What the Password Manager LastPass Breach Means to You

Craig Pollack | Jun 16, 2015

Topics: Cybersecurity


LastPass is the password management solution billed as "The Last Password You'll Ever Need." Well, that's a hard promise to keep when your response to being breached is to ask all of your customers to change their master password. That's right folks, LastPass is the latest cloud offering to be hacked. They just announced this last night.

While they say the information that was accessed was encrypted or hashed and there's no way for the perpetrators to get at the stored passwords, you still have to wonder. Here are a few lines from their most recent blog post:

"The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


"We are confident that our encryption measures are sufficient to protect the vast majority of users."

I don't know about you, but this doesn't give me a complete sense of security or comfort. "Vast majority of users"? That sure reads like legalese instead of just saying "all users", and there is a reason for it. With a user's salt and authentication hash in hand, an attacker can guess master passwords offline, as fast as their hardware allows, without ever touching LastPass's servers, and the leaked password reminders tell them where to start guessing. A long, unique master password makes that guessing impractical; a short, common, or reused one does not. The "vast majority" is whoever chose well.
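To make the "vast majority" point concrete, here is an added example (not code from the original post or from LastPass) of what an attacker can do with a leaked per-user salt and authentication hash. It assumes, as a stand-in for the real server-side scheme, that the authentication hash is PBKDF2-HMAC-SHA256 over the master password with a random 16-byte salt and 100,000 iterations; LastPass's actual parameters are not given on this page. The user records and the wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# ASSUMPTION: the "authentication hash" is PBKDF2-HMAC-SHA256 with a per-user
# random salt. This is a stand-in for illustration, not LastPass's real scheme.
ITERATIONS = 100_000
SALT_BYTES = 16


def auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the value the server would store and compare against at login."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def make_user_record(master_password: str) -> dict:
    """What ends up in the server database (and therefore in the breach dump)."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": auth_hash(master_password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Server-side login check; constant-time compare to avoid timing leaks."""
    return hmac.compare_digest(record["hash"], auth_hash(candidate, record["salt"]))


# Constructed wordlist: the kind of guesses an attacker tries first, possibly
# narrowed further by a leaked password reminder like "usual + 1".
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1",
            "summer2015", "correcthorse"]


def offline_guess(record: dict, wordlist=WORDLIST) -> Optional[str]:
    """Offline dictionary attack. The attacker holds salt + hash, so every guess
    costs them one PBKDF2 derivation and nothing else: no rate limit, no lockout,
    no log entry on the server. Only the iteration count slows them down."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def demo() -> dict:
    """Two users: one weak master password, one long random one."""
    weak = make_user_record("Password1")
    strong = make_user_record("m7#Vx!Qp2zLr9$wTn4Gh")
    return {
        "weak_cracked_as": offline_guess(weak),      # "Password1"
        "strong_cracked_as": offline_guess(strong),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The salt stops an attacker from cracking every user at once with one precomputed table, and the iteration count makes each guess expensive, but neither helps a user whose master password is in the first few thousand guesses. That is the gap the "vast majority" wording is covering.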

If you're using LastPass, here's a link to their Security Notice detailing their recommendations. Their short answer is: change your master password. If the old one was short, guessable, or reused on any other site, treat those other accounts as exposed too and change them as well.

In theory, password management systems like LastPass have always seemed like a good idea, and they've always intrigued me. But I've never been able to get past the "what if" of when they're breached. Now that one has, what now?

Here are a couple of suggestions for password management:

  • First, never put your most sensitive passwords into any password manager. That means passwords to your banks, online trading accounts, and any other websites that aren't worth exposing to any increased risk.
  • Wherever possible, enable two-factor authentication. This is where you enter a username and password into a website, and then a unique one-time code, sent to your mobile phone or generated by an authenticator app on it, is required to complete the login. A stolen password alone is then not enough to get in.

Call me old school, but personally, I'm hesitant to store anything as important as passwords someplace I can't touch.



Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 25 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best secure and leverage their technology to achieve their business objectives.