Why Should I Use LastPass?

I like my Internet Explorer, Firefox, Google Chrome, or Safari password manager just fine, why should I use yours?

Have you run LastPass.exe yet? It'll likely find passwords on your computer unencrypted, and if we can find them (and help you remove them) any other application could find them too -- it's safer to not keep them on your PC in an unencrypted form. Besides, using LastPass is more convenient in that it helps you pick good passwords, and allows you to share sites between your Mac at home and PC at work too. Also, you never have to deal with losing your passwords if you lose your computer. Ever waited for a site to send you a lost password? Make that a thing of the past. Also IE, Firefox, Google Chrome, and Safari do not have advanced features like multiple-identity form fill. Do you use multiple computers? Ever have to access your accounts from the road? LastPass makes these things easy and secure.

What makes you better than ...?

  LastPass allows you to stay synchronized; you'll have access to all your sites and can add new passwords that'll be available on all your computers
  LastPass catches and supports far more logins than Internet Explorer, Firefox, Google Chrome, or Safari can
  LastPass has Internet Explorer, Firefox (for Windows/Mac/Linux), Safari (for Mac/Windows), and Google Chrome versions, as well as a website implementation
  The website implementation allows you to get access to your data on the road
  LastPass Pocket allows you to access your data on your USB drive, Firefox Portable, Google Chrome Portable, and for premium users, IE Anywhere support for browsing from your USB drive
  We only support keeping the encryption done on your computer so LastPass can't see your sensitive data
  LastPass has a Form Fill feature which will save you time; it encrypts your sensitive data locally and available on the website
  LastPass is far more convenient than existing site information storage programs available
  LastPass has gone to great lengths to protect your privacy
  Unlike solutions like OpenID and Microsoft Passport, LastPass works within the way the web works today without relying on others or adoption of a new standard that won't be practical for years, if ever
  LastPass is completely free for standard use

What happens when LastPass.com is down? Can I still login?

Yes, if you're using the plug-ins. When you login to the Internet Explorer, Firefox, Google Chrome, or Safari plug-in, LastPass downloads and stores your encrypted data. If we're offline you're still able to login in offline mode, but you'll be unable to add or change sites while LastPass is off the air. You still will be able to export your accounts if you're running the plug-in. We have 2 data centers and a lot of experience running web applications so this should be a rare occurrence.

I want to try this, but what if I don't like it?

We're explicit in everything we do during the install process, and back out everything in the uninstall process except for one thing: deletion of passwords from legacy password managers. You can tell the LastPass installer not to delete the imported passwords, and rerun the installer later to clean them up once you're comfortable. If you use Internet Explorer or Firefox you can also re-export your passwords back into Internet Explorer or Firefox at any time. You may want to delete your account as well, see: Delete account

Technical Support

Help! I forgot my password!

Please try Account Recovery.

Help! The LastPass toolbar button does not appear in my browser!

Try right clicking on your browser's toolbar and making sure that 'LastPass Toolbar' is present and that it is checked. If it is not present, then try reinstalling LastPass. If reinstalling does not work, and you are using Firefox, then try disabling all other add-ons and themes (in particular, HP Smart Web Printing is known to cause problems), or reinstalling the LastPass Firefox Extension, or reinstalling Firefox itself.

If using Google Chrome, click on the wrench icon and then Extensions menu item and verify that LastPass is listed and enabled. If it is not, please install from http://lastpass.com.

Help! Some or all of my sites are gone!

You've setup an identity with a limited number of sites and have forgotten that you're in that identity. Go to your vault page and select the All identity.

Help! LastPass install fails saying it can not write to a directory!

Make sure you are logged in to Windows as a system administrator. Also, right click on the install directory and select 'Properties' and make sure that both 'hidden' and 'read-only' properties are unchecked.

Help! I'm being logged out of LastPass every time I close my browser!

This is mostly likely caused by your browser or another application clearing cookies, blocking cookies, or not allowing cookies to survive past browser restarts. Please see this page to confirm this diagnosis.

Why are you taking up a whole line in IE?

In most cases, the LastPass plug-in takes up virtually no extra space in your browser window. It usually fits nicely in a corner of your existing menu. Unfortunately, some other plug-ins (most notably, the Google toolbar) reposition all other installed toolbars so they end up on their own line. If you are running the Google Toolbar, you'll need to import this registry file to resolve it, we can't see any lost functionality after doing it: DisableGoogleBHO.reg. (If you are having issues downloading this file, then try downloading DisableGoogleBHO.rename instead and rename it to be DisableGoogleBHO.reg). Also if you've disabled all the other toolbars (Menu Bar and Favorites) we might take up a whole line. You might prefer the non-compact toolbar if that's the case (LastPass Icon -> Preferences). Also if you're unable to drag the icon right click and make sure 'Lock the Toolbar' is not set. It should also be noted that if you do not have the 'Menu' toolbar and you don't have the 'Links or Favorites' toolbars there are no toolbars left for LastPass to share the row with. LastPass has a command bar button (lives with Home, Feeds, Print, etc.) toolbar mode for this case.

What happens if I accidentally delete a site?

Your site is still available via 'Show Deleted Sites' on LastPass.com for 30 days and can be restored. You can also reach this page via the LastPass Vault -> More -> Show Deleted Sites link. If you want to be sure a site is purged immediately you can also use this page.

Security & Safety

Can you help me pick a strong LastPass master password?

Please see this page.

If someone steals my LastPass master password, then can't they steal my identity?

This is the same risk you have with your email account: it's simple to use the forgot password link on websites. It's also much more difficult for a hacker to obtain your LastPass master password because unlike email, with LastPass your LastPass password never leaves the PC you're using. That being said if you pick a poor password or are not careful with your LastPass master password it could be more dangerous. Our hope is that if you have a single password you're likely to protect it better and change it more often.

How can I login and get access to my data from any computer? How can this be safe?

Whenever you setup/edit/add sites/notes your sensitive data is encrypted locally on your computer then the data is sent to LastPass. When you go to a cyber-cafe or a new computer and login, first a hash is made locally to check if your account exists and your password is correct. If it is, then your data is downloaded and decrypted on the local computer you're using; this includes LastPass.com where it's done using JavaScript (that's why there is a delay when you first login).

What are phishing scams and what steps can I take to protect myself against them?

Please see this page for more information.

What if someone steals your servers?

Your sensitive data is encrypted with your key that LastPass doesn't have, so it can't be taken. The only pieces of sensitive information that we have, is your password hint (server side encrypted) and email address. We will notify users via the email address you provided at sign-up and post on our blog as a precautionary measure but we won't need to recommend that you change your passwords as all your sensitive data is encrypted. LastPass has two active data centers so the website and service will still be available. Even if all our data-centers went down, you still will be able to login to your accounts via the plug-ins while we recover.

What encryption is being used?

AES utilizing 256-bit keys.AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins. This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what's sent to verify if you can download your encrypted data.

I'm worried that there might be a key logger on this PC, can you help?

If you click on the 'Show Keyboard' link on the LastPass.com homepage you'll be able to login without using the keyboard. This will also log you into the plug-in if you have it installed.

Do you use a salted hash for login purposes?

Yes, we first do a 'salt' of your LastPass password with your username on the client side (on your computer, LastPass never gets your password), then server side we pull a second 256 bit random hex-hash salt from the database, use that to make a salted hash which is compared to what's stored in the database. This is beyond overkill but we want to store nothing that can even theoretically be used to do a dictionary attack against password hashes if LastPass' servers were somehow compromised. We hope having nothing of value makes us less of a target, and that by taking every conceivable caution we can think of makes you more safe.

How can I inspect the network traffic that goes to LastPass?

The vast majority of the data is encrypted, then sent over SSL, but if you want to satisfy your curiosity about what goes over https you might want to try Fiddler2 for IE, and Tamper Data for Firefox.

How do you handle dictionary attacks for my LastPass.com account?

We store a record of each login failure, and if a certain IP passes a threshold of failures we start doing 5 minute lockouts. We also have a global lockout threshold if someone distributed an attack against your account. This does not impact you logging into your local cached copy.

Has your software been verified by an independent 3rd party?

3rd party verification is on our road-map. Members of Mozilla Corporations' Firefox Add Ons team have reviewed some parts of our Firefox code base and individual end-users have carried out their own external audit of our software to verify that it does what it purports to do. Namely:

  Confidential data in your vault is encrypted before it is sent to LastPass
  Encryption is performed using your LastPass Master password
  Your LastPass Master password and encryption key generated from it never leaves your computer - so you are the only person who can decrypt your data

How do the bookmarklets work?

Bookmarklets have a random number embedded in them that is generated locally using JavaScript, and then that number is embedded into the bookmarklet's code (also with Javascript).

A hash is then created of that (which is also salted with your username) and sent to LastPass as a way to grab an encrypted copy of your key (encrypted with the locally created random number). Your actual key can then be decrypted from a login session with LastPass.com + the local 256-bit random number. This allows LastPass to offer this functionality while staying true to the privacy statement of never having access to your sensitive data.

This bookmarklet should be somewhat protected - never send it to LastPass - if combined with a LastPass login session it gets your key, so for security purposes we provide a way to 'recreate' your bookmarklet, which throws away the encrypted copy of your key and recreates it with a new random number (invaliding all existing bookmarklets).

Where is the local copy of my data stored? Can I back it up?

  Windows Internet Explorer, Firefox: %AppData%\LocalLow\LastPass\ or %AppData%\..\Local Settings\Application Data\LastPass\
  Windows Google Chrome: %AppData%\Local\Google\Chrome\User Data\Default\databases\chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0\
  Windows Safari: %AppData%\Local\Apple Computer\Safari\Databases\safari-extension_com.lastpass.lpsafariextension-n24rep3bmn_0\

  OS X Safari, Firefox: ~/Library/Application Support/LastPass/
  OS X Google Chrome: ~/Application Support/Google/Chrome/Default/databases/chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0/


  Linux Firefox: ~/.lastpass/
  Linux Google Chrome: ~/.config/google-chrome/Default/databases/chrome-extension_hdokiejnpimakedhajhdlcegeplioahd_0/


  Firefox on other platforms utilizes the Firefox profile directory.
You can back these directories up and they will contain the latest copy of your data. Be aware that on Windows, Protected Storage is used to additionally encrypt your data so you'll need to ensure that your Windows profile is also backed up. Your data is also backed up at LastPass.com, and a copy is on any other device or computer you use so this isn't required

How Do I...

How should I best add my accounts to LastPass?

We highly recommend that you use LastPass.exe to capture and remove accounts on every machine you own, and use the plug-ins to add your accounts by doing a normal login session while logged in. One last pass (pun intended) through your accounts and you're setup forever. We don't recommend the website to add accounts because it's far less intuitive.

How do I logoff

If you're logged into the website only (e.g. using a currently unsupported browser, or without the plug-in installed), you can just close the window. If you're logged into the toolbar, click the LastPass icon, then choose Logoff.

Can I get an export of all my usernames/passwords?

Yes, there is an Export icon when you login to LastPass.com, and in the 'Tools' section of the plug-in. We need to locally decrypt your data. If you don't have the plug-in you will have to copy and paste this data into a text file with the extension '.csv'. This is a 'Comma Separated Values' file which Excel can then read. You can export without an Internet connection if you use the plug-ins. You can also use LastPass Pocket to doubly ensure you always have access to your data.

I like to open a few sites and login every day, can you help?

Yes, if you go into edit from the plug-ins (Right click on the site), or hit 'Edit' from LastPass.com, you can setup sites to be 'Favorites', which will allow you to hit the 'Open Favorites' button on the toolbar and login to all your favorite sites. This is commonly used to open your web based email, your bank account, and your work sites. You can do something similar by assigning a group to sites you want to open all together as well.

Can LastPass automatically logoff?

Yes, by default your account is created with a two-week session life for the Internet Explorer, Firefox, Google Chrome, and Safari plug-ins for your convenience. If you close the website and you don't have the plug-in installed then your session is over. There are 2 settings you might wish to consider: The Internet Explorer, Firefox, Google Chrome, and Safari plug-ins have a Tools -> Preferences menu, where you can set your account to auto-logoff. Some people like to setup auto-logoff at work, but leave it off at home. You can also shorten your auto-logoff timeout or Bookmarklet timeout via the 'Settings' icon when you login to LastPass.com, which applies to the website.

How do I change my email/password?

You must login to LastPass from the website. Then go to Settings and you can change your email or password (you'll be prompted for your current password after entering your new one). From the extension, you can go to LastPass -> My LastPass Vault, and then More -> Change Password. LastPass can NOT change your email or password for you.

How do I permanently delete my LastPass account?

Go to the Delete Your Account page and follow the directions. As the web page mentions, please be sure to export and save all of your data before deleting your account as this operation is not reversible. If you also can't remember your password you'll have to use Delete account no password which will have to first send you a confirmation email.

You should also uninstall the software:

  Go to Start -> Program Files -> LastPass -> Uninstall LastPass.
  If you only installed the Firefox extension (including on a Mac), go to Firefox -> Tools -> Add-ons -> LastPass -> Uninstall.
  To uninstall the Google Chrome extension, go to Google Chrome -> Wrench -> Extensions and click the Uninstall link next to LastPass for Google Chrome.
  To uninstall the Safari for Mac OS X extension, go to Safari -> LastPass button -> Tools -> Uninstall LastPass. You may also re-download the Safari installer which has an uninstall application.
  To uninstall the Safari for Windows extension, go to Safari -> Edit -> Preferences -> Extensions -> LastPass -> Uninstall.

I've made a change on another computer, how can I make changes show up immediately?

If you have polling enabled (it is by default), it should automatically update your data the next time it polls. If you disabled polling or want the change to be reflected immediately, hit the LastPass Icon in your browser -> Tools -> Refresh Sites.

How can I add account logins that are spread across multiple login steps?

We recommend using the Save All Entered Data feature on each step of the multi-step login. For each step, first enter your data on each page, then before submitting, use LastPass -> Save All Entered Data.

How do I re-enable auto-completion of passwords in Internet Explorer, Firefox, or Google Chrome?

  For Internet Explorer : Tools->Internet Options->Content->Autocomplete Settings button->Prompt me to save passwords - should be checked, then click Apply and restart the browser
  For Firefox : Tools->Security->Remember Passwords For Sites - should be checked, then click OK and restart the browser
  For Google Chrome : Wrench->Options->Personal Stuff->Offer to save passwords - should be checked, then click Close and restart the browser
NOTE: On Windows, uninstallation of the LastPass Installer/Importer will also return your settings to how they were prior to installing LastPass, and you can re-import your passwords back into Internet Explorer and Firefox at any time.

How can I change the language/locale used by LastPass?

LastPass Icon -> Preferences -> Advanced -> Language, for the Windows installer you can re-choose your language by first uninstalling LastPass

How can I use LastPass from my USB drive on other people's computers without installing?

The download page has instructions for setting up portable Firefox, portable Google Chrome, LastPass Pocket, or as a premium feature, IE Anywhere. You'll want to create your account through the installer or the homepage before doing this. You can also always access your data by going to LastPass.com on any computer.

Can I specify certain domains as equivalent?

At times, you might find adding a domain equivalency to be helpful, such as when a site's login box is in an IFRAME on another domain. To do this, from the extension, go to LastPass -> My LastPass Vault, and then Account Settings. From there, choose the Equivalent Domains tab. This also allows you to delete globally equivalent domains.

I want to match a site saved with Save All Entered Data to multiple URLs.

By default, sites saved with Save All Entered Data are limited to a single URL, such as https://lastpass.com/login.php. However, you may sometimes want it to match multiple URLs. One example could be when a site embeds a session ID in a URL, for example https://lastpass.com/0D6441FEA4496C2/login.php. In this case, you might want to edit the site's URL and make it https://lastpass.com/*/login.php. The asterisk (*) will allow any text string to match where it is placed.

How do I confirm that I am running the latest version of LastPass?

Most LastPass browser extensions and applications try to detect if a newer version is available and prompt you if you would like to automatically update. If you are not prompted or if automatic update fails, then you can manually update your version by downloading and reinstalling the latest version from our website. To determine the current version of your LastPass browser extension, click on the red LastPass browser toolbar button -> Tools -> About.

How do I add new groups to my Vault?

When adding and editing sites, you can type any group name into the group input. If that group does not already exist, it will be created.

When Will You ...

When will you support Palm Pre?

A webOS beta is now available. Please click here for more details.

When will you support a browser extension for Opera?

We can not create a native extension for Opera until they support browser extension - see this post for details. Until then, you can install the LastPass Bookmarklets or use the LastPass.com website to access your data.

When will you support Safari using Snow Leopard (Mac OS X 10.6.x)?

Support for Safari using Snow Leopard (Mac OS X 10.6.x) is already available. Please download the LastPass browser extension for Safari.

When will you support Safari for Microsoft Windows?

Support for Safari for Microsoft Windows is already available. Please download the LastPass browser extension for Safari.

When will you support OpenID?

We have coded up what's necessary to support OpenID both as an 'identify provider' and as a 'relying party', but as part of that process and the testing process we've concluded that it's not user friendly nor safe enough for our users at this time due to phishing issues, and disabled it.

When will you translate LastPass into my language?

We rely on volunteers to help make LastPass available for free for non-English speakers. Click here to learn how you can help translate LastPass into your language.

Where is the mobile version?

LastPass for iPhone, BlackBerry, Windows Mobile, Android, Symbian S60, and Palm webOS are available. LastPass also has m.lastpass.com as a stop-gap until native clients can be built for popular mobile platforms

Multifactor Authentication

What is a YubiKey, how do I get one, and how does it help protect my LastPass vault?

A YubiKey is a key-sized device that you can plug into your PC's USB slot to provide multifactor authentication when accessing your LastPass vault. To learn more, please watch the following screencasts:
   How to use LastPass with a YubiKey
   How using a YubiKey makes LastPass safer
. If you wish to purchase one, please visit Yubico.com.

What is LastPass Sesame and how does it help protect my LastPass vault?

LastPass Sesame is a portable cross platform application that can be placed on any USB thumb drive allowing you to use the thumb drive as a multifactor authentication device when accessing your LastPass vault. To learn more, please watch the following screencast: How to use LastPass Sesame. LastPass Sesame is available for free to all premium subscribers and can be downloaded from here.

What are the feature differences between LastPass Sesame and a YubiKey?

- Both provide multifactor authentication
- LastPass Sesame is free and can be placed on one of your existing USB thumb drives while a YubiKey costs $25
- LastPass Sesame can be configured to automatically show the LastPass login dialog when your USB drive is inserted
- A YubiKey can be used with other non-LastPass related services
- With YubiKey, your offline password is sent via keystrokes on every login. With Sesame, your offline password is not used if you are connected to the Internet
- A YubiKey is a read-only device that can not be easily copied whereas the Sesame OTP generation credentials can be copied by copying the contents of the USB thumb drive Sesame has been installed on.

Business

Why are you giving LastPass away for free?

Our goal in building LastPass is to fundamentally change the ease of use and security for every single Internet user in the world. We feel we are on a path to achieving this goal and are compelled to not exclude our technology advancements from those who might be economically disadvantaged. For these reasons, we rely on a freemium business model: all basic features of LastPass are completely free, but advanced features such as mobile phone support are part of LastPass Premium which can be purchased for a modest fee of $1 per month. If you derive benefit from using LastPass and can afford the payment, then sign up for LastPass premium today and help us change the world.

How are you going to make money?

We come from the enterprise software as a service space, so we're leaning towards that market. We're also contemplating some non-obtrusive advertising on LastPass.com (similar to Gmail). We will not pull the rug out from any of our existing user-base, and we will not do anything that harms our reputation or brand.

If I put all my passwords in this system what happens if you disappear?

As long as you have logged into the plug-ins you would be able to export all your passwords, even with LastPass completely gone (see exporting below). LastPass Pocket is also offered for backup access on your USB/portable drive. You can also re-import your passwords back into Internet Explorer and Firefox. That being said, we're spread across 2 data centers, 2 countries, and have 4 people who can each run the service individually and have no plans of going anywhere.