LastPass Breached, But User Passwords Were Not Accessed

On August 25, 2022, LastPass announced that it had been investigating "unusual activity" within parts of its developer environment. During this investigation, LastPass concluded that no user accounts were compromised. As a password management company, it is in their best interest to protect their users' private information, but you still need to make sure your account is set up as LastPass recommends.

To ensure you are fully protected in LastPass, please follow the setup instructions below. This setup includes multi-factor authentication, which should be used wherever it is offered to protect your accounts from cybercriminals. If you’re using LastPass for UVA passwords, multi-factor authentication is a critical component of a strong cybersecurity strategy in the face of rising ransomware attacks.

LastPass Account Setup Best Practices to Protect Your Account

The recommendations are listed below. If you have any questions regarding the setup of your LastPass account, please review UVA's LastPass information page.

  1. Download the app. - You can download the LastPass app on your iOS or Android device from either the Apple App Store or Google Play Store in just a few touches. We recommend using LastPass on both mobile and desktop, so make sure to also download the LastPass browser extension for Safari, Chrome, and Firefox. The browser extension prompts you to save passwords to your LastPass vault, generate new passwords, and autofill login information seamlessly.

  2. Use your master password to log in. - Your master password is the last password you’ll ever need when using LastPass, so make sure it’s unique. That means never (and we mean never) reusing it. Whether you’re already a password pro or need some guidance on creating strong credentials, it’s always good to take stock of what makes a master password difficult to crack:
     • A minimum of 12 characters (the longer the better!)
     • Upper case, lower case, numeric, and special character values
     • A random, memorable passphrase (but one that’s not easily guessed)
     • No personal information (pet names, street addresses, family names)

  3. Set up multi-factor authentication (MFA). - LastPass Authenticator offers an adaptive authentication experience while adding an extra layer of security. The LastPass Authenticator app can be downloaded onto your iOS or Android device. Multi-factor authentication combines multiple factors to prove your identity: something you know (a password), something you have (a mobile device), and something you are (a biometric). If you’d like to take authentication a step further, you can set up passwordless login to your vault with the Authenticator. You won't need your master password again except for account-related changes.

     Pair your new device to your LastPass account by logging in to your LastPass account, selecting I have a new phone > Send me a recovery email, and following the subsequent prompts. You’ll be sent an authentication registration email to pair your LastPass account with your new device.

  4. Update your trusted devices. - If you’re the only person using this new device and have good password hygiene, you can update your account settings to trust this device. When prompted by MFA after logging in, you can select this as a trusted device for the next 30 days. Make sure to take stock of all your trusted devices. If there’s one that’s out of commission, delete it from your list of Trusted Devices.


You’re LastPass ready!

Made it all the way to step four? You’re now secure with LastPass!  

Keep exploring your LastPass vault to ensure that all your credentials are accounted for, that you’ve set up Emergency Access by adding another active LastPass user, and that Dark Web Monitoring is turned on so you can stay ahead of breaches.

Learn more about all that LastPass has to offer to take your security, whether personal or professional, to the next level.

LastPass is an application that safely manages passwords for users. UVA supports the use of LastPass for storing passwords, but we do not support using the application to store highly sensitive data, as this violates the University data protection standards and policies.


Source URL: https://security.virginia.edu/last-pass-breach-August-2022