Secure your LastPass account by doing these two things today


I’ve written blog posts about LastPass, the online secure password manager. I have been using it for quite some time, and I have set it up for several of my clients. You may have heard recently that LastPass may have been compromised. I wanted to clear up what (may have) happened, and what you need to do if you use LastPass (and yes, I continue to highly recommend that you use it).


I’m not going to go into all the details of how LastPass works and why I recommend it – that is all covered in great detail in my blog post where I wrote about it (here). My purpose here today is for you to understand that it’s still fine to use, and what you need to do if you already have a LastPass account.

LastPass dominated the “tech news” headlines recently. The details can get pretty technical. The underlying important facts here are these:

1. LastPass is a high-value target. Think about it – they store all of the important passwords for probably hundreds of thousands of people all around the world. If someone with malicious intent got access to all of that information, it would be hard to place a value on what it would be worth on the black market. So it’s very important that LastPass gets their security right.

2. LastPass does it right. LastPass does everything possible to make sure that data remains confidential. Even LastPass themselves cannot access it, because it’s all encrypted; they take precaution to a whole new level. That’s why, if there is any entity on the internet that you can trust, it’s LastPass (in my opinion, based on what I know and have heard about them). Not only because of their integrity and business philosophy, but also because of the security measures and procedures they have in place.

You may have heard or read news stories that include phrases such as “LastPass got hacked” or “LastPass has had a data breach” or something similar. For the most part, that is media sensationalism.

What actually happened, based on a report in the LastPass blog announcing the incident, was this: “…our team discovered and blocked suspicious activity on our network.”

Furthermore (again, directly from LastPass): “…we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.”

Two things that pertain to LastPass users may have been compromised, and could be of concern:

  1. The user’s email address
  2. The password hint

If a hacker has your email address, that does not give him access to your LastPass account. He also needs your password. Would your password hint give too much information about what your password is? Personally, I don’t like using password hints at all, because it gives the bad guy something to work with. But frankly, for a good, strong password there is no hint anyway. I mean, if your password is “mPi4h7c$jrb&%” how do you come up with a hint for that? There is no hint that would work. But if your password is Florida, and your password hint is “the sunshine state”, you might be in trouble.

This just emphasizes the importance of using a password that is both unique (not used for any other account) and strong (random digits, symbols, and upper- and lower-case letters).
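To make the “unique and strong” advice concrete, here is an added example (not code from the original post or from LastPass) that estimates how large a search space a password is drawn from, flags a master password that is reused elsewhere or too short, and generates a random one the way a password manager would. The `min_bits` threshold and the `other_passwords` set are assumptions for illustration; the entropy figure is a ceiling that only holds for randomly generated strings, so a dictionary word like “Florida” is far weaker than its number suggests, and any hint that reveals the word makes the number irrelevant.

```python
import math
import secrets
import string

# Character classes the estimate recognises. A password that uses all four
# is drawn from a 94-symbol alphabet (26 + 26 + 10 + 32).
_CLASSES = [
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
]


def charset_size(password: str) -> int:
    """Size of the alphabet the password appears to be drawn from."""
    return sum(len(chars) for _name, chars in _CLASSES
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Upper bound on guessing work: log2(alphabet_size ** length).

    Meaningful only for randomly generated passwords; a word such as
    'Florida' scores ~40 bits here but falls to a handful of guesses
    once a hint ('the sunshine state') or a dictionary is involved.
    """
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def check_master_password(password: str, other_passwords: set[str],
                          min_bits: float = 80.0) -> list[str]:
    """Return the problems found; an empty list means the password passes.

    `other_passwords` stands in for the passwords used on other accounts
    (assumed input), so reuse can be detected.
    """
    problems = []
    if password in other_passwords:
        problems.append("reused: this password is also used for another account")
    if entropy_bits(password) < min_bits:
        problems.append(f"weak: estimated {entropy_bits(password):.1f} bits, "
                        f"need at least {min_bits:.0f}")
    return problems


def generate_master_password(length: int = 16) -> str:
    """Random password from all four classes, using the OS CSPRNG (secrets)."""
    alphabet = "".join(chars for _name, chars in _CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject the rare draw that misses a class, so the estimate above holds.
        if all(any(c in chars for c in candidate) for _name, chars in _CLASSES):
            return candidate


if __name__ == "__main__":
    # Constructed sample values from the post, not real credentials.
    for pw in ("Florida", "mPi4h7c$jrb&%", generate_master_password()):
        print(f"{pw!r:20} ~{entropy_bits(pw):5.1f} bits "
              f"{check_master_password(pw, {'Florida'})}")
```

Running the block prints the two example passwords from the post and a freshly generated one; “Florida” is reported as both reused and weak, while the 13-character random password and the generated 16-character one pass the 80-bit threshold.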

What action should you take?

To make sure your LastPass account is completely safe, I recommend doing at least two things (and I’ll suggest a third action if you like to be REALLY cautious):

First, change your master password. Make it a good one, as I mentioned above. But then that brings up the question, how do you remember it? You could write it on a little piece of paper and stick it in a drawer or in your wallet. Of course, don’t label it “LastPass master password”. Just write it down somewhere so that you know where to get it but if someone else finds it they won’t know what it is.

In fact, even if you write it down and store it somewhere, you could include some fake characters at the beginning or end of the password, and only you would know that they don’t belong there. For example, if your actual password is yT5k9&3nMdCC you could add a random 4-digit number to the end so that what is written down is yT5k9&3nMdCC8346. Then you might at some point in the future try to use that full password and when it doesn’t work, it will remind you that you added the 4 numbers at the end to make it safer.

To change your password, go to lastpass.com and log in. On the left side, click on Account Settings. In the new window, click on “Change Master Password”. Enter your old password, then your new password twice and click “Save Master Password”:

[Screenshot: the Change Master Password dialog in LastPass Account Settings]

Second, enable country-restricted login. Let’s be honest here. I have nothing against the nice folks of Russia and China, but if someone is going to try to hack into your LastPass account, there’s a good chance the hacker is based in one of those two countries. You can set up your account so that LastPass only allows login from the country where you live. For me, that’s the United States. That will immediately eliminate any attempted logins from any other country, even if the foreign hackers were to figure out your password (which they won’t because it’s a good one, right?).

To restrict logins by country, go to lastpass.com and log in. On the left side, click on Account Settings. In the new window, click on “Show advanced settings”. Check the box “Only allow login from selected countries” and click Update (I also selected Ecuador since we travel there sometimes):

[Screenshot: the “Only allow login from selected countries” option under advanced settings]

The third thing you can do – if you really feel like you need to go above and beyond in terms of security – is to enable two-factor authentication. I won’t go into all the details on that because it could be a whole blog post in itself. But basically, this means that if the hacker were in your same country, AND he came up with your email address and password, he still couldn’t log into your account unless he had your smartphone. Just another layer of protection if you have data in your LastPass account that is critical.

Bottom line is: LastPass is safe, and continues to be the best password manager (in my opinion). It’s also free, unless you want to use it on your smartphone too (and even then it’s only $12 annually). If you have trouble coming up with those long random passwords, it will come up with them for you. There really is no excuse for using weak passwords anymore.


Marianne Boretz
June 22nd, 2015

My problem is that what I thought was my master password no longer works and the hint is not at all helpful.

So I can’t change my password! My laptop logs me in automatically. But I can’t access LastPass on my other computers.

I’ve been told that I need to go to the LastPass website and set up an entirely new account.

Just checking — is there any way I can access the password? I think not, though if my laptop is logging me in automatically, then the password is stored somewhere, no? If so, where?

Thanks for any advice you may be able to give.

Scott Johnson
June 22nd, 2015

Hi Marianne – Here is the page on the LastPass site that addresses this issue:
https://lastpass.com/support.php?cmd=showfaq&id=375

If you have a long list of accounts/passwords in your LastPass account, and since you can still log in to your account, you might consider printing the list of accounts and passwords just to make it easier in case you need to refer to that if you do end up creating a new LastPass account.

marge201
June 22nd, 2015

Had to get an email hint, which I didn’t need, and then tried again and it took the password that I changed it to. I did the country thing, too, only USA. If I go anywhere, I’ll remember to change that. Thanks so much, Scott, for your invaluable advice.