As I write this, the folks at LastPass recently announced that they saw unexplained traffic on their network and could potentially have seen some of their internal data compromised. It's important to note that no user accounts have been hacked, and no unencrypted user account information has been compromised.
However, to err on the side of caution, they are recommending that we all change our master passwords.
Here's how you do that.
Change your LastPass master password
Go to LastPass.com on the web and click on the log-in link.
Log in with your current LastPass password.
After your vault is displayed, click on Account Settings.
It should come up with the "General" tab selected. Click on Change Master Password.
Enter your old password, to confirm that you have the authority to make the change, and then enter your new master password twice.
I recommend using a multi-word passphrase. Passphrase, because it's longer, which is more secure. Multi-word, because that's easier to remember. The phrase doesn't need to make sense; in fact, it's probably better if it doesn't, as long as it's easy for you to remember.
Shortly after making the change, you should receive an email that notifies you that a change was made. This is a security measure that would alert you to a password change that you did not initiate.
Depending on your settings, and on how many other locations you have LastPass in use, you may need to log in to LastPass again using your new master password.
I do not know what LastPass is.
LastPass is software that lets you create, collect, and store the passwords for all the things you need them for. It allows you to have new ones for everything without needing to remember them all.
Password management software. More here: https://askleo.com/lastpass_securely_keep_track_of_multiple_passwords_on_multiple_devices/
LastPass sent all users an e-mail that said, "We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data [were] taken, however other data, including email addresses and password reminders, was compromised. We are confident that the encryption algorithms we use will sufficiently protect our users."
I worked out my master PW over the first 5 of the 10 years I've used LastPass. It is so long and cryptic that "HowSecureIsMyPassword.net" says it would take a PC 526 years to figure it out. I have given the PW to only one person, my daughter, in case of my death. I would prefer not to have to figure out AND commit to memory AND give to my daughter another PW. From what I read in their notice, it doesn't sound like anyone gained access to the passwords, which suggests I don't need to change it. What am I missing?
It's a safety measure, nothing more. I think that with a sufficiently secure password you're most likely still safe. I changed mine because I'd been meaning to, specifically to make it longer and more secure. Folks with simple passwords may be the most at risk, but even then I don't think there's a real risk that's been identified.
In trying to change my LastPass Master Password, I get the following error:
Google Authenticator authentication required! Upgrade your browser extension so you can enter it.
Can't figure it out
I figured it out. I was using an older LastPass version. I am now using ver 3.1.95. Once I reinstalled LastPass with the new version, all went well.
So what then IS considered a safe password. Mine is 21 characters including all lowercase letters and 5 numbers. How would you rate this?
That would rate as a very good password. My password is very similar and even a bit shorter.
https://askleo.com/how_do_i_choose_a_good_password/
As the article states
"In fact, even longer pass phrases - something like perhaps:
"correct horse battery staple" [26 lower case letters. But don't use the alphabet :) ]
are perhaps best of all."
I can't tell until I see it.
Don't worry, I won't tell it to anyone else.
BTW, what banks do you have accounts at?
Mike: Microsoft has a password checker page. Check it out.
https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx
Dear Sir ,
Thank you for guiding how to change my password. I always get difficulty for changing my password because first of all I understand little the instructions because I am very new to how to operate my computer. I am trying to go & join the computer school, very eager to learn computer technology, but I find it very difficult to remember as I am 70 years old. How can I get a booklet which I can read slowly & follow? Please advise me.
Thanks God Bless you.
You say "no user accounts have been hacked, and no unencrypted user account information has been compromised", but that's not what LastPass said. They said "No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised". The implication is that they found no evidence of loss of user data, since they do not say their systems properly monitor if something is taken or not. Nor do they say what "compromised" means.
One potential concern is they and possibly you have vested interests in playing things down. I note your account is less alarming than the one from LastPass. Can you say you have no interest in the matter; perhaps you should say that either way?
If the vaults were not "compromised", why are they suggesting a change of master password? What do they mean, "to be on the safe side".
How could users have an unbiased account of the status of the security of their data?
Regards,
Mike
Not sure what you're looking for from me. I have no vested interest in LastPass, and if you choose to move to a different system I certainly won't object. My comments stem from the fact that I believe that, while this is of course serious - any breach is - there's actually little impact on users of LastPass. By that I mean that you and I are not at any significantly additional risk than we were before the hack. My frustration is that the general technology press likes to make end-of-world headlines and thus overstate the impact (or at least imply that the impact is far greater than it actually is). As a result, people - people that visit Ask Leo! - panic and make ill-conceived decisions based on inaccurate information.
The hashes of users' master passwords were stolen. (https://glossary.askleo.com/hash/) That is NOT NOT NOT the same as actually having the password - which were NOT stolen because LastPass doesn't store your password - only the hashed value of the password. Having the hash does not allow the hackers to gain access to your LastPass account.
With one exception: if your master password was WEAK - as in, say, one of the top 1,000,000 most common passwords in general, then **in theory** the hackers could mount some kind of a brute force attempt to determine your passwords. This is still extremely unlikely, given the hashing algorithm that LastPass uses. But since the theory exists, it is easily thwarted by changing your master password. This completely invalidates the hash value the hackers have in their hands. So "to be safe" means doing that, and also making sure at the same time you choose a sufficiently lengthy/complex password when you do it.
But, like I said, if you don't feel convinced, then absolutely switch to another password manager. Find one you trust.
I trust LastPass. Still.
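An added illustration of the reply above (not part of the original comment, and not LastPass's code): a stored hash only gives up the password when the password is on a list of common ones, and a changed master password produces a record the old password no longer matches. PBKDF2-HMAC-SHA256 stands in here for "the hashing algorithm", which the page does not name; the iteration count, salt, word list and passwords are constructed for the demo.

```python
import hashlib
import hmac

ITERATIONS = 5000  # constructed value, kept low so the demo runs quickly


def stored_hash(password: str, salt: bytes) -> bytes:
    """What a service keeps on file: a slow, salted hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def login_ok(attempt: str, salt: bytes, record: bytes) -> bool:
    """Re-hash the attempt and compare it to the record in constant time."""
    return hmac.compare_digest(stored_hash(attempt, salt), record)


def found_in_wordlist(record: bytes, salt: bytes, wordlist):
    """Return the common password that produces this record, or None."""
    for guess in wordlist:
        if login_ok(guess, salt, record):
            return guess
    return None


# Constructed sample data: a tiny "most common passwords" list and a salt.
COMMON = ["123456", "password", "qwerty", "letmein", "dragon"]
SALT = b"user@example.com"  # assumption: a per-user salt


def demo() -> dict:
    weak = stored_hash("letmein", SALT)
    strong = stored_hash("plum anvil sixty harbor quilt", SALT)
    # The user with the weak password switches to a long passphrase.
    changed = stored_hash("velvet cactus nine orbit lamp", SALT)
    return {
        "weak_guessed": found_in_wordlist(weak, SALT, COMMON),
        "strong_guessed": found_in_wordlist(strong, SALT, COMMON),
        "old_password_still_works": login_ok("letmein", SALT, changed),
        "new_record_guessed": found_in_wordlist(changed, SALT, COMMON),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
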
please my problem solve me
restart my Google account
Ask Leo! cannot recover hacked accounts, lost or forgotten passwords. Please see this article for more information on your options:
http://ask-leo.com/would_you_please_recover_my_password_my_account_has_been_hacked_or_ive_forgotten_it.html
Breech is not breach.
All the rest is fine.
Regards
E
Not exactly. All the rest was not fine, breach needed fixing, but so did conceive :)