I like many, have LastPass. I it recommended changing your master password every so often?
1 Like
Changing your password is old school thinking. There is not really any benefit to changing your password as the likelihood is that you will make the password simpler to remember or you are more likely to forget what you have changed it to.
IMO your lastpass password should be as complex as you can make it while still being able to remember it. You should only change it if you think it has been compromised.
7 Likes
The only benefit to changing your password on occasion is to eliminate the possibility that someone has it that you are unaware of. If you’re using your LastPass in an environment where someone could have learned it, then it might still be good advice to change it on occasion. But if you don’t have this risk, then it’s unlikely that someone is specifically targeting you and your password.
5 Likes
Like the others have said, unless you suspect that the password could have been compromised, there is no need to change it.
A better idea would be to add 2-factor authentication to the account - either a Yubikey or an Authenticator app.
5 Likes
I have only changed my LastPass password twice.
Once when the security check said it was too simple.
The last time was a while back when LastPass was hacked back in 2015, just to be on the safe side.
4 Likes
In June 2017 the NIST released updated guidelines based on proper scientific studies. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
It’s taken far too long for many organizations to update their policies and guidelines (my parent company’s IT still makes us change our Windows Domain login every 30 days but allows people to simply alternate between two very bad passwords e.g. chevy & truck)
3 Likes
Only change your LastPass master password if LastPass tells you to. If it tells you to change it, it is for good reason (it is duplicated, was found in an online dump, etc…). Other than that, make it nice and long and complex, and leave it alone.
2 Likes
I’m still going through my LastPass account to change all my passwords. Once done, I expect that I will change the master password as well. But, I also use MFA.
2 Likes
Yeah I haven’t changed my last pass in password in a while. Use to be simple, and was duplicated as other passwords I used before. I reset it to a string of word for a three reasons, easy to remember, long, & unlikely for anyone (including those that actually know me) to guess. I’d echo what other said unless you suspect a breach or the security checker is telling you that you should change it, or you used that password elsewhere no need to change it. Honestly, outside of my office, which doesn’t support Lastpass I rarely remember my passwords. I have last pass set up, I put all my passwords in there and a few that my mom keeps for getting of hers. I’ve become a folder whore but I can always find a password when needed lol.