7 Lessons Learned from the LastPass Hack

When a password manager that generates complex passwords to help keep your accounts secure gets hacked, it's just another startling reminder that no one is immune to today's data breaches.

In light of the recent breach at password manager LastPass, in which user emails and encrypted master passwords were compromised, we rounded up some important lessons to keep in mind following the incident.

1. Always Change Your Password Following a Breach

Following the LastPass breach, CEO Joe Siegrist wrote in a blog post that, while the company believed user accounts had not been accessed, it recommended that all users change the master password they use to access their account.

This should be done any time a user has an account with a site or company that has been hit by a data breach. In fact, passwords should also be changed frequently, even without any known breach, as a preventative measure.


2. Encryption Is Your Friend

Although the breach hit LastPass, the company expects that the compromised encrypted master passwords will be very difficult to crack.

Siegrist explained in his blog: "We are confident that our encryption measures are sufficient enough to protect the vast majority of users."

LastPass spokesperson Erin Style went into more detail in an email to Forbes, explaining that because LastPass employs per-user salts, an attacker would need to attempt to crack each encrypted master password individually.

"Further, because a user's password is hashed thousands of times before being sent to LastPass, and is again hashed 100,000 times before being stored, guesses can't be done at a significant speed," Style said in an emailed statement to Forbes.
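To make the two statements above concrete, here is an added example (not LastPass's code) of a two-stage, salted key-derivation scheme of the kind described: the client hashes the master password thousands of times before it leaves the device, and the server hashes the result another 100,000 times before storing it. PBKDF2-HMAC-SHA256, the 5,000 client-side rounds, the username as the client-side salt and a random 16-byte server-side salt are assumptions; the article gives only the server-side figure and says that salts are per user.

```python
import hashlib
import hmac
import os

# Round counts: the article says the client hashes "thousands of times" (5,000 is an
# assumed figure) and that the server hashes again 100,000 times (stated in the article).
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_hash(master_password: str, username: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Key the client derives and sends in place of the raw master password.
    Using the username as the client-side salt is an assumption; the article says only
    that salts are per user. PBKDF2-HMAC-SHA256 is likewise an assumed construction."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.encode(), rounds)


def server_hash(client_key: bytes, server_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side re-hashing of the received key with a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", client_key, server_salt, rounds)


def enroll(username: str, master_password: str) -> dict:
    """Build the record the server stores: never the password, never the client key."""
    server_salt = os.urandom(16)
    stored = server_hash(client_hash(master_password, username), server_salt)
    return {"username": username, "server_salt": server_salt, "stored_hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Login check: rerun both stages and compare in constant time."""
    candidate = server_hash(client_hash(master_password, record["username"]), record["server_salt"])
    return hmac.compare_digest(candidate, record["stored_hash"])


def cracking_work(num_candidates: int, num_accounts: int) -> int:
    """PBKDF2 rounds someone holding the stored records must spend to try every candidate
    password against every account. Because both salts differ per user, nothing computed
    for one account can be reused for another, so the cost multiplies rather than adds."""
    return num_candidates * num_accounts * (CLIENT_ROUNDS + SERVER_ROUNDS)


if __name__ == "__main__":
    # Constructed sample accounts: two users who chose the same master password.
    alice = enroll("alice@example.com", "correct horse battery staple")
    bob = enroll("bob@example.com", "correct horse battery staple")
    print(alice["stored_hash"] != bob["stored_hash"])     # True: salts differ per user
    print(verify(alice, "correct horse battery staple"))  # True
    print(verify(alice, "password123"))                   # False
```

Note that even the value the client sends differs between the two users, so a table of client-side hashes precomputed for one account says nothing about another.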

3. Always Use Complex and Unique Passwords for Each Account

Due to the minimal damage of the breach, the incident serves as a reminder that complex passwords are important and necessary.

Users can create strong passwords by being unconventional (try making up a word that can't be found in the dictionary) and remaining impersonal (avoid using birthdays, first and last names and hometowns). It's also helpful to use a different password for each account and change them frequently.

For more information, check out LifeLock's tips for choosing a secure password.

4. Choose Multi-Factor Authentication When Available

As a safety measure, LastPass now requires anyone who logs in to their LastPass account from a new device or IP address to verify the login via email. This highlights the importance of two-factor authentication, both before and after a security breach, and it is a feature worth weighing when choosing which sites to rely on.

In fact, it's always helpful to take advantage of all security features that are offered. For example, if a site offers two-factor authentication as an "option," always choose the extra security.

5. Vary Your Security Questions and Answers

During the LastPass hack, the reminder words and phrases that the service asks users to create for their master passwords were compromised. This emphasizes the importance of using different phrases, key words and security questions for all of your accounts, much as you would use a unique password for each one. Once a criminal knows one security question and answer, it is that much easier to make attempts on other accounts set up by the same user.

6. Even the Sites You Perceive to Be Most Secure Can Be Flawed

The LastPass hack reminds us that data breaches can strike anywhere and at any time. According to computer scientist Zhiwei Li, and as reported in Slate, "the security quality of password managers is reasonably good... [but] security design/implementation is hard to make right."

7. Look Out for Phishing Emails

Following the breach, a LastPass blog post encouraged all users to "be wary of phishing emails asking you to disclose your master password, payment information, or any other personal information. Never, ever disclose your master password or any confidential information, even to someone claiming to work for LastPass."
