What Happens If My Password Manager is Hacked?

If you follow the news, or if you use the LastPass password manager, you will no doubt be aware that LastPass was hacked this month, and it is not the first time that has happened at LastPass, as it was also hacked back in 2015. If password managers can be hacked, you may be asking yourself questions such as what happens if my password manager is hacked? Should I be using a password manager? Do I need to change all my passwords? These are all perfectly reasonable questions that it is worth addressing in light of the recent news.

It is important to clarify a few points about the recent LastPass hacking incident. LastPass said the latest hack only affected its development environment, and users’ passwords were not accessed. Data was stolen, but the theft was limited to source code and some technical documentation. LastPass did not perform a password reset for users’ passwords, so the company is confident that no passwords have been breached.

Should I use a password manager?

If you use a password manager, all of your passwords are stored in one place, so if the password manager is hacked, all of your passwords could potentially be stolen. Password managers encrypt users’ passwords and store them securely in a password vault. The vault can only be accessed (and decrypted) if the user supplies their master password. That also means that if a password manager is hacked, the hacker will only be able to access encrypted passwords. It may be possible to decrypt those passwords, but unless the hacker can insert themselves into the decryption process (through malware, for instance), it is likely to be a long process, which would give users plenty of time to log in and set a new password. The password management company would also perform a password reset for all affected accounts to prevent any breached passwords from being used.

The problem with not using a password manager is that you are likely to take shortcuts with your passwords, as it is virtually impossible to set a long, complex, unique password for every account you need to secure and remember them all. In practice, that means passwords for different accounts are often not unique, are weak so that they are easy to remember, or change very little from platform to platform. You may even store them on your computer in an unencrypted file or write them down. All of these shortcuts carry a much greater risk than your password manager being hacked.

Further, there are steps you can take to reduce risk and the harm that can be caused in the event of a password manager being hacked. The first step is to set a complex, very strong password as your master password. A passphrase of more than 12 characters is recommended. A passphrase will be easy to remember, yet difficult to crack. Secondly, set up multifactor authentication. If your password is stolen, a second form of authentication is required to gain access to your account. A YubiKey or similar physical device is best, rather than a phone number for a one-time SMS code. It is also important to ensure that you monitor your password manager closely and act on any alerts you receive quickly.
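To make the two points above concrete (a stolen vault is only ciphertext, and the master passphrase is what stands between a thief and that ciphertext), here is an added example; it is not code from the article, from LastPass or from any password manager vendor. It assumes a vault key derived with PBKDF2-HMAC-SHA256, a made-up work factor of 600,000 iterations, a constructed sample passphrase, and an assumed attacker speed of one billion hashes per second; the cracking-time figures it produces are rough estimates under those assumptions only.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions for this example, not any product's real settings).
KDF_ITERATIONS = 600_000   # PBKDF2 work factor: every guess at the master password costs this many hashes
KEY_LEN = 32               # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into the vault encryption key.

    The key is never stored; it exists only while the user has typed the master
    password, so a stolen vault is just ciphertext plus this salt.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_verifier(vault_key: bytes) -> bytes:
    """A keyed check value stored next to the vault.

    It lets the client tell a wrong master password from a corrupted vault
    without storing either the key or the password.
    """
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def create_vault_header(master_password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """What a server or a thief would see: salt, work factor and verifier, never the key."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": make_verifier(key)}


def unlock(master_password: str, header: dict) -> bool:
    """Re-derive the key and compare in constant time; True only for the right master password."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    return hmac.compare_digest(make_verifier(key), header["verifier"])


def guess_space(charset_size: int, length: int) -> int:
    """Number of candidate master passwords an attacker must consider."""
    return charset_size ** length


def expected_crack_seconds(space: int, iterations: int, hashes_per_second: float) -> float:
    """Average offline cracking time: half the space, each guess costing `iterations` hashes."""
    return (space / 2) * iterations / hashes_per_second


def compare_master_passwords(hashes_per_second: float = 1e9) -> dict:
    """Cracking-time estimate for two master-password styles at the assumed attacker speed.

    - 8 lowercase letters (26 symbols per position)
    - 4 words from a 7776-word list, i.e. a passphrase comfortably over 12 characters
    """
    year = 365 * 24 * 3600
    return {
        "8_lowercase_years":
            expected_crack_seconds(guess_space(26, 8), KDF_ITERATIONS, hashes_per_second) / year,
        "4_word_passphrase_years":
            expected_crack_seconds(guess_space(7776, 4), KDF_ITERATIONS, hashes_per_second) / year,
    }


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")  # constructed sample passphrase
    print("right master password unlocks:", unlock("correct horse battery staple", header))
    print("wrong master password unlocks:", unlock("password123", header))
    print(compare_master_passwords())
```

The header is all that a breach of the provider's storage would expose, and the only path from it to the vault key runs through the slow derivation, once per guess. Raising the work factor multiplies the attacker's cost linearly; lengthening the passphrase multiplies it exponentially, which is why a multi-word passphrase comes out tens of thousands of years ahead of an eight-letter password in this estimate.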

What happens if my password manager is hacked?

If your password manager is hacked, the most important step to take is to reset your master password. You can also reset the passwords for all of your accounts if you wish; password managers make updating passwords easy. That said, such a move would only be necessary if your password manager had been hacked and password vaults compromised, which would only be the case if a vulnerability in the password manager had been exploited that gave the hackers access to encrypted password vaults. Read any notifications from your password manager carefully to determine the risk you face. In the latest LastPass incident, a developer account was compromised and was used to access restricted content, but not passwords, so changing passwords is not necessary.

Many password managers are open source, which means their source code is open and can be viewed by anyone. Open source doesn’t necessarily improve security, but some password managers – Bitwarden for example – have open source code and a bug bounty program to encourage code reviews. Bitwarden has also undergone an independent code review to proactively identify vulnerabilities that potentially exist in the code. With open source password managers, users can have greater confidence that potential vulnerabilities are being searched for. With proprietary code, such as LastPass, users must trust that the company is actively reviewing its code and is fixing vulnerabilities.

Summary

There is naturally a risk that a password manager could be hacked, as no software solution is invulnerable to hacking. However, password manager hacking incidents are very rare and there are steps you can take to protect your accounts. Using a password manager is much better for security than taking shortcuts with security, so a password manager is strongly recommended. Further, if you have highly sensitive accounts – your online bank account for example – you don’t have to add that password to your password vault. You can just set a complex, unique password for that account.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news