One of the first steps in securing your WordPress site is using a strong password for your WordPress blogs. In addition, you must also use strong passwords anywhere else you log in online, including your Gmail, Twitter, Facebook, bank, PayPal etc.
Your passwords need to be unique (never use the same one twice), long (I suggest no fewer than 14 characters), free of names and dictionary words, and made up of a combination of upper- and lowercase letters, numbers and symbols.
And change your passwords often. You don't want your WordPress site hacked into because you've had the same password for the last 2 years and it's easy to guess.
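As an added example (not code from the original post), here is a small Python script that generates a password satisfying the rules above and checks an existing password against them; the WORDLIST is a constructed stand-in for a real dictionary and name list, and the "used elsewhere" set is assumed to come from your own records.

```python
import math
import secrets
import string

# Rules from the post: at least 14 characters, no names or dictionary words,
# a mix of upper and lower case, digits and symbols, and never reused.
MIN_LENGTH = 14
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed stand-in for a dictionary/name list; load a real wordlist in practice.
WORDLIST = {"password", "wordpress", "welcome", "summer", "admin", "letmein"}


def check_policy(pw: str, used_elsewhere=()) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    lowered = pw.lower()
    if any(word in lowered for word in WORDLIST):
        problems.append("contains a dictionary word")
    if pw in used_elsewhere:
        problems.append("reused from another account")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG (secrets) until a candidate passes check_policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def entropy_bits(length: int) -> float:
    """Bits of entropy for a uniformly random password of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
```

Note that 14 characters drawn uniformly from this 86-symbol alphabet give roughly 90 bits of entropy, which is why the length floor matters more than any single symbol.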
But how the heck are you supposed to remember your monster passwords?
My passwords are so long and ugly, there's no way I can even write them on a piece of paper without the fear of getting them wrong. So I save them on an external storage device and remove it from my PC immediately after logging in. And I use two different Password Management tools too, *RoboForm and *LastPass.
The ease of only having to remember one Master Password makes it super easy to generate unique, strong passwords and manage them with these password tools. Going to my site or email and logging in using them is CLICK… CLICK… DONE.
But online tools CAN put you at risk. Even though these tools use military-grade password encryption, no system is foolproof.
On May 3, 2011, there was a security incident reported by LastPass. Their site states:
We have reason to believe that LastPass user account information may have been accessed due to an illegal intrusion into our network. Despite not having definitive proof of this, we are erring on the side of caution and alerting you on how to safeguard your data.
While there is no direct evidence that any confidential customer data was taken, we cannot rule out that possibility.
Assuming the worst case scenario, only LastPass login account credentials – email addresses, encrypted* LastPass master passwords, and encrypted* password hints – may have been leaked. Actual user account encrypted data was not taken, including: site usernames, site passwords, form fill data, billing information, etc.
On May 10, 2011, I received this Security Notification email from LastPass:
Dear LastPass User,
On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.
As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.
Please visit https://lastpass.com/status for more information.
The LastPass Team
You can also read the interview PCWorld did with the CEO of LastPass, Joe Siegrist, here.
I've reviewed their status updates and blog post regarding this incident and I feel confident they put extra security measures in place, but it would have been nice to receive this information earlier than 7 days after it happened. Luckily, I'm subscribed to Threatpost and heard about it right away.
If you're using LastPass, what should you do now?
I strongly suggest you log in to LastPass right now and change your Master Password AND your Master Password Hint. Then, you should change your WordPress passwords just in case.
I'm personally going to go in and change all my stored data just to be safe.
Will I continue to use LastPass?
At the moment, I feel okay about staying with them, because they immediately locked things down and added some additional security that gives me a better feeling about it. However, I'm going to monitor their status closely.
Leave Your Feedback
Do you use LastPass? And if so, how do you feel about continuing to use their service? Have you had any bad experiences with online password management tools? Or which ones make you feel safe to store your passwords? Leave your comment below.
* Denotes our Affiliate Links. If you make a purchase through these links, we may receive a commission.