TORONTO – LastPass, a password management service that aims to help users keep their passwords secure, revealed Monday that hackers obtained some user data after breaking into its systems.
The company, which stores multiple passwords in encrypted form, warned that it had detected “suspicious activity” on its own network.
According to a security notice posted to the LastPass website, no encrypted user data was taken and no user accounts were accessed. However, the company said some user email addresses, password reminders and authentication hashes were compromised.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” read the security notice.
“Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled.”
LastPass users will be prompted to update their master password, which allows them to access their list of encrypted passwords for their online accounts.
Additionally, if you have used your LastPass master password as a password on any other site, you should change it as soon as possible.
“Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account,” read the notice.
Multifactor or “two-step” authentication means using a device that requires a second security check before logging into your account – many websites use a text message containing a secondary login code.
Tips for creating secure passwords
Any hacking incident is a good reminder to maintain secure, hard-to-guess passwords. Here are some tips:
Stay away from easy-to-guess passwords like “1,2,3,4” or “Password” and easy-to-guess identifiers like your dog’s name.
Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.
One tip is to construct a password from a sentence, mix in a few upper case letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”
Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.
And remember, try not to use the same password for any two accounts.