As you may have recently spotted in the media, one of the most popular password managers has recently been compromised. LastPass reported a security breach in which attackers got into the system where it keeps the source code of its software, and understandably this has prompted a few questions about whether it is safe to use a password manager at all.
First of all, let’s cover the technical bit. In this particular incident the hackers weren’t able to get at any personal data, because it isn’t stored on LastPass’s servers in a usable form anyway. This is important to understand: password managers don’t work by keeping plain copies of all your passwords, precisely because those could be extracted by attackers. Passwords are stored in an encrypted database that is only ever decrypted after it has been transferred to your device, and usually only after you’ve provided your master password together with an additional layer of two-factor authentication. No password in your password manager is ever stored in a directly usable form, and your master password should not be stored at all.
This particular attack didn’t exploit any vulnerability in the LastPass software through which the encrypted passwords could be attacked, nor did it involve the theft of any ‘real life’ customer information. What the hackers actually accessed was source code, which has nothing to do with where passwords are stored.
So should you be using a password manager?
Yes. Here are three reasons why:
It makes password security simpler: remembering a separate secure password for every platform, app or site we use is just not realistic, which is why people end up using the same password over and over again despite all the advice against this practice. A password manager helps you to create secure passwords and stores them behind one super strong password, usually reinforced with two-factor authentication.
You can’t use the same password twice: a good password manager just will not let you do this, and there’s good reason. If one of your passwords is compromised, that’s only an issue at the site where you use it, unless you’ve got the same password everywhere, in which case you’ve got problems. Password managers stop you from doing this by helping you to choose and create random, unguessable passwords every time.
You can’t fall victim to phishing: if you’ve clicked on a dodgy link and you try to put your password in, your password manager knows you’re not at the right site. You can try to enter your password, but it will stop you going any further and help protect you from entering information into bogus sites or apps.
But if it can get hacked, isn’t it still a risk to store passwords there?
Reality check: nothing is ever 100% safe, but the protection of using a password manager far outweighs any risks. Your password manager couldn’t reveal your passwords even if it wanted to; it doesn’t have your master password, or any of your other passwords, in any database from which they could be extracted without your agreement. They’re never decrypted unless it’s on your device, so you can trust your password manager to keep your passwords safe, even if it gets hacked.