LastPass Security

We Value Your Concerns

Our business is keeping customer information both private and secure.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at LastPass. Every day new security issues and attack vectors are created. LastPass strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We also work with highly talented members of the LastPass community who offer their expertise to help improve the product for everyone.

If you have discovered a potential security issue with any of our products, we kindly ask you to let us know as soon as possible.

How To Report Security Issues

When reporting potential issues, please try to be as thorough as possible, providing us enough information so that we can recreate your findings. Make sure you include a code sample and screencast that clearly demonstrates the exploit you have found. If you are using automated tools to find vulnerabilities, please be aware that these tools always report false positives. Most times, it's insufficient to simply find the vulnerability and point us to an FAQ on the subject: you should show us how it can be used to impact user data or our systems. As an example, if you find a clickjacking vulnerability, please clearly show us what sensitive action the end user can be tricked into performing.

1. Read the LastPass Security FAQs
Read the LastPass Security FAQs to make sure your concern hasn't already been addressed.

2. Submit a new support ticket.
Be sure to select 'I Want To: Report a security vulnerability'.
We'll respond back to you within the support ticket unless the issue is of a sensitive or urgent nature, in which case we'll email you directly. Please give us 48-72 hours to review your issue in depth.

3. If the information is sensitive, please encrypt it accordingly with the following public key:



What Happens After I Submit a Security Concern?

Once you have submitted a security concern, here's what we promise to do on our end:
  1. We'll immediately take steps to identify if the concern is a legitimate issue and determine its severity.
  2. If we require more information, we'll contact you directly. Otherwise, we'll try to fix the issue, potentially with your assistance. While fixing the issue will generally be completed in short order, deploying the fix to affected customers will be done based on the issue's severity.
  3. Once the issue is fully resolved to both your and our satisfaction, we'll thank you for your discovery.

LastPass Security FAQs

I have LastPass multifactor authentication enabled but LastPass filled my credentials into a site before I entered my multifactor token. Is this a security issue?
To validate your multifactor token, multifactor authentication requires that you have an Internet connection: if you do not pass us a correct multifactor token, LastPass will never release your encrypted data. However, LastPass also has an 'offline mode': it keeps a locally cached encrypted copy of your data on your local device so that you'll still be able to access your data even in the event that you do not have Internet access. When you log in to LastPass we first log you in offline to the locally cached copy of your data and then try to log you in online. As a result, you might experience cases where LastPass fills in credentials before you provide us your LastPass multifactor token. If you want to prevent this behavior, you can take the following steps:
  1. Log in to LastPass
  2. Browser - LastPass Icon - Tools - Clear local cache
  3. Log off LastPass
Click here for more information.

My Anti-virus Program Has Warned Me that LastPass Is a Virus/Trojan/Suspicious - Should I Be Concerned?
Most modern anti-virus programs today rely on a trust network to determine if a file represents a threat. As a result, despite signing all executable files we distribute using a digital certificate, every time we release a new version of our software it typically results in anti-virus programs flagging it as suspicious until it is distributed to thousands of users and/or until end users update their virus definitions. If you encounter this issue, please follow these steps:
  1. Re-download the problematic files from the LastPass Download page.
  2. Upload the suspicious files to Virus Total, a service that will analyze the files using dozens of the industry's top anti-virus engines. Unless the results indicate that several top anti-virus engines believe the files to be infected, it is likely they are safe.
  3. Right click on the files and select 'Properties' from the context-menu, and then choose the 'Digital Signatures' tab. Make sure the files have a valid digital signature and have been signed by 'LastPass' and if necessary, view the certificate. This will assure you that the files were created by LastPass and have not been modified by a rogue 3rd party.
  4. If after the above steps you still believe that files are infected or were not created by LastPass, then please contact us at
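
Steps 2 and 3 above can also be scripted on Windows. The following is an added example, not LastPass code: it computes a SHA-256 hash that can be looked up on Virus Total and runs the same check as the 'Digital Signatures' tab. The download path is a hypothetical file name, and the signer string 'LastPass' is the one given in step 3.

```powershell
# Added example (not LastPass code). The default path is a hypothetical download location.
param(
    [string[]]$Path = @("$env:USERPROFILE\Downloads\lastpass_installer.exe"),
    [string]$ExpectedSigner = 'LastPass'   # signer name given in step 3
)

function Test-InstallerSignature {
    param([string]$File, [string]$Signer)

    $result = [ordered]@{
        File = $File; Sha256 = $null; Status = 'FileNotFound'
        SignerName = $null; Thumbprint = $null; Trusted = $false
    }
    if (Test-Path -LiteralPath $File -PathType Leaf) {
        # SHA-256 lets you search Virus Total by hash before uploading anything.
        $result.Sha256 = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash

        $sig = Get-AuthenticodeSignature -LiteralPath $File
        $result.Status = [string]$sig.Status

        if ($sig.SignerCertificate) {
            # SimpleName is the subject's common name, as shown in the Properties dialog.
            $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
            $result.SignerName = $sig.SignerCertificate.GetNameInfo($nameType, $false)
            $result.Thumbprint = $sig.SignerCertificate.Thumbprint
        }

        # 'Valid' means the file hash matches the signature and the chain is trusted.
        # HashMismatch (file modified after signing), NotTrusted and NotSigned all fail.
        $result.Trusted = ($sig.Status -eq 'Valid') -and
                          ($result.SignerName -like "*$Signer*")
    }
    [pscustomobject]$result
}

$Path | ForEach-Object { Test-InstallerSignature -File $_ -Signer $ExpectedSigner } |
    Format-List
```

The signer comparison is a substring match, so review the reported `SignerName` and `Thumbprint` rather than relying on `Trusted` alone.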

Someone has shared a site with me and left 'Allow Recipient to View Password' unchecked, but I found a way to view the password.
As soon as a password leaves LastPass and gets filled as credentials in a browser, we can no longer protect it. As such, if a user uses LastPass to enter a shared password in, say, Google Chrome, we can no longer guarantee its safety. It might be compromised by the browser, by a virus, by the network, or even by the end website it is being sent to. This is also mentioned in our documentation. The idea behind using LastPass to protect shared credentials is much broader: if you use LastPass to share passwords with employees or friends, and thereafter revoke the credentials, LastPass gives you the ability to quickly and easily update that password. So while we can't fully protect shared credentials outside LastPass (because our reach does not extend to or past the browser), we can help secure them by allowing you to change them quickly and then have that change automatically propagate to everyone else you shared with.

LastPass Security Researchers

Click here to view a list of security researchers and companies that have contacted us directly to work with us to fix security flaws safely.

Thank You

LastPass is indebted to the following security researchers and companies that have helped report, improve, or resolve security-related issues.

We are especially appreciative that they have contacted us directly to work with us to fix security flaws safely. Their talent deserves to be recognized and applauded:

There have also been other unnamed LastPass users and community members who have helped improve and refine our security model.