As I write this, the folks at LastPass recently announced that they saw unexplained traffic on their network and could potentially have seen some of their internal data compromised. It’s important to note that no user accounts have been hacked, and no unencrypted user account information has been compromised.
However, to err on the side of caution, they are recommending that we all change our master passwords.
Here’s how you do that.
Become a Patron of Ask Leo! and go ad-free!
Change your LastPass master password
Go to LastPass.com on the web and click on the log-in link.
Log in with your current LastPass password.
After your vault is displayed, click on Account Settings.
It should come up with the “General” tab selected. Click on Change Master Password.
Enter your old password, to confirm that you have the authority to make the change, and then enter your new master password twice.
I recommend using a multi-word passphrase. Passphrase, because it’s longer which is more secure. Multi-word, because that’s easier to remember. The phrase doesn’t need to make sense; in fact, it’s probably better if it doesn’t, as long as it’s easy for you to remember.
Shortly after making the change, you should receive an email that notifies you that a change was made. This is a security measure that would alert you to a password change that you did not initiate.
Depending on your settings, and how many other locations in which you have Lastpass in use, you may need to re-login to Lastpass using your new master password.
Download (right-click, Save-As) (Duration: 2:08 — 2.0MB)
Subscribe: Apple Podcasts | Android | RSS
Shirley
I do not know what LastPass is.
bill
LastPass is software that lets you create, collect, and store the passwords for all the things you need them for. It allows you to have new ones for everything without needing to remember them all.
Leo
Password management software. More here: https://askleo.com/lastpass_securely_keep_track_of_multiple_passwords_on_multiple_devices/
Don Taber
LastPass sent all users an e-mail that said, “We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data [were] taken, however other data, including email addresses and password reminders, was compromised. We are confident that the encryption algorithms we use will sufficiently protect our users.”
I worked out my master PW over the first 5 of the 10 years I’ve used LastPass. It is so long and cryptic that “HowSecureIsMyPassword.net” says it would take a PC 526 years to figure it out. I have given the PW to only one person, my daughter, in case of my death. I would prefer not to have to figure out AND commit to memory AND give to my daughter another PW. From what I read in their notice, it doesn’t sound like anyone gained access to the passwords, which suggests I don’t need to change it. What am I missing?
Leo
It’s a safety measure, nothing more. I think that with a sufficiently secure password you’re most likely still safe. I changed mine because I’d been meaning to, specifically to make it longer and more secure. Folks with simple passwords may be the most at risk, but even then I don’t think there’s a real risk that’s been identified.
Bob
In trying to change my LastPass Master Password, I get the following error:
Google Authenticator authentication required! Upgrade your browser extension so you can enter it.
Can’t figure it out
bob
I figured it out. I was using an older LastPass version. I am now using ver 3.1.95. Once I reinstalled LastPass with the new version, all went well.
Mike Regan
So what then IS considered a safe password. Mine is 21 characters including all lowercase letters and 5 numbers. How would you rate this?
Mark Jacobs
That would rate as a very good password. My password is very similar and even a bit shorter.
https://askleo.com/how_do_i_choose_a_good_password/
As the artice states
“In fact, even longer pass phrases – something like perhaps:
‘correct horse battery staple’ [26 lower case letters. But don’t use the alphabet 🙂 ]
are perhaps best of all.”
HA
I can’t tell until I see it.
Don’t worry, I won’t tell it to anyone else.
BTW, what banks do you have accounts at?
Steve
Mike: Microsoft has a password checker page. Check it out.
https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx
AMIRALI SADAK
Dear Sir ,
Thank you for guiding how to change my password. I always get difficulty for changing my pass word because first of all I understand little the instructions because I am very new to how to operate my computer I am trying to go & join the computer school very eager to learn computer technology but I find very difficult to remember as I am 70 years old. How can I get a booklet which I can read slowly & follow it please advice me.
Thanks God Bless you.
Mike
You say “no user accounts have been hacked, and no unencrypted user account information has been compromised”, but that’s not what LastPass said. They said “No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised”. The implication is that they found no evidence of loss of user data, since they do not say their systems properly monitor if something is taken or not. Nor do they say what “compromised” means.
One potential concern is they and possibly you have vested interests in playing things down. I note your account is less alarming than the one from LastPass. Can you say you have no interest in the matter; perhaps you should say that either way?
If the vaults were not ‘compromised’, why are they suggesting a change of master password? What do they mean, “to be on the safe side”.
How could users have an unbiased account of the status of the security of their data?
Regards,
Mike
Leo
Not sure what you’re looking for from me. I have no vested interest in LastPass, and if you choose to move to a different system I certainly won’t object. My comments stem from the fact that I believe that, while this is of course serious – any breach is – there’s actually little impact on users of LastPass. By that I mean that you and I are not at any significantly additional risk than we were before the hack. My frustration is that the general technology press likes to make end-of-world headlines and thus overstate the impact (or at least imply that the impact is far greater than it actually is). As a result, people – people that visit Ask Leo! – panic and make ill-conceieved decisions based on inaccurate information.
The hashes of user’s master passwords were stolen. (https://glossary.askleo.com/hash/) That is NOT NOT NOT the same as actually having the password – which were NOT stolen because LastPass doesn’t store your password – only the hashed value of the password. Having the hash does not allow the hackers to gain access to your LastPass account.
With one exception: if your master password was WEAK – as in, say, one of the top 1,000,000 most common passwords in general, then **in theory** the hackers could mount some kind of a brute force attempt to determine your passwords. This is still extremely unlikely, given the hashing algorithm that LastPass uses. But since the theory exists, it is easily thwarted by changing your master password. This completely invalidates the hash value the hackers have in their hands. So “to be safe” means doing that, and also making sure at the same time you choose a sufficiently lengthy/complex password when you do it.
But, like I said, if you don’t feel convinced, then absolutely switch to another password manager. Find one you trust.
I trust LastPass. Still.
shiva.s
please my prablem solvu me
restart my Google acount
Mark Jacobs
Ask Leo! cannot recover hacked accounts, lost or forgotten passwords. Please see this article for more information on your options:
http://ask-leo.com/would_you_please_recover_my_password_my_account_has_been_hacked_or_ive_forgotten_it.html
Eddie
Breech is not breach.
All the rest is fine.
Regards
E
Mark Jacobs
No exactly. All the rest was not fine, breach needed fixing, but so did conceive 🙂