    LastPass was hacked—so are password managers still safe?

    Why you may be vulnerable, and what to do about it.

    Published: June 16, 2015 02:00 PM

    Virtually every article about staying safe online tells users to sign up for a password manager that creates unique, strong codes for logging into banking, social-media, and other websites. So after the news broke yesterday that hackers had gained access to LastPass, legions of responsible citizens were left wondering if that advice still applies. And articles quickly appeared arguing that, on balance, it does. However, important caveats apply.

    The LastPass announcement on the attack, which was posted on Monday, June 15, said that email addresses, authentication hashes, and hints used to help people recall their passwords had been stolen. The company also said that the procedures it uses to make data harder to crack would probably ensure that most users remained safe. (Security blogger Brian Krebs has a quick explanation of some of the relevant technology.)

    The greatest vulnerability right now could be those password reminders, according to Dan Guido, a security consultant and the CEO of Trail of Bits. After previous hacks of some sites, researchers found that "many people set hints that were the actual passwords, or a variation of them," he says. Other hints were easy to decode, especially with some research. If the entire LastPass database were leaked online, a dedicated sleuth could potentially decipher a user's password without using any computing power at all.

    A more likely scenario, of course, is that the thieves will try to crack the passwords themselves—and, given the security procedures LastPass has in place, that would be a time-consuming task. As a safeguard, LastPass users should change their master passwords, turn on two-factor authentication, and take other standard measures to protect their data.

    After the many recent data breaches, it's no surprise that a password manager is vulnerable, too. After all, Guido points out, what could be a richer target for a criminal hacker than a database promising access to every banking, brokerage, insurance, and social media account for millions of users? For that reason, he recommends 1Password, a service that operates locally on your private computer. Other experts may disagree. But looking further ahead, this kind of data breach could bring renewed attention to the technology used by password managers—and to the efforts to move beyond passwords altogether.

    —Jerry Beilinson

