It happened to me. The steps I took, the mistake I made, and what I had at risk.
On a recent trip, I arrived at my hotel, set up my laptop, and was working along when I needed to sign in to my LastPass vault. After entering my ID and master password, I was greeted by a message saying I needed to check my email for a message confirming that it was really me.
Fine. No problem. Extra security is good.
Except the message never came.
Here’s what happened next.
I couldn’t sign in to my password vault due to an email that appeared not to arrive — but realized I had several other ways to access the information and accounts in my vault. After I reached out to LastPass support, they quickly reminded me of a security setting I’d overlooked that would have allowed me back in instantly. The experience reinforces the security of using a good password vault like LastPass.
Before we proceed
I want to be clear that LastPass did almost everything right. I have one suggestion for a minor improvement on their part, which I’ll mention below, but the reasoning behind the additional security is sound (I was signing in from a new location).
When you think about it, extra security on the part of providers like LastPass only makes sense. A minor annoyance, like an extra step to confirm you are who you are, is small compared to the disaster that might result should the wrong person be granted access.
You just have to do your part by having up-to-date security information.
That’s where I stumbled slightly.
It was never going to be a disaster
Not being able to sign in to my LastPass account on my laptop seems like it might be a huge problem.
It wasn’t. It was, at worst, an annoyance. I didn’t “lose” anything, and I certainly didn’t lose access to any of my accounts.
There were three ways I was covered, no matter what happened.
- LastPass on my phone. This is how I solved my immediate need. I opened LastPass, viewed the password for the site I was attempting to access, and carefully entered it on my laptop. Naturally, since my passwords are long and complex (example: “beKqRCS9UM6Wac5ffkBD”), this was a slow process, but it worked.[1]
- I have backups. I didn’t need this, but it was an option. I back up my LastPass vault more or less monthly, and had done so just a week or so prior to my trip. With remote access to my systems at home, I could, if needed, transfer the backup to my laptop and extract whatever passwords or account credentials I needed. The backup itself is manually encrypted[2] and secure.
- Password recovery. Even if I lost access to the vault entirely and had been unable to access my backups, I still would not be locked out of anything. I can do a password/account recovery on those accounts to which I need immediate access. They all have current recovery information using alternate email accounts, phone numbers, or backup codes I had access to should I need them.
So, as you can see, losing access to my vault would be — at worst — an inconvenience.
With that knowledge, I relaxed and got my work done.
Then I reached out to LastPass.
I decided to reach out via Twitter. They responded with a request I direct-message them my account email address so they could look into it. The next day, I had received a more detailed response.
I’ve had LastPass for a long time, and honestly, I don’t recall ever having set up a security email. “No email from LastPass?” in the initial email might have clued me in to look elsewhere, but it didn’t occur to me.
And yet . . . I started checking some of my lesser-used accounts, and sure enough, there it was: the email I’d been missing.
A pretty standard “verify a new location” request. Good security, as long as you remember that the message might be sent to the security email and not the primary account email. (And, of course, you remember that you have a security email configured.)
Again, this makes total sense. Had this been a malicious login attempt, it would imply that someone knew my master password. It might also imply that the email address used for my login could also have been compromised, or was at least at somewhat higher risk, so sending a verification email to the security email address makes sense.
The only change I’d suggest on LastPass’s part? Include some indication in the initial notification that the security email address might be used. That would have saved me from this entire scenario.
A change I’ve made since
Everything worked as it was supposed to. The only issue was that I didn’t remember that there was an “alternate” or security email address associated with the account, or remember to check that account.
Since the time I apparently set that up, I’ve started using a different email address at a different provider for my recovery emails for other accounts. This recovery email doesn’t rely on any of my other email infrastructure.[3] More pragmatically, it has a mobile app and I have notifications turned on, so I would have immediately noticed that email had arrived at that account.
I’ve since updated my LastPass security email to use that same recovery address.
An indictment of password vaults — not
This isn’t an indictment of LastPass or password vaults in general. In fact, just the opposite: it shows just how protected you really are when strong security measures are in place. Using a password vault remains more secure than any other alternative I’m aware of — any other alternative.
You do, however, need to take responsibility for the security and recovery options associated with the account.
And (*cough*) not forget that you’ve set them up.
Footnotes & References
1: After a couple of tries, I ended up doing what amounts to a secure copy/paste instead, using a text file, DropBox, and BoxCryptor on both the phone and laptop to avoid the re-typing. BoxCryptor is what kept the text file secure from prying eyes.
3: Yes, I have “email infrastructure”. The best example is that all email is routed through my own servers. The recovery email address I’m now using doesn’t, just in case there’s a problem with my servers or other infrastructure. Clearly, that’s not a problem “normal” people will have.