How to change your LastPass password in wake of site hack



If any of you use LastPass for your password safe you likely already know it has been compromised. Here is a step by step checklist to change your password if you forgot how.




"LastPass users are advised to change their master password in the wake of a recent hack attack, especially if that master password is weaker than it should be.


On Monday, LastPass disclosed that it was the victim of a hack that compromised email addresses, password reminders and other information. However, the hackers were not able to access the actual accounts where users store their website passwords, the company said. LastPass uses encryption to secure passwords so they can only be read on your individual Web browser.


As a password manager, LastPass can generate passwords for each of the protected websites you use. Plugged in your browser, the software can then automatically fill in the proper password for each site, saving you the effort of having to remember and manually enter the password for the scores of sites you potentially use.


To protect and access all your passwords, LastPass requires you to set up a single master password. But what if someone obtains that master password? Though the master passwords themselves are secured with a high level of encryption and were untouched in the data breach, the hackers gained access to the clues, or reminders, used to remember those passwords. As such, the right clue could help a hacker potentially guess your master password, especially if you've used one that's particularly easy to guess.


"If you've used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites you need to update it," LastPass CEO Joe Siegrist said in a blog post Monday.


Okay, so how do you change your master password, and are there further steps you can take to lock down your account? Let's tackle that first question."


The steps and more are in the article here: http://www.cnet.com/how-to/how-to-change-your-lastpass-password-in-wake-of-site-hack/?tag=nl.e214&s_cid=e214&ttag=e214&ftag=CAD3c77551


One thing I did after changing my LastPass master password yesterday was to start using the multi-factor login system that is available to LastPass users (with both free and paid accounts). I'm using the Google Authenticator app on my smartphone to provide an 8-digit pseudo-random code which has to be entered anytime I log into my LastPass (or Google) accounts. My personal laptop has been designated a "trusted" computer so I don't have to enter the code when using it, but it is needed if I were to log in from any other device.


That means that anyone trying to access my account would also need the codes which are only available on my phone. In my possession I also have 10 one-time codes in case I need to access my account from another computer and don't have access to my phone. Additional backup codes can be generated if these were to be used up.


I had put off using this multi-factor system, but now that I have it installed it gives me far greater peace of mind. Since my laptop has been exempted from the requirement (although it doesn't have to be) there is no inconvenience to me by having it in place.


I have always maintained that keeping all your passwords in one "safe" place is not safe just for the simple reason that hackers have shown they can get into pretty much anything. Personally, I list my passwords under my phone listings but I use a code that only I know how to decipher. For example, my password for Craigslist might be 12@Atwater, but under my phone listing for Craigslist I would put "@A" because I know I use the number 5 or 12 and the word "Atwater". I typically have a couple different configurations I use so it is not too difficult to remember. On a password that would not let me use a special character like "@" I might use a code of "AR2" which would tell me that the pw was "AtwateR2". You can use any combination that you will remember but that will not be obvious or easy for a hacker to determine. And those aren't my real words and symbols, if you are wondering ....?


One thing to stress is that by design, the passwords stored in your LastPass vault can only be decrypted on your computer. I believe that the folks at LastPass are being overly cautious (which is actually a good thing). The only real concern would be if you used a weak master password, or one that was used on another site, then it MAY be possible to brute force the hash.


I like to use a long string of random letters, both upper and lower case, numbers and special characters. An easy way to do this is to remember a sentence and only use the first letter in the password. For example:


I first visited Yellowstone National Park when I was 14 years old.






An online password testing site calculated it would take CENTURIES to brute force that password.




Safe Travels...

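The post above builds a master password from the first letters of a memorable sentence and reports that a strength checker put the brute-force time at centuries. The block below is an added example, not the poster's tool or any LastPass code, that carries that method through: `first_letter_password` derives the password from the sentence in the post (keeping numbers and the trailing full stop, which is an assumption about how the poster applied the rule), `brute_force_bits` estimates the search space from the character classes used, and `assess` flags the dictionary-style passwords quoted earlier in the thread before doing any arithmetic. The guess rate of 10^10 per second is a constructed figure for a naive offline attack on an unsalted fast hash; a vault protected by a slow key-derivation function would make the real rate far lower, so the year counts are an upper bound on attacker speed, not a property of LastPass.

```python
import math

# Weak, dictionary-style master passwords quoted in the thread (from the LastPass CEO's post).
WEAK_EXAMPLES = {"robert1", "mustang", "123456799", "password1!"}


def first_letter_password(sentence: str, keep_numbers: bool = True,
                          keep_punctuation: bool = True) -> str:
    """Take the first character of each word; whole numbers and trailing punctuation
    are kept (assumed reading of the poster's rule) so digits and symbols survive."""
    out = []
    for word in sentence.split():
        core, trailing = word, ""
        while core and not core[-1].isalnum():
            trailing = core[-1] + trailing
            core = core[:-1]
        if not core:
            continue
        out.append(core if (core.isdigit() and keep_numbers) else core[0])
        if keep_punctuation:
            out.append(trailing)
    return "".join(out)


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover, judged from which character classes appear."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the exhaustive search space: length * log2(alphabet)."""
    return len(pw) * math.log2(charset_size(pw))


def years_to_exhaust(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst case for the attacker: every candidate tried. Rate is a constructed assumption."""
    seconds = 2 ** brute_force_bits(pw) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def assess(pw: str, guesses_per_second: float = 1e10) -> tuple[str, float]:
    """Dictionary hits are weak regardless of length; otherwise bucket by estimated years."""
    if pw.lower() in WEAK_EXAMPLES:
        return ("dictionary", 0.0)
    years = years_to_exhaust(pw, guesses_per_second)
    if years < 1:
        return ("weak", years)
    if years < 100:
        return ("moderate", years)
    return ("strong", years)


def main() -> None:
    sentence = "I first visited Yellowstone National Park when I was 14 years old."
    pw = first_letter_password(sentence)
    print("derived:", pw, "bits:", round(brute_force_bits(pw), 1))
    for candidate in (pw, "mustang", "password1!", "Yellowstone14"):
        verdict, years = assess(candidate)
        print(f"{candidate!r:20} {verdict:10} {years:.3g} years")


if __name__ == "__main__":
    main()
```

The entropy figure only describes blind search; a sentence copied from a famous quotation or song lyric would be guessed far sooner than the character count suggests, so the sentence should be personal rather than well known, as the post's example is.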

The only real concern would be if you used a weak master password, or one that was used on another site, then it MAY be possible to brute force the hash.



I agree and that's why my LastPass master password is both complex, nonsensical and used by me on no other site and the password hint that I've stored would have no meaning to anyone other than me.


  • 1 month later...

Another tip from a professional.

Here is what I do. Open up Notepad, make a list of sites, email, banks, etc.; underneath, type the password. Use as complicated a pw as possible,

such as $tke&@34. Different for each site. Never use the same for 2 sites. After your list is complete, X out; the system offers save/don't save. Save, file name - pw,

save to desktop. Then get a USB stick, insert it, send the file to the stick. Check the stick to make sure it's on it. Delete the file on the desktop. In a month or so, go to each site and change the pw by this method: insert the stick, open up the file, under each pw type new = type a new one. Go to the site, type in the new one, keeping the old one until you get to have a 3rd pw for that site, just in case you have any problem and are asked what is a pw that you used previously. Erase the old one. X out, it asks to save changes, click yes.

There are way too many sites being hacked; PW sites and programs are at the top of the list for hackers to try to hack.


Having permanent memory problems all my life has given me a keen sense of what information I may or may not be able to retrieve when it is important. No matter how complex the schema being built as a maze to access one's passwords and logins, it can be traversed by someone or something.


With well over 1300 separate logins and passwords in addition to a lot of encrypted notes about various things, it is impossible to maintain them in any hardcopy form whether it be on actual paper or electronic notepad. I need the info where I am when I need it and not just when I am at the desktop.


I also need for it to be accessible by my family if I am suddenly incapacitated or dead. I use Roboform and have since its inception and have been almost completely pleased by it. I have also used LastPass and tried a few other similar tools and have stayed with Roboform for a lot of reasons well beyond their protection.


Just saying, there are alternatives but most important, if it is something that family may need to know, find a schema that they can use without your brain being involved in the process.
