
How to Audit and Update Your Passwords After a Service Gets Hacked


When something like a password database compromise happens, it's a good time to reassess your online security. With the right tool, I've reset all of my passwords in 3 minutes, from a train. Here's how.

This post originally appeared when Gawker Media's password database was compromised, but as these breaches become more and more popular, we've turned this into an evergreen resource for anyone who's been subject to one.

When a service gets hacked, you don't just need to change that password—you need to change your password on any service that uses that same password, or something like it. This is why we highly recommend using a password manager like LastPass—it's the only way to create truly unique passwords on every service you use. LastPass securely stores, generates, and audits your passwords. You can learn more about LastPass in our beginner's guide, as well as our intermediate guide for more advanced tricks. Here's how to use it to hunt down passwords you're using across various sites, as well as to generate new, more secure passwords.

Step 1: Install LastPass, and Let It Save Your Passwords

The first time you install LastPass, it will, at some point in the setup wizard, prompt you to import saved passwords from your browser. Assuming you've been allowing your browser to save your passwords, let LastPass import all of these passwords.

Note: Many of you are understandably wary of handing over all your passwords to a third-party service. Under the circumstances, we can't blame you. Take a look at LastPass' security page and security FAQ for a better idea of how the service works.

Step 2: Audit and Update Your Passwords

If you give LastPass permission to run through your passwords, the app can run a "security challenge" that shows you which passwords are decent, which are pretty much asking to be hacked, and provides direct links to where you can fix them. Most importantly right now, you'll want to update the password on sites that shared your Gawker Media password. So click the LastPass button in your browser, then click on Tools > Security Check. Click the Start the Challenge button to get started.

LastPass will now scan all your saved passwords in a few seconds. When it's complete, you'll see a report detailing all your analyzed sites, sorted by duplicate passwords. The most important thing is to find the password you used at the compromised site and see where else you used it. If you also used that password for Gmail, Twitter, Facebook, or elsewhere, for example, anyone with your username can give it a try and get access to those accounts too. Change that password anywhere you used it. Click the Show All Passwords link on the top right of the Analyzed Sites table, then find the sites that used the same password as you used here. Those are the ones you want to change first.

Point your browser to each site where you'd used this password and find its password update tool. One of LastPass' built-in features detects password-change forms: if you log into a website and change your password, it notices a field asking for your current password alongside another asking for a new one. LastPass can do one of two things here: it can help you generate a secure password, using rules and defaults of your choice (recommended—just click on LastPass, then select Tools > Generate Secure Password), or it can simply watch you type in your new password. Either way, once you update your password, LastPass will offer to update it in the LastPass database.

If you let LastPass generate your new secure password, you'll find it's very good at fitting exactly the parameters a site requires while still filling the rest with truly random characters. So go ahead and change the crucial password first, then move on to an audit. You may be prompted to change your password on a few other sites that match that username and login—in the case of Gawker Media's own database compromise, you'll probably be asked to save the new password for Gizmodo, Gawker, Lifehacker—anywhere you comment with your username. This is a good, time-saving thing.

Step 3: Second-Level Security Updates

After you've changed your password here at the compromised site and other sites that had used the same password, you may want to take some other security measures, too. Open up your LastPass vault (click LastPass > My LastPass Vault), then type the username you used for that compromised account, to catch any other sites where you may have used a too-similar user/pass combo.
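If you want to see what the audit in Steps 2 and 3 actually does under the hood, here is an added example (not LastPass code, and not from the original post) that runs the same checks offline over a constructed credential export: it groups sites by shared password, lists every other site that uses the compromised site's password, flags near-duplicates that differ only by a trailing digit or symbol, finds other logins that reuse the same username, and generates a replacement password under simple length and character-class rules using the OS random source. The CSV layout and every site, username and password in it are made up for illustration.

```python
"""Offline password-reuse audit over a constructed credential export.

Added example, not LastPass code. The export format and all entries below
are constructed; a real password manager's export will look different.
"""
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample export: one row per saved login.
SAMPLE_EXPORT = """url,username,password
https://gawker.example/,commenter42,correcthorse
https://lifehacker.example/,commenter42,correcthorse
https://mail.example.com/,commenter42@mail.example.com,correcthorse
https://bank.example/,commenter42,Tr0ub4dor&3
https://social.example/,commenter42,correcthorse2
https://shop.example/,other.name,uniqueLongPassphrase!9
"""


def load_export(text):
    """Parse a CSV export into a list of dicts with url, username, password."""
    return list(csv.DictReader(io.StringIO(text)))


def group_by_password(entries):
    """The 'duplicate passwords' view: map each password to the sites using it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["password"]].append(e["url"])
    return dict(groups)


def sites_sharing_password_of(entries, compromised_url):
    """Every other site that uses exactly the compromised site's password."""
    pw = next(e["password"] for e in entries if e["url"] == compromised_url)
    return sorted(e["url"] for e in entries
                  if e["password"] == pw and e["url"] != compromised_url)


def _core(password):
    """Strip trailing digits/punctuation and lowercase, so 'Pass1!' and 'pass2' compare equal."""
    return password.rstrip(string.digits + string.punctuation).lower()


def sites_with_similar_password(entries, password):
    """Sites whose password is a trivial variant of the given one (same core, not identical)."""
    core = _core(password)
    return sorted(e["url"] for e in entries
                  if e["password"] != password and _core(e["password"]) == core)


def sites_with_username(entries, username):
    """Step 3 check: other logins that reuse the same username (case-insensitive)."""
    return sorted(e["url"] for e in entries
                  if e["username"].lower() == username.lower())


def meets_policy(pw, min_length=16, require_symbol=True):
    """True if pw has the minimum length and lower, upper, digit (and symbol) classes."""
    return (len(pw) >= min_length
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and (not require_symbol or any(c in string.punctuation for c in pw)))


def generate_password(length=20, require_symbol=True):
    """Draw a password from the OS CSPRNG and retry until it satisfies meets_policy."""
    alphabet = string.ascii_letters + string.digits
    if require_symbol:
        alphabet += string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, min_length=length, require_symbol=require_symbol):
            return pw


if __name__ == "__main__":
    entries = load_export(SAMPLE_EXPORT)
    compromised = "https://gawker.example/"
    pw = next(e["password"] for e in entries if e["url"] == compromised)
    print("Change first (same password):", sites_sharing_password_of(entries, compromised))
    print("Also change (near-duplicate):", sites_with_similar_password(entries, pw))
    print("Same username elsewhere:", sites_with_username(entries, "commenter42"))
    print("Replacement candidate:", generate_password())
```

Run it as-is to see the report for the constructed export; to audit your own data, point load_export at a real export and adjust the column names to match. The generator is deliberately rejection-based: it keeps drawing until the draw satisfies the policy, rather than forcing one character of each class into fixed positions, which would make the result less uniform.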

Finally, there's a painful lesson to be learned from these fiascos: don't use weak passwords, don't reuse passwords across different sites, and don't let your friends or relatives do so either.