LastPass Hacked: Why You Should Still Trust Password Managers
- Netacea, Agentless Bot Management
In August 2022, password management company LastPass fell victim to a cyberattack, in which hackers breached its systems and stole its source code. LastPass’s success is built around offering secure, trustworthy software, so a hack like this could be seen as a knock against the company — but it also impacts wider public trust in password management software.
Only 20% of Americans use a password manager — and when security incidents like this happen, it’s difficult to persuade others to do the same. So, should users be worried about trusting LastPass with their security credentials?
LastPass has confirmed that no passwords were stolen or compromised, so anyone using LastPass can be confident that their passwords are secure. But like many others, you may have misgivings about continuing to use a password manager.
So, should you still trust your password manager? Or if you don’t yet use one, should you still consider it? In this article, you’ll discover:
- What the latest LastPass hack means for password manager users
- Whether you should trust password managers
- Why password managers are still the best way to protect your passwords online.
The latest LastPass hack: what it means for LastPass users
According to LastPass’s press release, no passwords, data, or personal information was compromised in the hack. The only information that was stolen was the source code for LastPass’s software. So, there’s no need for users to take any action.
Like most good password managers, LastPass uses zero-knowledge architecture. Zero-knowledge architecture is based on the principle that you can prove your knowledge of something (e.g. a password) without exposing the actual information (e.g. the password itself).
To achieve this, LastPass encrypts all your information so that nobody — not even LastPass staff or advanced cybercriminals — can access or decrypt your passwords, data, or backups, even if they’re hacked or stolen.
Research suggests zero-knowledge protocols are one of the best methods of authentication and identification. So despite LastPass’s security vulnerabilities, a password manager remains far superior to any other type of password storing system (including your memory).
The dangers of stolen source code
Still, it’s not exactly good news that LastPass’s source code has been stolen. For users, the biggest risk is that attackers can analyze the source code to identify authentication measures and create ways to bypass them in future attacks. But LastPass assures users that, based on what they’ve learned from the breach, they’re “evaluating further mitigation techniques to strengthen [their] environment.”
Most of the damage from stolen source code impacts the company itself, rather than its users. Source code theft enables attackers to identify further vulnerabilities within the code, or even sell the source code to unscrupulous competitors of the company. This puts LastPass’s intellectual property at risk — but it’s unlikely to affect password manager users.
In fact, many organizations choose to use open-source code, which means their code is widely accessible to a variety of developers. Open-source code may seem less secure, but the collaborative nature of the system actually ensures security flaws are noticed and fixed much more quickly than in proprietary source code.
Should you still trust your password manager?
In short, yes — you should still trust your password manager to store and manage your passwords and other authentication data.
With advancements in AI and bot technology, password cracking and credential stuffing attacks are becoming more sophisticated and successful. One AI-based password cracking system was able to guess 69% of passwords in just 52 seconds. So, relying on standard passwords that are easy to remember is far less secure than trusting a password manager to generate and store unique, complex passwords.
In addition, cyberattacks and online scams are now commonplace. Many of the world’s biggest tech companies have fallen victim to cyberattacks in recent years. In 2022 alone, security flaws in both Microsoft and Apple products have been exploited by cybercriminals. So LastPass isn’t the first cybersecurity company to be hacked — and it won’t be the last.
But cybersecurity isn’t just about preventing attacks. You must also be able to recognize and contain an attack quickly, while mitigating potential damage. With zero-knowledge architecture in place, and a continued commitment to protecting user data, LastPass was able to keep user passwords and data secure despite the breach.
The benefits of using a password manager
- You only need to remember one password — your master password is the key to your password manager, so this is the only one you need to know off by heart
- You won’t need to reuse passwords — password reuse is one of the biggest online safety risks, yet almost two-thirds of people use the same password for multiple systems
- You can generate highly secure passwords — password managers create unique, complex passwords that are extremely difficult to guess or crack
- Get useful security alerts and prompts — get real-time notifications if your details are found on the dark web, or if you try to reuse a password — so you can take fast action to protect your data
- Simple, quick login to all your accounts — your password manager makes it easy for you to access all your online accounts from multiple devices
- Store other security information securely — password managers can also store answers to security questions and payment card details, all with the same level of encryption as your passwords.
Keep your online accounts secure with MFA and strong password security
Alongside multifactor authentication, password managers remain the best way to protect your passwords and prevent account takeover attacks — especially as you sign up for more online services over time.
Listen to our Cybersecurity Sessions podcast to learn more about multifactor authentication and password security.