LastPass Password Manager Hacked

by | Jun/16/2015

LastPass password manager announced that they were hacked. That means that attackers might be able to find out all of your passwords. Do this immediately: Change your LastPass password.  If you use any password manager, LastPass or otherwise, two of the most important steps to take include:

First, never put your most sensitive passwords into any password manager. That means passwords to your banks, online trading accounts, and any other websites that aren’t worth exposing to any increased risk. More information here: Passwords are Difficult to Remember

Second, always enable the two-step login process on your password manager. An example of this solution: You enter a username and password into a website, and then your mobile phone buzzes and tells you to enter the code such as 777888 to complete the login process. That way, even if an attacker learns your password, they will need to have the device you are using for two-step login. In this example, an attacker would likely need to steal your mobile phone too before they could log on, even if they know your username and password. Unless someone in close proximity to you is a member of the group that hacked LastPass, then they might need to travel a long way in order to steal your phone from you.

With the LastPass breach, as of this moment, LastPass thinks that the hackers stole passwords, but that the passwords are all encrypted. They think that, as long as an attacker doesn’t know your password to LastPass, then the attacker won’t be able to use your passwords at any of your protected sites. In addition, if you use two-step login on LastPass, you are quite possibly protected even if the attacker does learn your LastPass password.

If you receive an email that appears to be from LastPass instructing you to “Click Here to Reset Your Password”. Do not click; it might be a trick.

Password managers are very helpful. They speed up workflow and prevent problems such as a user using the same password at more than one website. When using a password manager, just be sure to follow the two steps above. Be selective when choosing what passwords to store, and enable two-step login. Find more information about how to handle passwords here: What to Do About Your Passwords

Forward this to everyone you know who uses a password manager. Additionally, forward it to everyone you know who is not using a password manager – they probably should be using one; just be sure they follow the guidelines above.  Thank you for helping keep the world a safer place to live and work!

Password Managers and Two Step Logins

After the LastPass announcement, many readers have reached out with questions about password managers and about two step login. Important points:
First: Just because LastPass discovered, and announced their breach, does not mean that other password managers aren’t breached as well.

Second: You enabling and configuring two step logon to LastPass, or any other password manager, is intended to make authenticating to that password manager more secure. That strategy is designed to make it more difficult for an attacker to be able to use your password manager to discover or use your passwords to websites.

Remember, a password manager’s function is to store your passwords for you so that you do not need to type those passwords into websites.

Password Managers are designed to be a tool that provides more of a convenience than security. A password manager also makes it easier for you to use secure password habits. For example, you can use different passwords for each of your websites rather than using the same password on multiple sites, without you needing to remember all of your passwords.

Keep in mind that an attacker could potentially learn your passwords in other ways too.

Therefore, you still need to enable 2-step logon on sites too. Websites such as PayPal, DropBox, GoogleApps, and the many others support two step logon. Now, no matter how an attacker learns your password, the two step login on specific sites is designed to help protect you from bad guys attempting to authenticate to those sites using your password.

Third: Configuring a password manager, or a website, for two-step logon will hopefully be an easy process. However, if you run into difficulty, don’t give up. Enlist the assistance of someone e-savvy who has experience setting up the two-step logon. Alternatively, you might choose to contact technical support.

Most likely, everything will go smoothly when you follow the instructions. If you decide to search Google for answers to any questions that you have about configuring two step logon on websites and for your password manager, be sure to use Google’s search tools to restrict the search to recent postings. Finding new instructions obviously works better than following instructions, without your being aware that they are old, outdated instructions that do not work.

Please post your comments below…