
How do I change my LastPass master password?

As I write this, the folks at LastPass recently announced that they saw unexplained traffic on their network and could potentially have seen some of their internal data compromised. It’s important to note that no user accounts have been hacked, and no unencrypted user account information has been compromised.

However, to err on the side of caution, they are recommending that we all change our master passwords.

Here’s how you do that.


Change your LastPass master password

Go to LastPass.com on the web and click on the log-in link.


Log in with your current LastPass password.


After your vault is displayed, click on Account Settings.


It should come up with the “General” tab selected. Click on Change Master Password.


Enter your old password, to confirm that you have the authority to make the change, and then enter your new master password twice.


I recommend using a multi-word passphrase. Passphrase, because it’s longer, which is more secure. Multi-word, because that’s easier to remember. The phrase doesn’t need to make sense; in fact, it’s probably better if it doesn’t, as long as it’s easy for you to remember.
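The "longer is more secure" point can be put in numbers. The following is an added example, not code from the original article: it assumes every word is picked at random from a fixed list, and the function names and the 32-word sample list are constructed for illustration.

```python
import math
import secrets

# Constructed 32-word sample list so the block runs offline. For real use,
# load a large published list (the EFF long word list has 7,776 entries).
SAMPLE_WORDS = (
    "anchor basket candle desert engine fabric garden harbor "
    "island jacket kettle ladder magnet napkin orange pencil "
    "quiver ribbon saddle tunnel umpire velvet walnut yellow "
    "zipper bridge copper dragon ferret goblet hammer pillow"
).split()


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy when each of `picks` items is drawn uniformly from `choices`."""
    return picks * math.log2(choices)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def make_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Build a passphrase with the OS CSPRNG (secrets), not random.choice."""
    if n_words < 1:
        raise ValueError("need at least one word")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates, entropy would be overstated")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # 8 random printable-ASCII characters (94 symbols) as the baseline.
    baseline = entropy_bits(94, 8)
    print(f"8 random characters:        {baseline:5.1f} bits")
    print(f"5 words from a 7,776 list:  {entropy_bits(7776, 5):5.1f} bits")
    print(f"4 words from this 32 list:  {entropy_bits(len(SAMPLE_WORDS), 4):5.1f} bits")
    print("words needed (7,776 list) to beat the baseline:",
          words_needed(baseline, 7776))
    print("sample (tiny list, illustration only):", make_passphrase(5))
```

The third line of output is the caveat: word count only helps when the list the words come from is large, which is why the tiny sample list is for illustration only.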

Shortly after making the change, you should receive an email that notifies you that a change was made. This is a security measure that would alert you to a password change that you did not initiate.


Depending on your settings, and on how many other places you use LastPass, you may need to log in to LastPass again using your new master password.


18 comments on “How do I change my LastPass master password?”

  1. LastPass sent all users an e-mail that said, “We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data [were] taken, however other data, including email addresses and password reminders, was compromised. We are confident that the encryption algorithms we use will sufficiently protect our users.”

    I worked out my master PW over the first 5 of the 10 years I’ve used LastPass. It is so long and cryptic that “HowSecureIsMyPassword.net” says it would take a PC 526 years to figure it out. I have given the PW to only one person, my daughter, in case of my death. I would prefer not to have to figure out AND commit to memory AND give to my daughter another PW. From what I read in their notice, it doesn’t sound like anyone gained access to the passwords, which suggests I don’t need to change it. What am I missing?

    Reply
    • It’s a safety measure, nothing more. I think that with a sufficiently secure password you’re most likely still safe. I changed mine because I’d been meaning to, specifically to make it longer and more secure. Folks with simple passwords may be the most at risk, but even then I don’t think there’s a real risk that’s been identified.

      Reply
  2. In trying to change my LastPass Master Password, I get the following error:

    Google Authenticator authentication required! Upgrade your browser extension so you can enter it.

    Can’t figure it out

    Reply
    • I figured it out. I was using an older LastPass version. I am now using ver 3.1.95. Once I reinstalled LastPass with the new version, all went well.

      Reply
  3. So what then IS considered a safe password? Mine is 21 characters including all lowercase letters and 5 numbers. How would you rate this?

    Reply
  4. Dear Sir ,
    Thank you for guiding how to change my password. I always get difficulty for changing my password because first of all I understand little the instructions because I am very new to how to operate my computer I am trying to go & join the computer school very eager to learn computer technology but I find very difficult to remember as I am 70 years old. How can I get a booklet which I can read slowly & follow it please advise me.
    Thanks God Bless you.

    Reply
  5. You say “no user accounts have been hacked, and no unencrypted user account information has been compromised”, but that’s not what LastPass said. They said “No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised”. The implication is that they found no evidence of loss of user data, since they do not say their systems properly monitor if something is taken or not. Nor do they say what “compromised” means.

    One potential concern is they and possibly you have vested interests in playing things down. I note your account is less alarming than the one from LastPass. Can you say you have no interest in the matter; perhaps you should say that either way?

    If the vaults were not ‘compromised’, why are they suggesting a change of master password? What do they mean, “to be on the safe side”.

    How could users have an unbiased account of the status of the security of their data?

    Regards,

    Mike

    Reply
    • Not sure what you’re looking for from me. I have no vested interest in LastPass, and if you choose to move to a different system I certainly won’t object. My comments stem from the fact that I believe that, while this is of course serious – any breach is – there’s actually little impact on users of LastPass. By that I mean that you and I are not at any significantly additional risk than we were before the hack. My frustration is that the general technology press likes to make end-of-world headlines and thus overstate the impact (or at least imply that the impact is far greater than it actually is). As a result, people – people that visit Ask Leo! – panic and make ill-conceived decisions based on inaccurate information.

      The hashes of users’ master passwords were stolen. (https://glossary.askleo.com/hash/) That is NOT NOT NOT the same as actually having the password – which were NOT stolen because LastPass doesn’t store your password – only the hashed value of the password. Having the hash does not allow the hackers to gain access to your LastPass account.

      With one exception: if your master password was WEAK – as in, say, one of the top 1,000,000 most common passwords in general, then **in theory** the hackers could mount some kind of a brute force attempt to determine your passwords. This is still extremely unlikely, given the hashing algorithm that LastPass uses. But since the theory exists, it is easily thwarted by changing your master password. This completely invalidates the hash value the hackers have in their hands. So “to be safe” means doing that, and also making sure at the same time you choose a sufficiently lengthy/complex password when you do it.

      But, like I said, if you don’t feel convinced, then absolutely switch to another password manager. Find one you trust.

      I trust LastPass. Still.

      Reply
