Stop using the same key for every lock!

Would you use the same key for every lock in your life? Would you hand that key out to every company you ever interact with? Now imagine that making copies of keys is free and instantaneous, that storing those keys with nearly every company is unsafe, and that the keys can be used remotely, even from other countries. Do you see the insanity of reusing passwords yet? Friends don’t let friends reuse passwords.

In the past week LastPass disabled nearly a thousand LastPass accounts because those users had reused their LastPass master password on Yahoo Voices and Billabong, both of which were hacked and had public releases of usernames and the associated passwords.

All the disabled users broke the basic rules for protecting themselves, the three most important being:

  1. Never use your LastPass master password for any other site or purpose. Your master password is very important. Treat it as such.
  2. Use LastPass to generate random passwords for every site you use. That way, when one of these sites is hacked, you get to laugh about it instead of stressing and scrambling. LastPass provides a security check to help you validate this.
  3. Use the (free) multifactor security options LastPass provides.

We know it’s tempting to reuse passwords; that’s why we built LastPass. Using LastPass you get the convenience of a single password (your LastPass master password) without the security problems created when you actually reuse passwords.

Multifactor is your second line of defense: it allows your master password to be compromised without your account being compromised. LastPass provides two free and four Premium options. You can also trust your devices and computers so you’re only prompted for the second factor when you use a new computer. This gives you the convenience you love with the security on top. We’d recommend Google Authenticator (free) or Yubikey (Premium).

While LastPass does its best to protect people when we see these public releases, many more sites are hacked without the breach ever being exposed. If you’re reusing passwords, invest a few hours today to prevent days of heartache when the next site is hacked.

Reusing passwords?  Not even once.

42 Comments

  • Many of us have a single signon at work and must use the same pass for several sites. How could I use LastPass for this?

  • Masud Ali says:

    Wow amazing article. Multifactor is your second line of defense, it allows your master password to be compromised without your account being compromised. LastPass provides two free and four premium options.

  • John says:

    It surprises and shocks me how many people are happy to divulge their passwords if you simply ask for them. People should treat their passwords like PIN numbers and not divulge them to anyone.

  • Anonymous says:

    I just installed LastPass in Mozilla and …

    All my already stored passwords were gone.

    Thanks very much, how do I follow on now,
    no password, no way to get to the different sites,….

  • Spencer says:

    I am a firm believer in using the same key for every lock! I can’t keep up with all those other keys and what if I lose it? Now at least I only have to get one key remade…

  • Antonie says:

    Let me pose a challenging question – to my understanding, LastPass encrypts information on the local machine and cannot unlock the master password, right?
    Respectfully, how on earth can accounts then be disabled given that the master password was used elsewhere? Yes, I appreciate the security LastPass offers, but this leads to the question.

    • Joe Siegrist says:

      @Antonie — LastPass stores a “Login Hash” against your account to verify you’ve entered the correct username + password before allowing download of your encrypted data. This Login Hash is created by doing X (typically 500) rounds of PBKDF2-SHA2; then what LastPass stores is further salted and PBKDF2-SHA2 hashed many more times.

      What we’re doing here is taking the usernames and passwords that were released and running them through the same (expensive) algorithms to come up with a login hash; if that login hash matches your account’s actual login hash, it means you used the same password and we lock your account.

      If you use a solid password you’re certainly safe; everyone impacted here used the same password on multiple sites — while LastPass is safe from brute forcing, most websites are not.

    • Antonie says:

      @Joe, thanks for the response, makes sense and much appreciated.
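The two-stage login-hash check Joe Siegrist describes above, as an added example that is not LastPass’s own code: the client derives a login hash from the master password with a small number of PBKDF2 rounds, the server re-hashes it with its own random salt and many more rounds, and leaked username/password pairs are replayed through the same pipeline to spot reuse. SHA-256 as the SHA-2 variant, the username as the client-side salt, the 100,000 server rounds and the sample accounts are all assumptions for this example.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 500        # the "X (typically 500)" rounds from the comment
SERVER_ROUNDS = 100_000    # "many more times" on the server; value assumed here


def client_login_hash(username: str, password: str) -> bytes:
    """Client side: PBKDF2-HMAC-SHA256 over the master password.
    Salting with the lowercased username is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               username.lower().encode(), CLIENT_ROUNDS)


def server_stored_hash(login_hash: bytes, server_salt: bytes) -> bytes:
    """Server side: the received login hash is salted again and stretched further,
    so the stored value is never the raw client hash."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, SERVER_ROUNDS)


def enroll(username: str, password: str) -> dict:
    """Create the server-side record for an account (random per-account salt)."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": server_stored_hash(client_login_hash(username, password), salt)}


def find_reused_accounts(accounts: dict, leaked_creds: list) -> set:
    """Replay leaked (username, password) pairs through the same expensive pipeline
    and flag accounts whose stored hash matches; compare in constant time."""
    flagged = set()
    for username, leaked_pw in leaked_creds:
        rec = accounts.get(username.lower())
        if rec is None:            # breach victim has no account here
            continue
        candidate = server_stored_hash(client_login_hash(username, leaked_pw), rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            flagged.add(username.lower())
    return flagged


# Constructed sample data: two enrolled accounts and a fake breach dump.
ACCOUNTS = {
    "alice@example.com": enroll("alice@example.com", "correct horse battery staple"),
    "bob@example.com": enroll("bob@example.com", "Tr0ub4dor&3"),
}
LEAKED = [
    ("alice@example.com", "correct horse battery staple"),  # reused master password
    ("bob@example.com", "summer2012"),                       # different password
    ("carol@example.com", "hunter2"),                        # no account at all
]

if __name__ == "__main__":
    print(find_reused_accounts(ACCOUNTS, LEAKED))  # {'alice@example.com'}
```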