Here’s some not-so-great news: LastPass had two pretty big hacks recently. First, hackers stole LastPass users’ vault data — that includes customers’ usernames and passwords. Then those same hackers broke into a LastPass employee’s computer to take even more LastPass users’ info.
Simply put, just about the worst thing that could happen to a password manager app happened to LastPass.
There’s a silver lining. LastPass encrypts some of the data stored in users’ vaults, and encrypted data is very difficult for hackers to make sense of. What information was encrypted? Usernames and passwords were, but other fields were not, so the hackers could see, for example, which sites LastPass users have accounts with.
So even though the hackers are in possession of LastPass users’ usernames and passwords, it looks like a bunch of gibberish to them — for now. The hackers have that data now and can spend as long as they like trying to decrypt the gibberish in order to recover users’ passwords.
Is all of this making you want to sign up for a password manager?
If you use LastPass, change your passwords immediately. If you don’t, you’re probably wondering if the same could happen to your 1Password or Bitwarden account. (Or your Apple or Google password manager tools if you use one of those.) Or maybe you’re wondering, “should I even be using a password manager if something like this could happen?”
The answer lies below. Here are some things to consider if you currently use or hope to use a password manager.
Should you use a password manager at all? Generally, yes. Sites like the New York Times’ Wirecutter and Consumer Reports strongly recommend password managers as a way to secure your online data. Combining this with two-factor authentication everywhere can make you doubly secure.
You’re probably thinking, “Doesn’t using a password manager give hackers one single place to steal all my most sensitive data?” To answer that, consider two alternatives:
- Using the same password for every account: Using one password for every account can be convenient and easy to remember. But the downside is that a single password could give hackers access to all your other accounts if it’s ever compromised. Just ask the Runescape player whom hackers renamed “SamePwEvrywr.” Yikes. Luckily, password managers make it easy to assign a unique password to each of your accounts while you still only have to remember one single password.
- Writing down all your passwords in a doc: Do you keep a list of your passwords in a Google Doc or in a note on your phone? The downside here is that this data is stored in plain text, ready for anyone to steal and make use of. Note-taking apps are designed to help you jot down important information. Password manager apps are designed to help you jot down important information and protect it. As an added bonus, even the companies that make these password apps can’t see the sensitive information held inside. This is true for 1Password, Bitwarden, Apple’s iCloud Keychain and the password manager within Google Chrome. (Not Google Docs though. Again, not a password manager!)
What if your password manager itself is hacked? Anything digital can be hacked. Fortunately, many password managers prepare for this by using encryption, which makes digital information unreadable without the proper decryption key. Take the latest LastPass hack. Hackers are now in possession of users’ passwords, but they’re in a format that the hackers can’t read.
In an ideal world, the company you trust your passwords to doesn’t get hacked at all, but at the very least if they are hacked, encryption keeps the stolen information unreadable.
So what steps do password manager companies take to avoid getting hacked? Many password managers answer this exact question. Bitwarden notes that its use of encryption protects user data. 1Password lists defenses like encryption and its use of a Secret Key — essentially a second master password that, like your actual master password, only you own.
As for Apple and Google, having your Apple or Google account hacked is stressful in its own right — even without passwords involved. If throwing passwords into that equation sounds doubly stressful, you may not want to trust that much information to one provider. If you do decide to take that approach, Apple and Google have FAQ pages on the topic.
If you’re choosing a password manager, double and triple check what sort of encryption it uses. (256-bit is the strongest you can expect to find.) Or, at the very least, make sure it uses encryption at all — such that only you have the encryption keys.
Another consideration is whether your password manager stores your data in the cloud. Most do, in order to make accessing your credentials across devices easier. Storing info in the cloud, though, can be less safe in some ways, as you might assume. When 1Password switched to storing account credentials in the cloud in 2017, for example, security experts worried about the shift. Fortunately, along with passwords being encrypted, the Secret Key that 1Password generates as a sort of second master password is generated locally on-device. It never touches the cloud unless a user uploads it somewhere.
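To make the encryption and Secret Key points above concrete, here is an added, simplified vault model. It is not code from this article or from LastPass, 1Password or any other product, and it assumes a made-up vault layout, PBKDF2 for stretching the master password and an HMAC-based stand-in for AES-256 (the standard library has no AES); every such assumption is marked in the comments.

```python
import hashlib, hmac, json, secrets

# Constructed, simplified vault model (not any real product's format). Site URLs are kept
# in the clear, like the LastPass data described above; usernames and passwords are
# encrypted under a key derived from the master password plus an optional Secret Key.
KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 cost (OWASP's current guidance)

def derive_vault_key(master_password, salt, secret_key=None):
    # Slow, salted hash of the human-chosen (and therefore guessable) master password ...
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)
    if secret_key is not None:
        # ... XORed with a key stretched from a high-entropy Secret Key made on-device, so
        # a stolen vault cannot be opened by guessing the master password alone (loosely
        # modelled on 1Password's two-secret key derivation; a simplification, not its scheme).
        key = bytes(a ^ b for a, b in zip(key, hmac.new(secret_key, salt, hashlib.sha256).digest()))
    return key

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream: stand-in for AES-256 only because the
    # standard library ships no AES; encrypt-then-MAC in seal() keeps it authenticated.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):
    enc_key, mac_key = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def open_sealed(key, box):
    enc_key, mac_key = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # wrong key or tampered data: nothing is decrypted, not even partially
    return bytes(c ^ s for c, s in zip(ct, _stream(enc_key, nonce, len(ct))))

def build_vault(entries, master_password, secret_key=None):
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, secret_key)
    items = [{"url": e["url"],  # readable by whoever steals the file
              "secret": seal(key, json.dumps({"username": e["username"],
                                              "password": e["password"]}).encode())}
             for e in entries]
    return {"salt": salt.hex(), "items": items}

def unlock(vault, master_password, secret_key=None):
    # Decrypted entries, or None when the derived key is wrong (a thief lacking the secrets).
    key = derive_vault_key(master_password, bytes.fromhex(vault["salt"]), secret_key)
    creds = [open_sealed(key, item["secret"]) for item in vault["items"]]
    if None in creds: return None
    return [{"url": item["url"], **json.loads(c)} for item, c in zip(vault["items"], creds)]
```

With the Secret Key in play, even the correct master password is not enough to open a stolen copy of the vault, while the URL of every entry remains visible to the thief either way.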
Alternatively, there are password manager options that center around non-cloud storage of passwords. KeePass, for example, is open source and strictly local.
When it comes to password managers like 1Password, Bitwarden and others, use of encryption is (pun intended) key. Storing account info in a password manager can be more secure than keeping your passwords in a notes doc on your phone or computer. A password manager is a great way to create and store numerous complex passwords for all the accounts you have. That said, password manager hacks do happen — as we’ve seen with LastPass. Our recommendation? Use a password manager with 256-bit encryption to create and manage unique passwords for all of your online accounts, but if you can, keep key accounts like banking and associated email addresses out of your password manager, and stored securely, and secretly, in your brain. Then double secure them with two-factor authentication.
Aren’t All Password Managers A Hacker’s Honeypot?
Written by: Xavier Harding
Edited by: Audrey Hingle, Carys Afoko, Innocent Nwani, Tracy Kariuki
Art: Shannon Zepeda
SEO Insight: Aslam Shaffraz