Question from Nancy: I have a big problem Rick, and I really need your help.
I tried logging into LastPass this morning and it wouldn’t let me. Every time I try it says my master password is incorrect even though I know it isn’t.
Do you know of any way I can get it to let me log back in?
I clicked on “Forgot Password” and it asked for my email address. It said I’d get an email that would help me reset my password but I never received it after trying three times.
I searched Google for help and found this Help page:
I tried everything on that page but nothing worked.
I don’t know what to do at this point. I don’t want to have to reset my account and start over because I have a lot of passwords in there that I don’t know what they are. This is a real mess.
Please help if you can because LastPass won’t help me at all!
Rick’s answer: I feel terrible for your predicament, Nancy. Unfortunately, this happens a lot and it rarely ends well.
LastPass never helps in these situations, and they explain why in this excerpt from the page you linked to above:
“Why can’t LastPass Support reset the master password for my account?
LastPass Support has no knowledge of a user’s master password. It is not possible for LastPass Support to reset or change a user’s master password if it is forgotten.
All encryption and decryption occurs locally on the user’s device, not on our servers. This means that your sensitive data does not travel over the Internet and never touches our servers. Your data is only transmitted to LastPass once it is encrypted. We don’t have access to your sensitive data, nor could anyone who potentially abuses our systems get access to it. We have zero knowledge of your confidential information, including your master password. For this reason, LastPass Support does not have the ability to reset your master password if it is ever lost or forgotten.”
That means you’re pretty much on your own if the recovery methods LastPass provides fail to work, and unfortunately they fail quite often, as you have discovered.
I wish I had good news for you Nancy, but I’m afraid I just don’t.
At this point the only thing you can do is visit each website that had its password stored in LastPass and try to reset the passwords from there, one by one.
And that brings me to this very important point…
I strongly recommend that you reset those passwords as soon as possible.
Also, if any of the affected accounts are financial in nature you need to contact those companies immediately and let them know that your accounts have potentially been breached.
I have no way of knowing for sure but I have a strong hunch that a scammer has tricked you into handing over your LastPass Master Password via a phishing attempt.
These phishing ploys are very effective and it’s very easy to fall for them without even realizing it.
The reason I believe that’s what happened is because…
1 – The password you know to be correct is not working.
2 – The email address you used with LastPass isn’t receiving the password reset emails.
Those two things taken together strongly indicate that your account was hijacked via a phishing attempt.
Again, I am so very sorry this happened to you. I know it probably isn’t much consolation but you’re certainly not alone.
I receive these types of requests for help on a regular basis, and not just from LastPass users. Every password manager has similar vulnerabilities.
I have written several posts explaining why I never recommend the use of password managers. You will find them right here if you’re interested in reading them, and I recommend that you do before deciding whether to continue using LastPass (or some other password manager).
Bottom line: I am so very sorry that I’m unable to help you, Nancy. I really wish I could but I’m afraid there’s nothing more you can do besides the things you’ve already tried.
Update from Nancy: Thanks, Rick. I knew in my gut that this would be your answer, but I was hoping against hope. Thanks for taking the time to write such a thorough answer.