LastPass: So Your Password Manager Got Hacked, Now What?


Earlier this week, the password manager LastPass disclosed that it had been hacked. Yep, somehow hackers were able to get at users' email addresses and the hashed (not plaintext) master passwords, along with the per-user salts, as well as the reminder words and phrases that users stored with LastPass to help them remember their master passwords.

Here's how LastPass works: it generates and remembers passwords for all the sites a user visits, so all they have to remember is one master password... and this is where the problem lies. The master passwords themselves were not stored in the clear; what the hackers got is a salted, slow hash of each one. But LastPass is reporting that anyone holding that hash can guess at the master password offline, trying candidate after candidate until one matches, and the stolen reminders give them a head start, especially if the master password is weak. LastPass CEO Joe Siegrist wrote this in a blog post Monday:

If you've used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites, you need to update it.
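To make the "guessing" concrete, here is an added example (not LastPass's code, and the hash parameters, wordlist, users and reminders are all constructed stand-ins) of what an attacker does with a stolen record: hash each guess with the victim's salt and compare. The guesses come from a tiny cracking wordlist first, then from the words in the user's own reminder, each run through a few common manglings.

```python
"""Offline guessing against a stolen, salted master-password hash.

Constructed demo, not LastPass's code or its real parameters. Each "stolen"
record holds what the attacker has: email, per-user salt, reminder, and a
PBKDF2-SHA256 hash of the master password.
"""
import hashlib
import hmac
import os
import re

# Assumption: an iterated, salted hash. The count is illustrative only; a
# higher count slows every guess for attacker and legitimate login alike.
ITERATIONS = 20_000

# Constructed stand-in for the far larger wordlists attackers really use.
WORDLIST = ["password", "123456", "qwerty", "robert", "letmein",
            "monkey", "dragon", "baseball", "football"]


def auth_hash(master_password, salt):
    """Hash a master password the way a server stores it for login checks."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, ITERATIONS)


def make_record(email, master_password, reminder):
    """Build a stolen-looking record; the plaintext is thrown away."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "reminder": reminder,
            "hash": auth_hash(master_password, salt)}


def mangle(word):
    """Cheap rule-based variants mimicking how people 'strengthen' a word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word + "1!"
    yield word.capitalize() + "1"
    yield word + "123"


def candidates(reminder):
    """Wordlist first, then every word of the reminder, each mangled."""
    seen = set()
    hint_words = re.findall(r"[a-z0-9]+", reminder.lower())
    for word in WORDLIST + hint_words:
        for guess in mangle(word):
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack(record, max_guesses=10_000):
    """Try candidates against the stolen hash.

    Returns (recovered password or None, number of guesses tried)."""
    tried = 0
    for guess in candidates(record["reminder"]):
        if tried >= max_guesses:
            break
        tried += 1
        if hmac.compare_digest(auth_hash(guess, record["salt"]), record["hash"]):
            return guess, tried
    return None, tried


if __name__ == "__main__":
    # Constructed victims: a dictionary password, a reminder that gives the
    # game away, and a password with no wordlist or reminder connection.
    victims = [
        make_record("alice@example.com", "password1!", "the usual"),
        make_record("bob@example.com", "Mustang1", "mustang with a 1"),
        make_record("carol@example.com", "Xq7!vmB2-kqa#9", "none"),
    ]
    for v in victims:
        found, n = crack(v)
        print(f"{v['email']:18} reminder={v['reminder']!r:20} "
              f"-> {found!r} after {n} guesses")
```

Run it and the first two accounts fall within a few dozen guesses while the third survives the whole list. The hash does not stop guessing; it only makes each guess cost something, so a password that is in a wordlist, or that the reminder practically spells out, is gone no matter how good the hashing is. Real attackers use GPUs and wordlists of hundreds of millions of entries, which is why "weak" here means anything a person might write down as a hint.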

Just a couple of months ago I taught a lesson called "How To Make (and Remember) GREAT Passwords" to a 7th-grade class as part of our Cyber Civics program. During this lesson, one young man asked me, "Why do we need to learn this when there are password managers that can do this for us?"

"Good question," I thought as I struggled to come up with an answer.

Today that answer is clear. As Joseph Bonneau, a Stanford cryptography researcher, told Wired Magazine, "It's really important when you use a master password that password be really strong." He added, "At the end of the day, that's the only safe way to use this kind of password vault."

Looks like the seven rules I share with kids should probably be heeded by all of us, so here goes. A GREAT password should:

  • Be at least 8 characters long (a master password that unlocks every other password deserves more than the minimum)
  • Include upper and lowercase letters, symbols, and numbers
  • Never include personal information
  • Never include the name of family members, friends, or pets
  • Never include sequences, such as abcde or 12345
  • Never include a dictionary word
  • Be changed regularly (every six months)

But what about the "memorable" part?

This is where many of us struggle because, holy cow, who can remember even a master password? So what I tell the kids is to use a "mnemonic," or memory device, for this task. It works best if it's something you like. For example, one girl chose her favorite artist, Taylor Swift, as her mnemonic. With Swift in mind, she came up with this password:


This password uses the first letter of each word of Swift's hit song "Shake It Off" (employing both upper- and lowercase letters), includes an exclamation point (because it's a great song), and ends with the album title (1989). So by thinking about Swift, this student came up with a GREAT password that incorporates all seven rules, and it should be easy for her to remember. She will also be encouraged to change it in six months, when she has a new favorite artist, and well before any hacker can figure out what her GREAT password is.
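The recipe above (first letters of a phrase, a symbol, a number) and the seven rules are easy to turn into a small tool. The following is an added example, not the student's password or anything from the original post; the phrase, the personal-info list and the tiny dictionary are constructed stand-ins, and rule 7 is checked by comparing a creation date you supply against today.

```python
"""Mnemonic password builder plus a checker for the seven GREAT rules.

Added example with constructed inputs; the dictionary below is a stand-in
for a real cracking dictionary, which is enormously larger.
"""
import re
from datetime import date, timedelta

DICTIONARY = {"password", "mustang", "robert", "taylor", "swift", "shake",
              "song", "school", "monkey", "dragon", "love", "summer"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")
ROTATION = timedelta(days=182)  # roughly six months


def mnemonic_password(phrase, symbol, number):
    """First letter of each word, keeping the phrase's own capitalisation,
    followed by a symbol and a number, the way the student built hers."""
    initials = "".join(w[0] for w in phrase.split() if w[0].isalpha())
    return initials + symbol + number


def check_rules(password, personal, created, today):
    """Return every rule the password breaks; an empty list means GREAT.

    personal: names, pets, birthdays etc. to screen for (rules 3 and 4 can
    only be checked against a list the user provides)."""
    low = password.lower()
    problems = []
    if len(password) < 8:
        problems.append("rule 1: shorter than 8 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("rule 2: needs upper, lower, digit and symbol")
    for item in personal:
        if item.lower() in low:
            problems.append(f"rule 3/4: contains personal info {item!r}")
    for seq in SEQUENCES:  # rule 5: abcde, 12345, qwerty and their reverses
        for run in (seq, seq[::-1]):
            if any(run[i:i + 4] in low for i in range(len(run) - 3)):
                problems.append(f"rule 5: contains a run from {run[:5]}...")
                break
    for word in sorted(DICTIONARY):  # rule 6
        if len(word) >= 4 and word in low:
            problems.append(f"rule 6: contains dictionary word {word!r}")
    if today - created > ROTATION:  # rule 7
        problems.append("rule 7: older than six months, change it")
    return problems


if __name__ == "__main__":
    # Constructed phrase, not a song lyric.
    pw = mnemonic_password(
        "My favorite song is the one I hum on the way to school", "!", "2015")
    personal = ["Rex", "2003"]  # constructed: a pet's name and a birth year
    made = date(2015, 6, 16)
    print(pw, check_rules(pw, personal, made, made) or "GREAT")
    for bad in ("Rex12345!", "password1!"):
        print(bad, check_rules(bad, personal, made, made))
```

Two cautions a practitioner would add. First-letter mnemonics of famous lyrics and sayings are already in cracking wordlists, because attackers generate them from the same songs everybody likes, so a phrase nobody else would pick (or a longer, private one) is much safer than a chart hit. And the 8-character floor is a classroom minimum; the length of the initials string is what actually buys resistance to the offline guessing described earlier, so a master password should use a longer phrase than an ordinary site password.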

Today the only password manager we can safely rely on lies between our ears, in an unhackable vault that's free to use. We might as well learn how to put it to work.