Want to Up Your Online Security? Follow These Steps Now.

If you haven’t seen the recent reports of Mat Honan’s devastating hack, it’s a powerful tale and one worth reading in its entirety. It’s in part a cautionary tale about the current security practices of online services, but taken together with other recent breaches, it raises bigger questions about what we can learn from the situation and how we can prepare ourselves moving forward.

There are two overarching messages we want LastPass users, and the web community at large, to take away from the story:

  • Proactiveness and preparation are key in mitigating risks of attacks, and
  • Protect your email account like your online life depends on it, because it pretty much does these days.

And a password manager like LastPass can help with both. Here’s how:

  1. Change the password for your email account(s), now. We have seen alarming statistics on the number of leaked passwords out there, including leaked email username and password combinations. A password generator like the one built into LastPass allows you to create unique, long, strong passwords for each of your online accounts. The LastPass security challenge can also help you identify any weak and duplicate passwords still lurking in your vault. If one account’s password is compromised, so is every account that uses the same password, and so is every account whose password reset function the compromised account can reach.
  2. Protect your email account(s) with multifactor authentication if possible. Google has increased efforts to encourage all Gmail users to set up multifactor authentication. If your email service offers the option, enable it as soon as possible. You’ll ensure that just knowing the password for your email account will not be enough to let someone in.
  3. Replace answers to “security questions” with obscure, non-personal responses. Truthfully answering security questions can put you at risk for social engineering. Use a password generator or create bogus answers that you can then store in a note in LastPass – if you do ever need to reference it, you’ll have access to the bogus answer, but you’ll ensure that your personal information can’t be used against you.
  4. Set up multifactor authentication for your LastPass account, now. By adding multifactor authentication to your LastPass account, you’re requiring another piece of secure data to be entered after you submit your master password, but before you can gain access to your stored data. So even if your master password is somehow captured, by a keylogger or even by someone you thought you could trust, you’ll keep them locked out because they won’t have that second piece of login data.
  5. Create a “security email address” for your LastPass account. Although protecting your primary email address(es) should be a high priority, you can set up an obscure email address to be used in the case of account recovery, multifactor authentication resets, and other critical changes to your LastPass account.
  6. Run the Security Challenge, and get proactive about your security fitness level. Located in the Tools menu of the LastPass addon, the Security Check allows you to keep an eye on weak and duplicate passwords, and reminds you of ways to improve your overall online security (such as #4 above). Take full advantage of LastPass security options, like auto-logoff on browser idle and restricting logins to IP addresses in certain countries.
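To make steps 1, 3 and 6 concrete, here is a small added example (not LastPass code, and not how the LastPass Security Challenge is implemented) of what a password generator and a vault audit do: draw passwords and bogus security answers from a cryptographically secure random source, then scan a vault for passwords that are on a common-password list, are too short or low-entropy, or are reused across sites. The vault entries, the word list and the common-password list are constructed stand-ins for a real vault, a real diceware-style list and a real leaked-password list.

```python
import math
import secrets
import string
from collections import defaultdict

# Full printable-ASCII pool for generated passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a leaked/common-password list (a real audit would use a large one).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed stand-in for a diceware-style word list used for bogus "security question" answers.
WORDLIST = ["copper", "velvet", "orbit", "salmon", "quartz", "lantern", "meadow", "tundra"]


def generate_password(length=20, alphabet=ALPHABET):
    """Return a password of `length` characters drawn uniformly from `alphabet` using the CSPRNG."""
    if length < 12:
        raise ValueError("use at least 12 characters for a generated password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_bogus_answer(words=4):
    """Passphrase-style answer for a security question; store it in a note, it is not meant to be memorised."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(words))


def entropy_bits(password):
    """Upper-bound strength estimate: length * log2(pool), with the pool inferred from the character classes used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(vault, min_bits=60):
    """Audit a list of (site, username, password) tuples.

    Returns {site: [findings]} where a finding is "common", "weak" or "duplicate".
    Sites with no findings are omitted.
    """
    findings = defaultdict(list)
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
        if password.lower() in COMMON_PASSWORDS:
            findings[site].append("common")
        elif entropy_bits(password) < min_bits:
            findings[site].append("weak")
    # Reuse is the finding that turns one breach into many: flag every site sharing a password.
    for sites in sites_by_password.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].append("duplicate")
    return dict(findings)


if __name__ == "__main__":
    # Constructed sample vault; the last entry uses a freshly generated password.
    sample_vault = [
        ("mail.example", "alice", "Password1"),
        ("bank.example", "alice", "Password1"),
        ("shop.example", "alice", "qwerty"),
        ("forum.example", "alice", generate_password(24)),
    ]
    for site, problems in sorted(audit_vault(sample_vault).items()):
        print(f"{site}: {', '.join(problems)}")
    print("bogus security answer:", generate_bogus_answer())
```

The entropy figure is only an upper bound (it assumes the password was chosen at random from that pool), which is exactly why the common-password check runs first: "Password1" scores respectably on character classes but is on every cracking list.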

Remember, LastPass is just one tool you should have in your arsenal, but one that can help you be proactive and mitigate potential risks. You should also be following standard practices like avoiding the use of open WiFi, running up-to-date antivirus software, avoiding public computers, and always backing up your data – but that’s a post for another day.

We highly recommend all LastPass users follow the above steps, and as soon as possible. We also call on your help in spreading the word about secure password management to family, friends, and coworkers who would benefit from the ability to achieve higher security standards while making their online life easier. If you want to recommend LastPass, you can do so here: https://lastpass.com/friendemail.php and receive Premium as a thank you!

The LastPass Team


  • sumit says:

    hello! what is a good way to store security questions and answers for our different accounts? pls suggest

  • Anonymous says:

    Why should I trust Google to be my 2FA? I can’t use Yubikeys because my work computer does not allow the use of USB drives, and Sesame continues to show up as a virus (or dangerous file) on all my computers with Symantec/Norton. That just leaves Google, and while I trust Lastpass to do the right thing, I do not trust a company that will take as much data from my hard drive as they can and target advertising (and other things) to me without asking. Google’s privacy record sucks thus far. So my question is – why should I trust Google as my 2FA?

    • Ronald Stepp says:

      Google is free, you seem to have no problem using their services without paying for them. Shouldn’t you cut them a little slack?

    • Travis Brown says:

      With Google 2FA, Google never has the key used for the LastPass 2FA. Google uses the open OATH HOTP and TOTP algorithms for their 2FA, so you don’t even have to use the Google Authenticator app. You could use any application that will parse the QR code presented by LastPass. Additionally, Google has open sourced their Google Authenticator apps so there is little they could do to circumvent the security.
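The point made in the comment above (that the enrolling service and your authenticator app are the only two parties holding the secret) is easy to see from the algorithms themselves. What follows is an added example, not code from LastPass or from Google Authenticator: it parses the otpauth:// URI that an enrollment QR code encodes, implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, and shows the server-side check with a small clock-drift window. The URI is constructed for illustration, and the secret in it is the RFC 6238 test-vector key, so the codes can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

# Constructed enrollment URI of the kind a QR code carries; the label and issuer are illustrative.
SAMPLE_URI = ("otpauth://totp/LastPass:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=LastPass")


def parse_otpauth(uri):
    """Parse an otpauth://{totp,hotp}/label?secret=...&... URI into its fields."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    raw = query["secret"].upper()
    secret = base64.b32decode(raw + "=" * (-len(raw) % 8))  # re-add any stripped base32 padding
    return {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "secret": secret,
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the number of `period`-second steps since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // period), digits, algorithm)


def verify_totp(secret, code, at=None, window=1, period=30, digits=6, algorithm="sha1"):
    """Server-side check: accept the current step and `window` steps either side to absorb clock drift.

    Uses a constant-time comparison so the check does not leak how many digits matched.
    """
    at = time.time() if at is None else at
    for step in range(-window, window + 1):
        candidate = totp(secret, at + step * period, period, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    enrollment = parse_otpauth(SAMPLE_URI)
    print("label:", enrollment["label"])
    print("current code:", totp(enrollment["secret"], period=enrollment["period"], digits=enrollment["digits"]))
```

Nothing in the exchange contacts a third party: after enrollment the service stores the secret, the app stores the secret, and every code is derived from it plus the clock. A verifier should also remember the last step it accepted for an account and refuse to accept that step again, which keeps a code that was observed once from being replayed inside the window.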

    • Anonymous says:

      I use yubikey as my 2FA for LastPass. The Yubikey appears as a keyboard, not as a drive. Most lockdowns will still allow keyboards to be plugged in.

  • Hi
    I think you should set the automatic log out time to something like 30 minutes as default. Right now, it is not set at all, which means people with computers that are never turned off might have a logged in account just standing there

  • csw says:

    Hey LastPass, more people will use multi-factor auth if it was sooo scary with Lastpass.

    Unlike Lastpass, Google multi-factor auth allows me to use “matrix” (like), google app, SMS with two phones, etc. to do my multi-factor auth. Lastpass I can only use one of these.

    Needs to be fixed ASAP.

    • Amber says:

      We do only allow one multifactor authentication method to be used at any given time with your account, but we offer a number of options so you can select one that will best meet your needs. We’d welcome any further feedback you may have on making multifactor more usable: https://lastpass.com/supportticket.php

    • csw says:

      @Amber thanks for confirming my understanding. It would be much better if Lastpass multi-factor auth worked like Google and we could use ALL of your options at the SAME time and not to have to select only ONE.

      Any idea when you guys will be able to improve LastPass so more people will protect themselves?

    • Amber says:

      Encouraging people to use even one multifactor authentication method, and spreading awareness of what it is to begin with, is the critical first step. Improving and adding features for users to protect themselves continues to be our primary focus.

  • gagy says:

    With many of us also using an iPad to access our email accounts, it becomes more difficult to keep up with security. Even Lastpass, who offers some apps for the iPad, does not seem to be able to provide foolproof security for this.
    What do you suggest we can do about this?

    • Amber says:

      If you want to be extra cautious, it’s advisable to logoff your email account when you’re done, whether using the browser or a standalone app. LastPass can help make logging back in easier, and it ensures that if your device is lost your email account(s) aren’t at risk.

  • PilotBob says:

    So, is multi-factor auth to lastpass needed when I just log into lastpass chrome extension, or is this only when logging into the last pass web site?

    • Amber says:

      Once enabled for your account, you will be prompted when logging in to your account in any location, whether the web vault or any browser addon. Only Google Auth and YubiKey NEO are currently supported on mobile devices, however.

    • PilotBob says:

      I have my lastpass set to logout after short inactivity or when the screen saver is on or when I lock the PC. This is very important for work… because while most people can’t log into my PC, the admins there have full auth to log in. So, while they have the keys to my PC, they don’t have the keys to my Lastpass account.

      So, I might log into Lastpass Chrome extension 5 - 10 times a day, and needing a second factor would just be too much of a pain.

    • Anonymous says:

      Once you enable the 2nd factor authentication on your LastPass account, then you can establish any device as ‘trusted’. This means that you will only be prompted for your master password on that device (and not the 2nd factor). So… unless the bad guys get your device TOO, then you will be safe and secure.