LastPass Hit By Potential Security Breach (and Some Quick Tips On Creating a Strong, Memorable Password)

With all of the crazy outages and hacking going on in the digital world over the past week or two, the fact that LastPass has an issue (as of May 3rd) probably shouldn’t come as a surprise. Still, it is a bit of a shock to the system to be reminded that the “last password you’ll have to remember” is potentially as vulnerable as any other. Before panic sets in among LastPass users (of which I am one), know that the company is on it, and that those with strong, non-dictionary-based passwords should be fine in any case. LastPass also admits that they may even be overreacting, but prefer to err on the side of caution when it comes to keeping your data safe — a policy that I am 100% behind.

Without getting into the technical aspects behind it all, what basically happened is that LastPass discovered at least two network traffic anomalies in their systems that they couldn’t explain. One occurred in a “non-critical machine” and the other came from one of their databases. The second matched with the first and involved information exiting the LastPass environment. The company reported in their blog post that the outgoing amount of data was large enough to have contained email addresses, password hashes, and “server salt,” but not enough to have “pulled many users’ encrypted data blobs.”

While LastPass doesn’t feel that the issue is a large one, they recognize the potential for brute-force guessing of the passwords of any users that may have been compromised. This is most likely to affect those whose master password is weak or dictionary-based, which is still incredibly common, even today. To protect the integrity of their systems, and their users’ data, LastPass is requiring all users to change their master password. They are also looking for email validation from you if you happen to be logging in from an IP address that is outside your usual set. This is an added security measure, just in case your password does get compromised before it is changed.

Don’t rush off and change your password right away, however. The sheer volume of password change requests is slowing down LastPass as a whole, which is causing server connectivity problems across the board. The company has beefed up the email verification protection as a result, and is confident that there should be little risk in waiting a day or two before changing your master password. You will have to do it eventually, however.


Creating a Strong – But Easy to Remember – Password

When you do change your password, strength should be your primary focus — but there is no reason you have to put together something that is impossible for you to remember. That may seem a bold statement, considering that strong passwords need to have combinations of numbers, symbols, and both uppercase and lowercase letters — and should avoid dictionary words — but a great post by Gina Trapani (Lifehacker) back in 2006 essentially solves that problem.

Gina advises that you use a single rule set as the basis for all of your passwords. You start with a base password that you create from something like a favourite acronym, letter/number combination, or nonsense word that you will never forget. Pad that with some symbols for extra safety, if you want, and store it somewhere offline, just in case you forget it. Once the base of the password is set, the rest comes as a result of the service you are signing up for.

For example, you could set your base password using your initials (including middle) or even your favourite pet’s initials, combined with your favourite number. In this case, you are the proud owner of Fluffy Cattington, and have a love for the number 86. Your base password could be something like FC86, or FfyCt86, etc. Add a few things to that for extra strength and you could have this: &*FfyCt86!, or #(FC86)^^. Already, we are well on our way to a secure password.

The next step is to add a standard code for the service you are using. Initials or the first few letters of the service name are good here as well. If this were to be your LastPass master password, for example, you could have something like this: &*FfyCt86!LP, or #(FC86)^^Las. Just try to make sure your password is at least eight characters long and that you are using numbers and letters. Using symbols and uppercase/lowercase letters is even better, but not all services will allow this in their passwords, so you may have to adjust for that. LastPass does, so no worries there.
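The following is an added example (not code from the post or from LastPass) that ties the two halves of the article together: it builds a password with the base-plus-service-code scheme above, scores it against the criteria the post lists, and then shows why a leaked salt and hash (as described in the breach section) is only a problem for a dictionary-based master password. The salted SHA-256 model and the tiny wordlist are constructed for illustration and are not LastPass’s real hashing scheme.

```python
import hashlib
import string
from typing import Iterable, Optional

# Policy taken from the post: at least eight characters, letters and digits
# required, symbols and mixed case a bonus, and never a plain dictionary word.
MIN_LENGTH = 8

# Constructed stand-in for the wordlist an offline guesser tries first.
TINY_DICTIONARY = ["password", "fluffy", "letmein", "cattington", "qwerty", "lastpass"]


def derive_password(base: str, service_code: str) -> str:
    """Apply the post's scheme: a memorised base plus a per-service code."""
    return base + service_code


def check_strength(password: str) -> dict:
    """Score a password against the criteria given in the post."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    mixed_case = any(c.isupper() for c in password) and any(c.islower() for c in password)
    in_dictionary = password.lower() in TINY_DICTIONARY
    return {
        "length_ok": len(password) >= MIN_LENGTH,
        "letters_and_digits": has_letter and has_digit,
        "symbols": has_symbol,
        "mixed_case": mixed_case,
        "dictionary_word": in_dictionary,
        "meets_minimum": len(password) >= MIN_LENGTH and has_letter and has_digit and not in_dictionary,
    }


def salted_hash(password: str, salt: bytes) -> str:
    """Simplified salted-hash model (an assumption, not LastPass's real scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def offline_guess_count(leaked_hash: str, salt: bytes, wordlist: Iterable[str]) -> Optional[int]:
    """Number of dictionary guesses a leaked hash+salt survives; None if the list never matches."""
    for n, word in enumerate(wordlist, start=1):
        if salted_hash(word, salt) == leaked_hash:
            return n
    return None


if __name__ == "__main__":
    salt = b"constructed-server-salt"  # constructed value
    weak, strong = "fluffy", derive_password("&*FfyCt86!", "LP")
    print(check_strength(weak)["meets_minimum"], check_strength(strong)["meets_minimum"])
    print(offline_guess_count(salted_hash(weak, salt), salt, TINY_DICTIONARY))    # 2
    print(offline_guess_count(salted_hash(strong, salt), salt, TINY_DICTIONARY))  # None
```

The dictionary-based password falls on the second guess; the derived one is never in the list, which is the whole point of the base-plus-code scheme.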

Check out the Lifehacker post for even more ideas on how to choose your base password.

If you are interested in alternatives to LastPass, check out Evan’s post on eWallet vs Keypass vs LastPass. I like LastPass, though, and am pleased by the lengths they go through to protect their service and users. Evan also makes a great case for LastPass here.

What are your thoughts on choosing and remembering strong passwords?

Bobby Travis

Bobby isn't 40-something, but is a strong supporter of the Grown-up Geek kind. He's a loving husband and father first, but is also a freelance writer, productivity nut, operatically trained singer, and (not-so) closet geek. Check out his random thoughts, wackiness, and Instagram pics on Tumblr, Twitter, or Google+-- or just head over to


  1. Storm in a teacup and knee-jerk reactions to a non-event come to my mind. There is no concrete evidence of any hack or breach, although fair play to LastPass for being paranoid, but all it really does is allow lots of sites to put up pages for hits ;)

    I’m filing this story under category “Meh”.

    • I tend to agree, but for a different reason. At least for me, my master password was 10+ characters, with letters (cap and lowercase), numbers, and symbols, so even if that outgoing traffic on the LastPass servers was something that could be hacked, I feel pretty safe.

      That said, I have gone and changed my passwords for Evernote and my main email accounts. For now, I’m storing them on paper and in Keeper on my Android phone, and then I’ll go enter them into LastPass after the server is accessible and I can change my master password. Probably unnecessary, but better safe than sorry.

    • Thanks for the comment, David. The post actually addresses the fact that even LastPass thinks they may be overreacting. That doesn’t make the story any less valid, however — which I am sure you would agree if the outgoing data does contain email and password information, and especially if you found out it was yours.

      Of course, you may have a strong, non-dictionary based password, but it is probably fair to say that most people still don’t. One of the main reasons for that is the inconvenience and how difficult they can be to remember — which was the reasoning behind the second part of the post. If you are going to have to change your master password anyway (and you are), it may as well be done right, yes?

      As Evan says, “better safe than sorry.” It’s not about hits, man. It’s about spreading information.

      • No no, Bobby, I’m not belittling the article – apologies if it comes across like that. I think we as end users tend to over-react to words like hack, breach, fraud, and of course for good reason, but these are very emotive words, and in reality any savvy user of LastPass would have one strong master password anyway, otherwise they don’t understand how the program works – hence my comment.

        But I see what you’re saying [thumbs up icon here!]

      • No worries, David! I wasn’t offended in any way. I just wanted to make sure the point was clear in case other readers misread your comment. The last thing I want is to have people jumping to conclusions and battling it out on a topic that is meant to help people out!

        You are absolutely right that people do tend to freak out to those scary little buzz words, especially when the media gets a hold of them — and with good reason, as you say. The fact of the matter is, though, that most people on the internet are more “regular” users, as opposed to savvy. This would include LastPass users.

        For example, my mother uses LastPass. She came on it from a recommendation from me. Now, my mother is probably closer to the savvy end of the scale, when it comes right down to it, and she is very mindful of her security, but I would be willing to bet that this article comes as news to her — and that her master password is not nearly as strong as it should be.

        Hell, up until I discovered that Lifehacker article a few months ago, my own master password — while relatively strong — was nothing that couldn’t be chipped away at. And that was pure laziness on my part. I doubt I’m alone there.

  2. I use keypass; I am not sure about using anything that keeps my passwords outside of my control. I try to have different levels of passwords (banking will have a different one than, probably, signing in to your website, if that was a requirement).

    The main problem is even among banks, each website has different rules. So one may say, “?” not allowed, the other says “!” not allowed. The length also varies. This creates a big problem. I wish there was “one standard” for password requirements.

    • I hear you, Sean. I am not entirely sure why many bank websites actually disallow certain characters and even capitalization. Why they would deny potential extra security is beyond me.

      Also, while I love the convenience of LastPass — which is why I stick with it over Keypass — I don’t keep my bank passwords in it. Emails, websites, even personal accounts like Facebook are one thing; I don’t trust a password manager with my money.

  3. It’s absolute mayhem as every now and then your password is breached either by your trusted ones or the bots. The key to a strong password that cannot be guessed lies deep inside you, something that you have never shared with anyone.

  4. Pingback: Cloud, effetto lemmings e il miliardo di mosche

  5. Pingback: LastPass vs. 1Password: Password Manager Shootout [Windows/Mac] | 40Tech
