Earlier this week news broke that LastPass had been hacked. They released a blog post: LastPass Security Notice.
I still believe that LastPass is a great service.
I don’t hold it against them for not sending an email right away. I found out about the issue from social media, basically word-of-mouth, which, to be honest, I’m fine with. I’m just glad that when there is a problem, people on the Internet bring it up and share it right away. The only minus is that there can be some misinformation and panic that goes with it.
I like how LastPass is very upfront with any issues they have. This is the way security should be.
You should be worried about your account if your LastPass master password is weak, or if it is the same password you use on another site (which you shouldn’t be doing in the first place). The LastPass notice says that authentication hashes and per-user salts were taken along with email addresses and password reminders, so an attacker can try to guess weak master passwords offline against that data; a long, unique master password is not in practical danger.
The Idea Behind a Password Manager
All your passwords for every login should be different and generated by LastPass or whatever password manager you choose. There should only be a few passwords, maybe two or three, that you know by heart:
- Your LastPass master password.
- The password for the email account you used to sign up for LastPass.
- Any other important email login, say your backup email account.
I know too many people that use the same password on all their accounts. This is a serious security problem. Every few months we hear about a big security breach where logins/passwords have been compromised. If one of those accounts is breached, attackers try the leaked email/password pair on every other popular site (credential stuffing), so all of them are compromised at once.
The idea behind a password manager is that you only have to manage a few strong passwords that you can remember. For everything else, all your other accounts, you have LastPass generate a long, random password.
Your master password is used to log in and to unlock the vault, the encrypted storage of all your generated passwords/accounts. The vault is stored encrypted on LastPass servers (the cloud), so you can access it from multiple devices (your PC/Mac, tablets, and/or mobile phones). The master password itself is never sent to LastPass: on your device it is stretched with PBKDF2 into the key that decrypts the vault, and a separate hash derived from it is what you log in with.
Having a strong password for your main email address, or the one that’s linked to LastPass, is important, because if you forget any password, including LastPass’s, recovery falls back to this email address. So it’s important to secure this one as well and not store it in LastPass: if it lived only inside the vault, you could not get to it when you needed it to recover the vault.
Also see: How LastPass Works
Improve LastPass Security
The default settings in LastPass are good, but there are options to make them even better. Go to the following setting and raise the password iterations (the number of PBKDF2 rounds applied to your master password) from the default of 5,000 to something higher, say between 20,000 and 200,000:
Account Settings -> Show Advanced Settings -> Password Iterations
This makes it so that even if your encrypted vault or authentication hash were compromised, every guess at the master password costs the attacker that many rounds of hashing: going from 5,000 to 100,000 makes offline guessing about 20 times slower. It does not rescue a weak or reused master password; it only multiplies the cost of guessing one.
The screenshots below are from the Chrome extension of LastPass.
Show Advanced Settings
The Advanced Settings link is easy to miss; it’s at the bottom, as seen in the screenshot.
Increase Password Iterations
Scroll down to Password Iterations.
The default password iteration count is 5,000. Increase it to something larger, five digits or more. Re-encrypting your storage takes a bit (around 20 seconds), but that happens only once, when you change the setting. Note that the same stretching runs every time you unlock the vault, so very high values make logging in noticeably slower on older phones; pick a value you can live with rather than the maximum.
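As an added example (not code from this post or from LastPass), here is the key-stretching idea behind the Password Iterations setting, in Python using only the standard library. The derivation is loosely modeled on the scheme LastPass has described publicly (PBKDF2-SHA256 over the master password with the email address as salt, then one more round to produce the login hash), but the salts, key length and the server-side steps are simplified assumptions here, and the account, master password and wordlist are constructed. The block then plays attacker: given a leaked login hash, it runs a short wordlist through the same derivation and measures how many guesses per second 5,000 versus 100,000 iterations allow.

```python
import hashlib
import hmac
import time

DEFAULT_ITERATIONS = 5_000    # the LastPass default quoted in the post
RAISED_ITERATIONS = 100_000   # inside the 20,000-200,000 range the post suggests


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into the 256-bit key that unlocks the vault.

    The lowercased email address serves as the salt (an assumption for this
    example; it keeps two users with the same password from sharing a key).
    All `iterations` rounds must be repeated for every guess, which is the
    whole point of raising the setting.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round turns the vault key into the value sent at login.

    The server stores this hash (the real service salts and hashes it again on
    its side); it never sees the master password or the vault key.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def offline_guess(leaked_login_hash: bytes, email: str, iterations: int, wordlist):
    """What an attacker holding a leaked login hash has to do: pay the full
    stretching cost for every candidate. Returns the matching password or None."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(derive_login_hash(key, candidate), leaked_login_hash):
            return candidate
    return None


def guesses_per_second(email: str, iterations: int, samples: int = 5) -> float:
    """Rough single-core guessing rate at a given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", email, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    email = "alice@example.com"          # constructed sample account
    master = "correct horse battery"     # constructed sample master password
    # Constructed wordlist with the real password buried in it: a dictionary
    # password falls either way, iterations only decide how long it takes.
    wordlist = ["password", "123456", "lastpass", "correct horse battery", "letmein"]

    for iters in (DEFAULT_ITERATIONS, RAISED_ITERATIONS):
        leaked = derive_login_hash(derive_vault_key(master, email, iters), master)
        t0 = time.perf_counter()
        found = offline_guess(leaked, email, iters, wordlist)
        elapsed = time.perf_counter() - t0
        print(f"{iters:>7} iterations: recovered {found!r} in {elapsed:.3f}s, "
              f"~{guesses_per_second(email, iters):.0f} guesses/s")
```

Run it and compare the two guesses-per-second figures: the ratio is roughly the ratio of the iteration counts, which is exactly the factor by which the setting slows an attacker down. The constant-time comparison matters less for an offline attacker than for the server, but it is the right habit whenever a hash is checked.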
There is also a setting to restrict which countries LastPass can be logged in from. If you live in the US, set it so the US is the only place your account can be logged in from. This is an IP geolocation check, so expect it to block you when you travel or use a VPN; it raises the bar for a remote attacker but is no substitute for a strong master password.
I also recommend adding multifactor authentication to make your LastPass account even more secure. Keep in mind what it covers: it protects logins to your account, not a copy of your encrypted vault that an attacker has already obtained. Against that, the master password and the iteration count are what count.
Other Password Managers
The important thing is that you use one. Any one. Here are the most well known ones.
Do not use your browser’s password storage. In fact you should change your browser’s settings so that it doesn’t remember any login information at all. Everything should go through your password manager.
I like the subscription model behind LastPass. I prefer that over 1Password’s buy-to-own model. I’d rather pay bit by bit than pay $48+ outright for something that may not be supported. It costs $1 per month to subscribe to LastPass Premium if you want the mobile options. Otherwise, the desktop browser version is free.
KeePass is nice, but the encrypted database is stored locally. I like the convenience of storing my LastPass vault on their cloud servers. Again, convenience. The argument for KeePass is weaker if users then store the KeePass database file (or, worse, its key file) on another cloud service such as Dropbox.
Again, I encourage everyone, friends, family, colleagues, to all use a password manager.
- Security Now 512, Mozilla Tracking Protection: Steve Gibson breaks down the LastPass hack news.
- Sign up for LastPass