Time to Change Every Password

It’s official: 2016 is the “Year of the Password Reset.” Just when we thought the headlines of big data breaches couldn’t get any worse, news broke yesterday that more than half a billion Yahoo accounts were impacted by a breach in 2014. But we’re here to say: Changing your Yahoo password today just isn’t enough.

Let’s put the Yahoo breach into perspective: That’s like Facebook saying that half of all its users had their account information stolen. This will likely go down in the books as the biggest cybersecurity breach in history.

As if that weren’t frightening enough, the Yahoo breach follows on the heels of other massive breaches just this year: Incidents at Dropbox, LinkedIn, and MySpace affected hundreds of millions of people.

Awful? Yes. But the damage doesn’t stop there. When these massive lists of usernames and passwords are leaked on the web, it’s fuel for attackers to hack people’s accounts on other, even more lucrative, websites. All they have to do is use the same usernames and passwords, and try them on other popular websites to find a match, and voila, they’re in.

That means anyone who made the mistake of using the same password on more than one website can now be hacked. With the supercomputers available today, testing for matches to those passwords is trivial for these attackers. And because so many people still reuse passwords, the payoff is more than worth it. So now it’s not just your Yahoo password or your Dropbox password that’s out there – every website where you used the same or similar password is also out there for the taking.

It’s no longer good enough to just change your Yahoo password. You need to do more to protect yourself. Can you say yes to all of these?

  • You’re using a password manager like LastPass.
  • You do not use the same password on ANY two websites or apps.
  • All of your passwords have been changed within the last year, and
  • You’ve updated your Yahoo password to another strong, random password.

If yes, you’re a password rockstar. If not, here’s what we all should be doing to take control of our online security:

Sign up for a password manager.

If you’re already using LastPass, collect $200, pass Go, and skip to the next step. But if you’re not using a password manager, today is the day to sign up. For most of us, it’s a herculean task to keep our passwords organized, while creating strong passwords that are different for every account, and remembering them all on a daily basis. A password manager does all that for you, making your passwords easy to get to every day, and more. Plus, it locks everything down with the best encryption available. So sign up now, and get all your passwords added to your vault – you can even import the passwords you’ve got stored in your browser.

Run the Security Challenge.

This is where you really put your password manager to work for you. If you’ve been using LastPass for a while, you already know how much time and hassle it saves you in dealing with passwords. But to really use your password manager to maximize your security, you need to use it to generate a different, strong password for every account. And the best way to audit your passwords is to launch the LastPass Security Challenge. It not only tells you how many passwords you have in your vault, it shows you which ones are weak, old, reused, and even which websites you use have been compromised. That’s why you want to do this before you change your Yahoo password – so you know if you’ve used the same password you did for Yahoo on any other website, and you can prioritize changing those passwords, too.

Now, change your Yahoo password.

Login to your Yahoo account, and use the LastPass password generator to create a new password. Save the new password to LastPass, and submit it to your Yahoo account, and you’re done. Who said creating 20-character passwords had to be hard?

Now go change all your other passwords.

After each new breach, we as consumers run around changing this password or that one, which can be a hassle and quite time-consuming. After you’ve figured out where you’ve reused passwords using the LastPass Security Challenge, there are a few ways LastPass will help you simplify the process of changing your passwords. First, on many websites LastPass can automatically change the password for you with Auto-Password Change. Choose this option where available and LastPass will do the work of changing the password in the background. On any other website, use the LastPass password generator to create the strongest password you can, and save the changes to your LastPass vault as you also submit the change on the website.

Don’t forget about the security questions.

Websites often ask you to add answers to special security questions, with the intention of adding extra security to your account. Unfortunately, they are typically terrible for security because the information isn’t encrypted, and the answers are often easy to find with a few quick searches on the web. Just use the password generator to create bogus answers to security questions. Save the answers as a “Note” in the site entry in your vault, so your mother’s maiden name looks like: sPEcTOpeRoseNctuLAte.

So remember, the best thing you can do today to thwart hackers after big breaches like the Yahoo one is to never reuse a password, and always create a strong, unique password for every website and app you use. Once you’ve followed our steps, you’ll be that much more prepared when (not if) the next popular website is breached. You’ll only need to change one password, and won’t have to waste time worrying about whether any of your other online accounts are at risk, too. There is no time like the present to make sure you improve your password security across accounts.


  • Angela de Melo says:

    I am confused. I cant remember the passwords used whether in yahoo or google. I have also made a mixture with my names,as angie and angela. Now i cant remember. I was sick fo six months,thats the time it all happened. I just dont know how to get out of this mesd.

    • Amber Gott says:

      Hi Angela, if you’re having trouble with LastPass be sure to review our help articles: helpdesk.lastpass.com and if you still have questions please get in touch with our support team at https://lastpass.com/supportticket.php – be sure to include as much detail as possible about steps you’ve tried and the problems you’ve encountered. Thanks!

  • Prasad says:

    Can we talk about the lastpass hack from last year? I am an ardent lasspass user for over last 5 years now, have a fairly solid master password and use best practices to some extent. But it is always scary that the weakest link could be someone breaking into my lastpass vault. I understand that only encrypted data is stored on lastpass servers, but how sure are we that the methods are fool proof?

    • Amber Gott says:

      Hi Prasad, I think this Ars Technica article gives a balanced perspective of this: arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/

      We have built LastPass precisely with that scenario in mind – we don’t store master passwords, so we don’t have the key to your account. So if the worst were to happen, hackers won’t be able to make use of the data. Security is our foundation, but it’s also a constantly-evolving aspect of our service as we work to stay ahead of the game.

  • Simon says:

    Did 2fa (second factor authentication) provide any protection in this yahoo security breach? No one is saying anything about this. Is it safe to rely on 2fa not changing your email password for several years?

    • Amber Gott says:

      I haven’t seen any specific mentions of two-factor being affected, but they did say that telephone numbers were stolen. It’s not clear if that’s separate from the telephone numbers that are used as the Yahoo Account Key. The benefit of two-factor is that even if the password were stolen, the attackers would still need to complete the extra login step before they could compromise an account. It’s always a good idea to turn it on, but following safe password practices is still helpful. So if it’s been a few years since you changed your password, even if it was a good one, now’s a great time to change it.

  • Marian says:

    Thanks. Will post to my social media accounts, as I did with the iPad Scam story.