Tuesday, May 10, 2011

Change your Passwords, Boomers

I recently extolled the virtues of password managers to help us remember all of our many and varied passwords. As I said in that post, I really can't remember every password I've created. Some people even use the same password for everything, taking a risk with their security.

This morning I received a message in my inbox that LastPass, the company I used as an example of an excellent password manager, may have had its master passwords breached. Here is the text of the message. If you took my advice and actually downloaded and used LastPass, then you probably got a message like this too:

Dear LastPass User,

On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.

As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.

Please visit https://lastpass.com/status for more information.

Thanks,
The LastPass Team

My suggestion to everyone who read my blog and downloaded LastPass: change your master password. It's easy to do. At the top of your web page you'll find the star symbol that represents LastPass.

This is how the LastPass symbol looks on Google:

Click it and this popup will appear:

Log in to the site with your current Master Password. Unfortunately, I can't show you this part because it would breach my own security! Once you've logged in, go to Account Settings. A blue window will pop up with your current password information. Click on Change Master Password and follow the steps given there. You'll be asked to create the password, repeat it, and provide some memory hints so you can remember it. That's really all there is to it.

This company and the others out there like it provide a valuable service, but even companies that spend lots of money and time creating ways to circumvent hackers can sometimes be vulnerable. LastPass got the word out to the press and to the public fairly fast, as soon as the company confirmed that there were problems.

Am I sorry that I told you about password managers? No, I'm not. I will continue to use them because they save me time and effort at individual sites. The bottom line: you do have to be careful to take reasonable action if you hear that a password manager has been hacked.
