Hackers broke into popular password manager LastPass this week, which raises some obvious questions: If the service you use to protect your passwords from getting compromised gets compromised, should you still use it? Is it really wise to store all our passwords in the cloud?
You’re not an idiot
First off, no, you aren’t an idiot if you use a password manager. Using a password manager is miles better than using the same password over and over. You probably understand the need for complicated, long, unique passwords, and see a password manager as a reasonable solution to keep track of those. (Considering the most popular password is still 123456, relatively speaking you’re a GOD of personal data security.)
Password managers like LastPass, 1Password, and KeePass all have the same basic premise: They store all your passwords in one “secure” place. Except, of course, your master password for the service, which you need to access the service.
LastPass and other web-based options store your passwords in encrypted databases in the cloud, which is inherently vulnerable, while KeePass and 1Password default to storing locally, which means they store your encrypted password database in a file on a device, like your phone or computer. Local storage is more secure, since it’s not on the web, but it’s less convenient. (Our sister site Lifehacker has a more detailed breakdown of the best password managers.)
Password managers are appealing because they make it way easier to have a custom, complex password for each service you use while only having to memorize one. Many will generate lengthy passwords for you, and will audit your passwords to root out weak ones.
But that basic premise—you memorize one password to access all of your passwords—when you think about it does sound like an idiot move. Eggs, basket, etc.—if someone breaks into the application, they’ll have access to your passwords for everything you do.
But but but
Most password managers are a mediocre option for protecting yourself. Yeah, you get a way to generate a quiverfull of sneaky-long passwords, but you’re putting all your faith in the security of a single service. The question is, how secure are these services?
Let’s look at the LastPass hack. LastPass is one of the most popular and well-respected password managers, so this isn’t some rinky-dink operation.
Even though it was attacked and some information was compromised and it is recommending that users change their master passwords, LastPass is confident that the hackers didn’t access user password vaults because it uses a rigorous cryptography system.
This doesn’t mean the service’s safeguards will work every time; this is LastPass’s second breach in four years. Neither breach broke past its encryption protection, but both have highlighted that security holes exist. Plus, researchers found several critical flaws in LastPass last year, as well as in other web-based password managers PasswordBox, RoboForm, My1Login, and NeedMyPassword. LastPass had the most serious defect, since a bug in its “bookmarklets” feature allowed hackers to implant malicious code that could be used to steal log-in info from other sites. The company fixed the issue once researchers told them about it, so it was never exploited.
You’re always taking a risk by using a password manager, but password managers can mitigate the risks of using insufficient passwords. Plus, none of the major managers like LastPass or 1Password have experienced a hack bad enough to actually expose users’ password vaults yet, so they do have a decent track record.
Passwords are idiots
Passwords are broken. You need one for pretty much every digital service, but our brains aren’t good at memorizing long, complicated unique passphrases, and simple passwords are extremely easy to crack. You’re taking a risk every time you use a password.
We’re left with a classic lesser-of-two-evils situation here. Unless you’re going to write your passwords down manually and physically guard them, you’re going to deal with an element of digital vulnerability.
It’s an imperfect reality, but to play it safe, it’s crucial to use two-factor authentication whenever you can—including in your password managers—and to choose a really complex master password. You can also bulk up your protections by using LastPass with a flash drive set up as an authentication device, which Lifehacker has written about in the past. Don’t be an idiot, do it.
Contact the author at kate.knibbs@gizmodo.com.
Public PGP key
PGP fingerprint: FF8F 0D7A AB19 6D71 C967 9576 8C12 9478 EE07 10C
Title graphic made by Alan Henry using IsaArt (Shutterstock)