DePaul University Newsline > Sections > Campus and Community > Tips for responding to LastPass password breach

Tips for responding to LastPass password breach

Characters running vertically on a computer screen
(Markus Spiske/Unsplash)

Recent news has highlighted multiple cybersecurity breaches affecting users of the LastPass password service. Information Services highly recommends that LastPass users take action to protect their passwords.

At a minimum, IS recommends that each LastPass user immediately change their master password and make sure that multi-factor authentication is enabled for the account.

When changing your master password, consider using a passphrase, which is easy to remember and difficult for hackers to crack, of 12 characters or longer.

A strong passphrase could involve using the first letter in a sentence or phrase that is easily remembered, such as "Bears fans remember 1985 fondly but worry about the future of the team." This can be translated to a passphrase of "Bfr1985fbwatfott," which contains 16 characters, including lowercase letters, uppercase letters and numbers.

To learn more about passwords, watch this series of cybersecurity videos including "Passwords and Authentication."

In some circumstances, changing your master password and enabling multi-factor authentication may not be a strong enough response to this breach. Backup copies of password vaults were stolen, and an encrypted copy could be accessed if a hacker cracked its master password.

The makeup and length of the master password will determine whether a backup copy of your vault can be easily accessed. For example, if your master password was only a 4-character PIN — something like "1234" — both the short length and the easy-to-guess sequence likely puts your vault and all passwords it contains at risk.

If you suspect that this may be the case, you may want to consider changing not only your master password but all the passwords within your vault, using either the passphrase approach described above or using LastPass's Generate Secure Password option.

Do not reuse passwords between websites; if one site gets compromised, that puts other sites using the same password at risk.