Note: When something like a password database compromise happens, it's a good time to reassess. Using LastPass, I could reset my Lifehacker password, and all others like it, in three minutes, from a train. Here's how to do that.
Portions of this post originally ran in a previously published Intermediate Guide to Mastering Passwords with LastPass. We thought it was a good time to jump back into top-level password control and password changes.
The LastPass browser extension is a free password manager that securely stores, generates and audits your passwords. You can learn more about LastPass here, or head to the LastPass home page. Here's how to use it to hunt down passwords you're using across various sites, as well as to generate new, more secure passwords.
Update: Reader Rufo informs us that 1Password offers a possibly more direct means of searching out a password you used and finding where else you have it registered. We recommend you do that for any password you believe has been compromised.
Step 1: Install LastPass, and Let It Save Your Passwords
The first time you install LastPass, it will, at some point in the setup wizard, prompt you to import saved passwords from your browser. Assuming you've been allowing your browser to save your passwords, let LastPass import all of these passwords.
Note: Many of you are understandably wary of handing over all your passwords to a third-party service. Under the circumstances, we can't blame you. Take a look at LastPass' security page and security FAQ for a better idea of how the service works.
Step 2: Audit and Update Your Passwords
If you give LastPass permission to run through your passwords, the app can run a "security challenge" and show you which passwords are decent, which are pretty much asking to be hacked, and provide direct links to where you can fix them. Most importantly right now, you'll want to update the password on sites which shared your Gawker Media password (if you had a password for the US Gawker sites). So click the LastPass button in your browser, then click on Tools > Security Check. (Or just go here.) Click the Start the Challenge button to get started.
LastPass will now scan all your saved passwords in a few seconds. When it's complete, you'll see a report detailing all your analysed sites, sorted by duplicate passwords. The most important thing is to find the password you used at the compromised site and see where else you used it. If you also used that password for Gmail, Twitter, Facebook or elsewhere, for example, anyone with your username can give it a try. Change that password anywhere you used it. Click the Show All Passwords link on the top right of the Analyzed Sites table, then find the sites that used the same password as you used here. Those are the ones you want to change first.
Point your browser to each site where you'd used this password and find its password update tool. One of LastPass' built-in features detects password change forms. In other words, if you log into a website and change your password, it notices a field asking for your current password, but also asking for another password. LastPass can do one of two things here: It can help you generate a secure password, using rules and defaults of your choice (recommended — just click on LastPass, then select Tools > Generate Secure Password), or it can simply watch you type in your new password. Either way, once you update your password, LastPass will offer to update it in the LastPass database.
If you let LastPass help you generate your new secure password, you'll find it's very good at fitting exactly the parameters you need and still offering some very random characters to fill in. So go ahead and change the crucial password first, then move on to an audit. You may be prompted to change your password on a few other sites that match that username and login. This is a good, time-saving thing.
Step 3: Second-Level Security Updates
After you've changed your password, you may want to take some other security measures too. Open up your LastPass vault (click LastPass > My LastPass Vault), then type the username you used for that compromised account, to catch any other sites where you may have used a too-similar user/pass combo.
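The two searches described in Step 2 and Step 3 (which other sites share the compromised site's password, and which sites share its username) boil down to grouping a vault export by password and by username. The script below is an added illustration of that audit, not LastPass code; it runs on a constructed three-column CSV export with made-up sites and credentials, and reports site names rather than printing the passwords themselves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (url,username,password). The sites, usernames and
# passwords are invented for this example; none of them are real credentials.
SAMPLE_EXPORT = """url,username,password
https://lifehacker.example,alice,hunter2
https://mail.example,alice,hunter2
https://bank.example,alice,Tq7!vR2#pLm9xZ
https://social.example,alice@example.com,hunter2
https://forum.example,alice,correct horse
"""


def load_entries(csv_text):
    """Parse the export into a list of dicts with url/username/password keys."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def group_by_password(entries):
    """Map each distinct password to the list of URLs where it is used."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["password"]].append(entry["url"])
    return dict(groups)


def sites_sharing_password_with(entries, compromised_url):
    """Step 2: other sites that reuse the compromised site's password (change these first)."""
    password = next(e["password"] for e in entries if e["url"] == compromised_url)
    return sorted(u for u in group_by_password(entries)[password] if u != compromised_url)


def duplicate_report(entries):
    """Step 2 audit: every password used on more than one site, most-reused first.
    Only counts and site URLs are returned, never the password values."""
    groups = group_by_password(entries)
    return sorted(((len(urls), sorted(urls)) for urls in groups.values() if len(urls) > 1),
                  reverse=True)


def sites_sharing_username(entries, username):
    """Step 3: sites registered under the same username as the compromised account."""
    return sorted(e["url"] for e in entries if e["username"] == username)


if __name__ == "__main__":
    vault = load_entries(SAMPLE_EXPORT)
    print("change first:", sites_sharing_password_with(vault, "https://lifehacker.example"))
    print("reused passwords:", duplicate_report(vault))
    print("same username:", sites_sharing_username(vault, "alice"))
```

Run against a real export, delete the file afterwards, since it holds every password in plaintext.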
Finally, there's a painful lesson to be learned from this fiasco: don't use weak passwords, don't use the same passwords across different sites, and don't let your friends or relatives do so either. We're keenly aware of just how much frustration this is causing, but some of it can hopefully be channelled into leaving us all better protected in the future.