One of the first steps in securing your WordPress site is using a strong password for your WordPress blogs. In addition, you must also use strong passwords everywhere else you log in online, including your Gmail, Twitter, Facebook, bank, PayPal, etc.
Your passwords need to be unique (never use the same one twice) and long (I suggest no less than 14 characters); never use names or words found in a dictionary; and include a combination of upper- and lowercase letters, numbers and symbols.
And change your passwords often. You don't want your WordPress site hacked because you've had the same password for the last 2 years and it's easy to guess.
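As an added illustration (not code from the original post), here is a small Python checker and generator for the rules just listed: minimum length 14, all four character classes, and no dictionary words or names. The word list is a constructed sample; a real deployment would use a full dictionary and a breached-password list.

```python
import secrets
import string

# Policy from the post: at least 14 characters, upper- and lowercase letters,
# digits and symbols, and no names or dictionary words. MIN_LENGTH is the
# post's figure; the word list is a small constructed sample for offline use.
MIN_LENGTH = 14
DICTIONARY = {"password", "wordpress", "admin", "welcome", "letmein", "john"}


def check_password(pw: str, dictionary=DICTIONARY) -> list:
    """Return the list of policy rules the password breaks (empty = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Case-insensitive substring match also catches "Password1!"-style choices.
    lowered = pw.lower()
    for word in sorted(dictionary):
        if word in lowered:
            problems.append("contains dictionary word: " + word)
    return problems


def generate_password(length: int = 20) -> str:
    """Draw a random password from the secrets CSPRNG that passes check_password."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps each draw uniform over the alphabet while
        # guaranteeing every required character class is present.
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("Password1!", "xK9#mQ2$vL7@pZ4w", generate_password()):
        print(candidate, "->", check_password(candidate) or "OK")
```

The post's "never reuse a password" rule needs a history of previous passwords to enforce, which is exactly what a password manager tracks for you.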
But how the heck are you supposed to remember your monster passwords?
My passwords are so long and ugly that there's no way I can even write them on a piece of paper without the fear of getting them wrong. So I save them on an external storage device and remove it from my PC immediately after logging in. And I use two different password management tools too, *RoboForm and *LastPass.
Only having to remember one Master Password makes it super easy to generate unique, strong passwords and manage them with these tools. Going to my site or email and logging in with them is CLICK… CLICK… DONE.
But online tools CAN put you at risk. Even though these tools use military-grade password encryption, no system is foolproof.
On May 3, 2011, there was a security incident reported by LastPass. Their site states:
We have reason to believe that LastPass user account information may have been accessed due to an illegal intrusion into our network. Despite not having definitive proof of this, we are erring on the side of caution and alerting you on how to safeguard your data.
While there is no direct evidence that any confidential customer data was taken, we cannot rule out that possibility.
—
Assuming the worst case scenario, only LastPass login account credentials – email addresses, encrypted* LastPass master passwords, and encrypted* password hints – may have been leaked. Actual user account encrypted data was not taken, including: site usernames, site passwords, form fill data, billing information, etc.
On May 10, 2011, I received this Security Notification email from LastPass:
Dear LastPass User,
On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.
As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.
Please visit https://lastpass.com/status for more information.
Thanks,
The LastPass Team
You can also read the interview PCWorld did with the CEO of LastPass, Joe Siegrist here.
I've reviewed their status updates and blog post regarding this incident and I feel confident they put extra security measures in place, but it would have been nice to receive this information earlier than 7 days after it happened. Luckily, I'm subscribed to Threatpost and heard about it right away.
If you're using LastPass, what should you do now?
I strongly suggest you log in to LastPass right now and change your Master Password AND your Master Password Hint. Then, you should change your WordPress passwords just in case.
I'm personally going to go in and change all my stored data just to be safe.
Will I continue to use LastPass?
At the moment, I feel okay about staying with them, because they immediately locked things down and added some additional security, which gives me a better feeling about it. However, I'm going to monitor their status closely.
Leave Your Feedback
Do you use LastPass? And if so, how do you feel about continuing to use their service? Have you had any bad experiences with online password management tools? Or which ones make you feel safe to store your passwords? Leave your comment below.
Securely yours,
Regina Smola
WordPress Security Expert
Follow me on Twitter
Follow WPSecurityLock on Twitter
Become a Facebook Fan
* Denotes our affiliate links. If you make a purchase through these links, we may receive a commission.
Traci Knoppe says
Thanks for the heads-up, Regina. I use Roboform myself – and so far, I have not had any issues at all.
Regina Smola says
Hi Traci,
You’re welcome. I have a RoboForm account too. I really like the interface and the ease of password management. I like the Encrypted Safenotes and save contacts features too in the Pro version.
Ed Hudson says
I too use RoboForm. Can only hope we never get a notice like this one from RoboForm.
Regina Smola says
Hi Ed,
I agree! It’s like cops and robbers. The cops always have to try to outsmart the robbers.
~ Regina
Wayne John says
I keep everything in my head. It’s the safest place ever. And yes, I have hundreds of them. I use a technique that allows me to know which password to use depending on the site, and how to transform my master pass into what I used at any given site.
It works pretty well, but unfortunately I’m not able to share the technique with anyone. I think it’s obvious why. 🙂
Good stuff, Regina. Thanks for keeping us posted on these matters!
Sheri Dresser says
Regina,
Thanks for the information. The potential for hacker access to one major password has concerned me ever since I learned about these types of password storage tools. However, it is somewhat comforting to know that at least, as far as they know, there was no personal data breach.
I considered whether or not to discontinue using this type of software. But as you mentioned, I realized that it is just not realistic to store all those “ugly” passwords on little sticky notes, or to put them in a spreadsheet or write them down in a notebook and carry them around everywhere (only to potentially be misplaced or stolen), or to try to remember 100+ passwords. In addition, it is much more convenient to simply let the tool access and open any of my websites no matter where I am.
So all things considered I will continue to use them, but with more caution, changing my passwords more often and being more cautious.
Keep up the great work to help keep us all safe online!
Sheri
Robert Nelson says
Like other commenters, I use Roboform; I am still getting used to it. I envy Wayne John and sincerely hope he never has a memory lapse or serious head injury.
Valerie says
I got one of those notices from LastPass. I changed my master login. Do you think I should change all my passwords stored there?
Regina Smola says
Hi Valerie,
Good question. According to LastPass, the stored passwords were not breached. However, I feel more comfortable changing mine, and it’s always a good idea to do it once every few months anyway.
~ Regina
Daniel Fenn says
Hello,
I read about this the other day. Thank God I’m not using it. I’d rather have all my passwords stored on a flash drive using “Sticky Password”. They have a version of it that runs from your flash drive, and it has an autofill plugin that will log you in to any website.
It’s not perfect; it has some issues logging into some websites, but I do love this great little app.
The best thing is that you can pick the level of encryption that you want to use.
Regards,
Daniel Fenn
Henry says
That is true. I use Sticky Password too; I am secure, my passwords are stored locally, and I am all safe and OK.
Lilia Lee says
I use the desktop version of RoboForm myself at the moment. And I have the PWs locked down with a fingerprint reader. But the fingerprint reader software doesn’t work well with either IE9 or Firefox, so I find myself having to retype the encryption PW all the time.
I have seen an online service called PassPack. Does anyone have any experience with them, good or bad?
I’d appreciate feedback.
Carla McNeil, Social Media Coach & Speaker says
Regina, you always find such great information! I love the fact that you take the time to share it. I too use Roboform and I absolutely love it! I had a coach once who told me just to use an Excel spreadsheet; I have since heard that he has been hacked a number of times.
I feel much more confident about my websites now that I follow your advice. Thanks for being there and giving me such great peace of mind.
I too have some of those super long and ugly passwords, thanks again to you!
Matthew says
What do you think about roboform? I heard many positive comments. Which is the best free password storing tool?
Regina Smola says
Hi Matthew,
I love Roboform. The security is great and keeps my passwords organized. I also like LastPass.