So, the unthinkable has happened for millions of LastPass customers worldwide: LastPass’s servers have been hacked, and user data stolen. The good news -- if it could be said to be good -- is that your passwords are almost certainly safe… For now.
Doing nothing shouldn’t be seen as an option, so what can you do to ensure your LastPass account remains as tightly sealed as can be?
First, a quick recap: LastPass reported that email addresses, password reminders, server per user salts and authentication hashes were compromised in the attack. Of these, it’s the first two that are obviously of most concern. Expect those email addresses to be targeted at some point -- be particularly wary of any phishing attacks that use facsimile’s of LastPass emails to appear in your inbox attempting to trick you into giving up your master password.
You might want to change the email address associated with your LastPass account, seeing as this was stolen. Going forward, consider choosing a disposable, or dedicated email address that ensures your privacy is protected even if the unthinkable happens again.
The fact your password reminder is now in the open is a good reason for changing your Master Password, regardless of how cryptic it is. To do this, log into your LastPass account and --– from your LastPass Vault -- click Settings. Click Change Master Password and follow the prompts to create a new Master Password.
When it comes to choosing your new password, remember the longer and more complicated the better – that way, it’s harder for hackers to force their way into your account. And make sure your Password Reminder is a cryptic one, triggering your memory but no one else’s.
Multifactor authentication
Another way to protect yourself going forward is to enable multifactor authentication -- for LastPass and any other cloud services you use. LastPass has switched on a basic form in light of the hack, with you needing to verify your email prior to signing on a new device or browser, but think of it as a sticking plaster rather than something you should rely on long term.
Now is the time to return to your Account Settings. Switch to the Multifactor Options tab where you’ll find a plethora of multifactor services you can use. Click the pencil icon next to an option to see what’s involved -- most involve downloading an app for your phone that you’ll use to generate verification codes when prompted. There’s even a Grid option that requires you to print a spreadsheet of randomly generated characters you use when challenged (sadly it doesn’t work with non-Android mobiles, so is of limited use to many).
I went with the Google Authenticator option, which had the added bonus of also making sure I switched on two-way authentication for my Google account. After installing the Google Authenticator app, you generate a barcode or key from your Account Settings page to pair the two, at which point the app is ready to go.
Now each time you -- or someone else -- tries to log into LastPass on a previously unrecognized device, you’ll need to type in a six-digit code provided by the app. Look out for the switch that allows you to permanently trust the device you’re logging into -- this prevents you being challenged the next time you log in. You can manage these devices via the Trusted Devices section – rename them to make them more identifiable, or revoke their trusted access should they be sold on or -- lawks -- stolen.
Tighten security further
What else can you do to protect your account going forward? Take the LastPass security challenge to eliminate weak and duplicate passwords, then make use of LastPass’s built-in random password generator to make your passwords impossible to guess. Also consider changing your Master Password at regular intervals.
Also click the Show Advanced Settings button under the Account Settings General tab. Here you’ll find a Security section where you can set a separate security email address, restrict login to selected countries and enable auto logoff when switching devices.
All of these steps will help tighten your LastPass account still further, so if you plan to keep using the service, you know your passwords are as protected as they possibly can be. As for me, it’s seven days until my LastPass Premium sub expires, so now I have to decide whether or not I can continue to trust -- with misgivings -- LastPass with my passwords.