in and optional. You’re trusting the people you choose to allow access and you’re trusting that you will be alert to notifications if they’re trying to gain access at the wrong time. Spouse, parent, child, sibling, friend: you have to trust them not to abuse this privilege and rummage through your passwords while you’re on vacation and out of touch.
But if you’re locked out of your account and nothing else works, this gives you one last chance to obtain your LastPass info by working with that trusted friend to gain access to the data instead of losing it forever.
The number one rule of LastPass is: you do not talk about Fight Club.
The number two rule, and perhaps more important in this context, is: you must never forget the master password.
Go set up Mobile Account Recovery, and Emergency Access if you have a Premium account, and protect yourself in case you violate Rule Number Two. (I can’t help you if you violate the first rule.)
Before passwords got complicated, and before the massive data breaches scared the living daylights out of us, LastPass was the perfect app for remembering my login information. It stored all of my passwords on my laptop and recalled them securely whenever I needed them.
Until one day, it didn’t.
That day finally came last week when LastPass surrendered its last password. It turns out I’m far from the only one who’s had a problem with a password manager. But this story is about more than a “free” app giving me what I paid for (nothing). It’s about the changing nature of computer security and what it means for you.
What is LastPass?
LastPass is a password manager that stores all of your passwords in encrypted form. You can install LastPass as a plugin on your browser and download it as an app for your phone. When you type in a password, it asks if you want to remember it; when you need to recall a password, LastPass offers to fill in the information automatically.
It’s a crowded field. Others include 1Password, Keeper and Dashlane.
Computer users like these programs because they never have to worry about remembering their password. Except for one. In the case of LastPass, if you are using the “free” version, you must remember your master password. If you forget your LastPass login, you lose all of your passwords.
How I lost all of my passwords
And that brings me to my sad tale. At the start of the summer, I made a difficult decision to restrict my daughter’s computer access. She had developed an Anime habit that was keeping her from doing her schoolwork. She’d be up all night watching the latest episode of Dr. Stone or KonoSuba.
In retaliation, my daughter threatened to hack my computer. She waited for me to leave my laptop unattended and then pulled up my LastPass screen. I would return to my laptop to find the LastPass tab active. There’s no evidence that she ever obtained my master password. But it made me far more aware that LastPass login could be a security vulnerability.
I’m not the only one who is worried. Last year, Google warned that LastPass could be hacked by embedding malicious code on a site. Although no passwords were reportedly compromised, the report made many customers uneasy about their passwords.
So last week, I opened my laptop and logged in to the content management system for this site (I am being deliberately vague about some technologies we use because, as you probably know, this site is a favorite target for hackers. The less said, the better.)
LastPass demanded my master password — the key to my entire password vault.
I typed it in.
It didn’t work.
What to do when your LastPass login doesn’t work
LastPass allows you to recover your password in several ways. One of them is to send yourself a hint. I did, but the password still didn’t work. Another one: If you’re still logged in on your browser, you can reset the password. I tried that, too. But while I was updating the password, I encountered an “encryption” error. And then the new password didn’t work, either.
I was locked out.
“No problem,” I thought. “LastPass is a big company. They’ll have technical support and will be able to help.”
Not really. The page for contacting LastPass just takes you to an online knowledgebase. There’s no chat or email form. I found an email address for LastPass and sent the company a message. I received an autoresponse that asked me to fill out a form on another site.
About two days later, I received this response:
How did LastPass — or LogMeIn, or whatever it wants to be called now — do? Well, I lost all my passwords. How do you think it did?
And who is Daniel?
My LastPass login still doesn’t work
I deleted LastPass — permanently. And not just because of LastPass’s incompetence or the thousands of one-star reviews from users who lost their LastPass logins, too. It isn’t even the small number of Elliott Advocacy readers who have complained to us about their LastPass logins over the years.
It’s that the idea of a “free” internet-based password vault is obsolete. Most of my banking, insurance, and email accounts insist on verifying my identity with additional safeguards like a text message to my cell phone or two-factor authentication. My computer and cellphone use biometrics to verify my identity.
When I did have access to my LastPass account, I remember getting regular warnings about compromised passwords. That’s when there’s a data breach, and someone gets access to one of your username/password combinations. A clever hacker can try that same combination on other sites, often gaining access to personal information.
I’m happy that LastPass stopped working. It happened on a slow Wednesday in August, when I had plenty of time to reset my passwords and store them in a more secure location. I believe the day when we rely on a password to gain access to secure information online is quickly coming to an end. Might as well make the transition sooner than later.
How to keep your passwords safer than LastPass
I’m no computer security expert, but I’ve been giving a lot of thought to ways to keep my information safer.
- Switch to a cloud-based keychain
Both Apple and Google offer their own internet-based keychains to store all of your passwords. You can access them with a password or with biometric data. I still use passwords, but each account now gets a different, randomly generated password that gets stored in my keychain and then forgotten.
- Use your phone as a key
Google already allows you to use your phone to verify your login. If you’re looking for even more security, try its Advanced Protection Program, which uses a physical key to keep your information secure.
- Know the limits
Bear in mind that switching to a combination of random passwords, biometrics and physical keys is not foolproof. I’ve written about the security risks of being online. A law enforcement agency could force your internet service provider or email service to hand over your passwords and keep it a secret from you. Or your phone could get intercepted at the airport. If you want guaranteed security, you need an air-gapped computer with 256-bit encryption on all of your files.
So here’s my advice.
If your LastPass login stops working, don’t bother trying to recover it. Give your passwords a security overhaul and stop entrusting sensitive information to a company that doesn’t care.