Last week, I received a notice from LastPass (a company that promises to secure all your passwords in one place) that said hackers were able to “copy a backup of customer vault data,” meaning they theoretically now have access to all of those passwords if they could crack the stolen vaults. I offered this advice: if you have a super long and strong master password, you’re probably fine. But if you don’t (and even if you do), it’s time to change all of the passwords you’ve used LastPass to protect.
My advice was correct. Every LastPass user should (at minimum) change their master passwords.
Yesterday, I read a compelling piece of content marketing by Jeffrey Goldberg: “Not in a million years: It can take far less to crack a LastPass password.” It explains the subtle differences between the methodologies used by LastPass and 1Password (the competitor who wrote the article). It’s worth a read.
This morning, it seems that several researchers are questioning LastPass’s claims about the threat levels created by the stolen vaults.
As interesting as all of this is, the simplest fix is to make sure that all of your master passwords are long and strong. The longer the password, the better. The more random the distribution of alphanumeric characters and symbols, the better. If your password is 18 characters long and contains numbers, upper and lower case letters, and symbols, it will take current technology an estimated 438 trillion years to crack it.
For comparison, according to Hive Systems, using that technique (numbers, upper and lower case letters, and symbols), a nine character password would take three weeks to crack. 10 characters, about five months. 11 characters, 34 years. 12 characters, 3,000 years.
Always create long strong passwords.
Author’s note: This is not a sponsored post. I am the author of this article and it expresses my own opinions. I am not, nor is my company, receiving compensation for it.