Changing the password iterations fixed the nagging password change prompt for me, but broke something else. I use the Identities feature and have four different identities. Now, only after changing the password iterations, every time I log back into LastPass, it reverts to "All" identities, even if I was logged in using a specific one previously. Not only that, but the Chrome Extension displays "All" multiple times in the list of identities, so I know it is corrupted. I cleared the extension's local cache, killed all LastPass sessions, and even uninstalled/reinstalled the extension, but the Identities feature is not working right still. I have opened a case for this with LogMeIn. I'll update here with results.
I am getting seriously annoyed with the nagging every time I use LastPass; if I wanted to be nagged several times daily I would get married.
Please put an option in settings to disable this once and for all.
I should not have to go complete some wildly technical task; a tick box in settings along the lines of "don't nag me to change master password, I know and accept the risks" will suffice.
For the benefit of the well-meaning, but (IMO) misguided LastPass people who added this time-based password nag, I point out that the US National Institute of Standards and Technology (NIST) has formally concurred with a large number of cybersecurity researchers to say that forcing password changes on a time basis, in the absence of evidence of compromise, is hostile to security. In other words, suggesting people change their LastPass password periodically, in the absence of any indicators of compromise, will tend to degrade, not improve, user security. See NIST 800-63-3, part B, section 10.2.1 (https://pages.nist.gov/800-63-3/sp800-63b.html#sec10). There are also interviews out there with the NIST people who came up with the idea of changing passwords periodically back at the time of the first version of 800-63. They've said that it seemed like a good idea at the time, but they had no data one way or another. Now that we have data, it's clear that this was a well-intentioned, but detrimental, security practice.
I read somewhere that the nag was supposed to be used only for business account users and not for personal accounts. That doesn't excuse it, but it ought to be a policy setting that the business can employ.
I had not changed my master password in over 5 years, so at first I thought this nag was OK, but eventually grew annoyed enough to change my master password. Though I must say it was strange that the nag only appeared on one of my two computers.
Does anyone know how long a period elapses before the nag appears?
Side note: I should also mention that when I finally did change my master password, it worked once, but 3 hours later LP told me my new password was not correct. Nor was my old. Nor could I revert to previous (they promise you 30 days to be able to revert). This was MOST disturbing! Since I have a premium account, tech support eventually was able to revert to my previous blob and therefore my old password. A very unpleasant 2 days during which I tried out 1password.
I started work in IT back in 1979, on IBM mainframes. Even then users were forced to regularly change passwords, and even then and ever since, I have maintained it's a completely ludicrous thing to insist upon in the mistaken belief that it enhances security. All it did was keep the admins in charge of resetting passwords permanently busy because people were forever forgetting their recently changed password. People don't spend months attacking a particular user to try and find their password. If yours is easy to guess, or written down somewhere, or whatever, and someone finds what it is, they are in, and it makes no difference whether you changed it last week or last year.
Almost every time I log in, I get a notification that I need to change my password, because it's quite old.
I don't want to change it, and I will not. My unique password, which is used only for the LastPass master password, contains upper-lower-symbols-numbers and is longer than 50 characters, and after all that, I have two-factor auth with my mobile number.
I absolutely don't need to change it, so just don't spam me with it every time I log in...
Agree with you, I also hate this annoying thing. My password contains ~40 characters, and I also don't want to change it. I would have given up the software a long time ago, but I have a lot of important passwords there and I don't know how to transfer them to another system, and I don't want to bother. I'm a developer and owner of 30 sites like this. Imagine what it would be like if I lost access to them. We have to put up with these shortcomings.
See this link for a workaround:
Why should we have to resort to "workarounds" for any well-designed software? I am also concerned that the whole vault opens when you click on the LastPass icon within a website's login page. This is new and also very annoying. In the past, if you were not already logged into LastPass and were wanting to log in to a site, you could click on the LastPass icon attached to the username and password fields on the website's login page, and the LastPass master password login box would open. At that point you would enter your LastPass master password, the login credentials would fill in automatically on the website you were accessing, and you would be good to go. Now, the entire vault opens first, and you have to close this down to proceed with your login. Combine this with the nag screen to change your password and the whole thing pretty much blows. I don't think anyone at LastPass is listening to us, which is the most discouraging part of this mess.