How to change your LastPass password in wake of site hack

Those of you who use the popular password manager should consider changing your master password following a data breach. Here are the steps.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

LastPass users with weak master passwords should change them following the recent data breach. Screenshot by Lance Whitney/CNET

LastPass users are advised to change their master password in the wake of a recent hack attack, especially if that master password is weaker than it should be.

On Monday, LastPass disclosed that it was the victim of a hack that compromised account email addresses, password reminders, per-user salts and authentication hashes. However, the company said the attackers did not get into the encrypted vaults where users store their website passwords. LastPass encrypts and decrypts that vault locally in your browser, using a key derived from your master password, so the stored vault data is unreadable without it.

As a password manager, LastPass can generate a different password for each website you use. Installed as a browser extension, it then fills in the right password for each site, saving you the effort of remembering and typing passwords for the dozens of sites you potentially use.

To protect and access all your passwords, LastPass requires you to set up a single master password. But what if someone obtains that master password? LastPass never stores the master password itself, and the encrypted vaults were not taken in the breach. The attackers did, however, get the password reminders, or hints, that users set to jog their memory, along with the salted authentication hashes derived from master passwords. A weak master password can be recovered from such a hash by offline guessing, and the right reminder narrows those guesses further, so the risk is greatest if you chose one that is easy to guess.

"If you've used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites, you need to update it," LastPass CEO Joe Siegrist said in a blog post Monday.
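To make the threat concrete, the following added example (not LastPass code, and not LastPass's actual key-derivation scheme) models a stolen record containing an email address, a password reminder, a random per-user salt and a PBKDF2-HMAC-SHA256 hash of the master password, then runs the kind of offline guessing an attacker would do against it. The wordlist, reminders, sample accounts and the tiny iteration count are constructed for the demonstration.

```python
"""Offline guessing against a stolen salted authentication hash (added example)."""
import hashlib
import os

# Assumption: the stolen record holds PBKDF2-HMAC-SHA256(master password, per-user salt).
# This is a generic model of a salted password hash, not LastPass's real scheme, and the
# iteration count is deliberately tiny so the demonstration finishes in seconds.
ITERATIONS = 2000


def auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored authentication hash from the master password and salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def leaked_record(email: str, master_password: str, reminder: str) -> dict:
    """Constructed stand-in for one stolen account record. The attacker sees every
    field in it; the master password it was derived from is what they want back."""
    salt = os.urandom(16)
    return {"email": email, "reminder": reminder, "salt": salt,
            "hash": auth_hash(master_password, salt)}


# Constructed mini wordlist of the common words and names the article warns about.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "robert", "michael",
                "jennifer", "mustang", "camaro", "civic", "buddy", "bella",
                "football", "baseball", "dragon", "master"]


def candidates(reminder: str):
    """Yield guesses in the order an attacker would try them: common words plus any
    words lifted from the leaked reminder, each run through a few mangling rules
    (capitalisation, a trailing digit, '123', '!')."""
    words = list(COMMON_WORDS)
    for token in reminder.lower().split():
        token = token.strip("'\".,!?")
        if token.isalpha() and token not in words:
            words.append(token)  # the reminder hands the attacker new base words
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            yield base + "!"
            yield base + "123"
            for digit in range(10):
                yield f"{base}{digit}"


def crack(record: dict, max_guesses: int = 2000):
    """Try candidates against the stolen hash. Returns (password or None, guesses used)."""
    guesses = 0
    for guess in candidates(record["reminder"]):
        guesses += 1
        if guesses > max_guesses:
            break
        if auth_hash(guess, record["salt"]) == record["hash"]:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed sample accounts: two weak master passwords, one long passphrase.
    records = [
        leaked_record("alice@example.com", "mustang1", "first car"),
        leaked_record("bob@example.com", "Whiskers1", "my cat Whiskers"),
        leaked_record("carol@example.com", "MyCatLikesToSnuggleOnMyLap", "what the cat does"),
    ]
    for rec in records:
        found, n = crack(rec)
        status = f"cracked as {found!r}" if found else "not found"
        print(f"{rec['email']:20} reminder={rec['reminder']!r:22} {status} after {n} guesses")
```

Alice falls to the plain wordlist, Bob falls only because the reminder put "whiskers" into the attacker's base words, and Carol's passphrase survives the whole candidate list. Per-user salts stop the attacker from reusing one computation across accounts, but they do nothing for a password the attacker can guess in a few hundred tries.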

Okay, so how do you change your master password, and what further steps can you take to lock down your account? Let's tackle the first question first.

Changing your master password

  • First, log in to the LastPass website with your email address and current master password.
  • After logging in, you'll see a LastPass page with a left sidebar menu of various options. Select the option for Account Settings.
  • In the Account Settings page, look at the section for Login Credentials and click the button to Change Master Password.
  • At the Password Reset form, type your current (old) master password, then type your new master password twice, the second time to confirm it. Finally, type a password reminder that can help you recall your master password should you ever forget it.

Your master password should be long enough that it cannot be guessed or cracked, and length matters more than mixing character types. A combination of uppercase and lowercase letters, digits and symbols such as underscores or dashes helps, but a single lengthy phrase that you can remember, such as MyCatLikesToSnuggleOnMyLap, resists guessing far better than a short word with a digit tacked on. Avoid anything built on a dictionary word, a name or a pattern like password1!, since those are exactly what cracking tools try first. Remember, too, that the reminder field is what leaked in this breach, so write a reminder that means nothing to anyone but you, and never one that contains the password or a close variant of it. As you type your master password, LastPass visually shows you its relative strength or weakness.
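The following added example (not LastPass's strength meter, which is not public) shows how such a meter can reason: it sizes the guess space for the cheapest attack it can model (a dictionary word plus mangling, a passphrase of dictionary words, or plain brute force) and converts that into expected cracking time at an assumed guess rate. The wordlist and all attacker parameters are constructed assumptions chosen for illustration.

```python
"""Heuristic master-password strength estimate (added example)."""
import math
import re

# Constructed, deliberately small dictionary standing in for an attacker's wordlists.
COMMON_WORDS = {"password", "robert", "mustang", "letmein", "dragon", "monkey",
                "my", "cat", "likes", "to", "snuggle", "on", "lap"}

# Assumed attacker parameters (illustrative, not measured):
DICTIONARY_SIZE = 100_000   # words and names in the attacker's dictionary
MANGLING_RULES = 1_000      # case/suffix variants tried per dictionary word
PHRASE_VOCAB = 20_000       # vocabulary a natural-language passphrase draws from
OFFLINE_RATE = 10_000       # guesses/second against a slow, salted hash
ONLINE_RATE = 10            # guesses/second against a rate-limited login form


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def alpha_words(pw: str) -> list:
    """Split CamelCase, spaces or punctuation into lowercase words; digits and symbols
    are dropped because the mangling model accounts for them as suffixes."""
    return [w.lower() for w in re.findall(r"[A-Z]?[a-z]+", pw)]


def cheapest_attack(pw: str):
    """Return (attack name, log2 of its guess space) for the cheapest modelled attack."""
    if not pw:
        return "empty", 0.0
    attacks = {"brute force": len(pw) * math.log2(charset_size(pw))}
    words = alpha_words(pw)
    if len(words) == 1 and words[0] in COMMON_WORDS:
        # robert1, password1!: one dictionary word with a mangling suffix
        attacks["dictionary word + mangling"] = math.log2(DICTIONARY_SIZE * MANGLING_RULES)
    elif len(words) >= 4 and all(w in COMMON_WORDS for w in words):
        # MyCatLikesToSnuggleOnMyLap: every word guessable, so cost is per-word
        attacks["passphrase wordlist"] = len(words) * math.log2(PHRASE_VOCAB)
    name = min(attacks, key=attacks.get)
    return name, attacks[name]


def expected_crack_seconds(bits: float, rate: float) -> float:
    """Expected time to hit the password at `rate` guesses/s (half the space on average)."""
    return 2 ** (bits - 1) / rate


def report(pw: str) -> str:
    name, bits = cheapest_attack(pw)
    offline = expected_crack_seconds(bits, OFFLINE_RATE)
    online = expected_crack_seconds(bits, ONLINE_RATE)
    return (f"{pw!r}: {bits:.1f} bits via {name}; "
            f"~{offline / 3600:.1e} h offline, ~{online / 3600:.1e} h online")


if __name__ == "__main__":
    for sample in ["robert1", "password1!", "Tr0ub4dor&3", "MyCatLikesToSnuggleOnMyLap"]:
        print(report(sample))
```

Note how password1! scores well on character classes but collapses to under 27 bits once the attacker is allowed a dictionary and a few mangling rules, which is the point of Siegrist's examples; a passphrase of several ordinary words is expensive even when every word is in the attacker's vocabulary. The online rate is what an attacker faces at the login form; the offline rate is what matters once the hash itself has been stolen.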

  • Click the button to Save Master Password.
  • Assuming all went well, LastPass congratulates you for changing your password and offers a link for you to log back in with your new password.
  • Log in with the new password to confirm that it's working.
  • You should receive an email from LastPass confirming that your password was changed.

As Siegrist said in his blog, if you used your LastPass password on any other websites, you may want to change those as well.

Setting up multifactor authentication

Beyond using a strong master password, are there other measures you can take to better secure your LastPass data? Yes, you can set up multifactor authentication. Such authentication requires a second form of verification, in addition to your master password, before your account information can be opened. Here's how that works:

  • Return to the LastPass Account Settings page and click the link at the top for Multifactor Options.
  • Here you can choose from a number of multifactor options both for free and premium accounts.
  • For example, you can use Google Authenticator, an app that generates a fresh six-digit code on your smartphone every 30 seconds from a secret shared with LastPass when you enroll. You type the current code at the LastPass website to get into your account. Because the code is computed on the phone rather than sent over the network, someone who has your master password still cannot log in without the phone.
  • Click the method of authentication you wish to use and follow the instructions to set it up.

"We ALWAYS suggest using multifactor authentication for added security," a LastPass spokeswoman said in an email. "And it goes without saying that we encourage folks to create strong, unique master passwords."

At this point, LastPass is also requiring users to verify their account by email when logging in from an unknown IP address or device.