Password managers have become a core part of better securing your personal and business data. The idea of having a complex, unique password for every internet portal and every other app and resource that you access makes the password manager almost indispensable. It is an interesting irony that password managers themselves are potentially a major weakness in your security, because they are a central point where all of your important passwords are stored. Password managers can be and have been hacked. Just recently, LastPass, which is arguably the industry leader, notified customers that its development environment was compromised. Are password managers more trouble than they are worth? Do we need to go back to the old-school practice of writing down all of your passwords in a notebook?
Let’s take a step back. It is a fact of our digital lives that any business at any time can and will get compromised, and password managers are no different. They are even more of a target because of the very nature of the service that they provide. This was not the first security incident for LastPass, and it will likely not be the last. So you say, “maybe it is time to move off of LastPass and use another password manager that is more secure.” This is a common knee-jerk reaction to these kinds of events: Company A was compromised, so they are not doing a good enough job of protecting our important data, so let’s go with a competitor who has not been compromised. The fallacy in this argument is the assumption that because a competing business has not had a security incident, it must therefore be more secure. The reality is that, yes, LastPass was hacked today, but tomorrow it could be some other major password manager company. You will not necessarily be any safer by moving to a competing password manager, as they may very well be the next target.
By the reverse logic, it may in fact be better for a LastPass customer to stay with LastPass at this time. They reacted with transparency and initiated an incident response as soon as they learned of the compromise. They provided prompt notification of what happened and of the steps that they took to address the incident, and they implemented countermeasures. That is what we should expect from any business that suffers a security incident.
Now, with that said, from an end-user perspective, LastPass customers should change their master passwords as a precautionary measure, even though LastPass claims that this information was not compromised. All in all, however, it was not as bad as it could have been. In fact, if you are a customer of LastPass, it may be better now to stay with them, because heightened security measures are being put in place and they have every incentive to prevent another incident. And, going back to what I said previously, moving to a competitor may not necessarily make you safer, as they may be next on the hacker’s list.
Should we just give up on password managers altogether? Having unique, complex passwords at every portal or other resource that you access is far more practical with a password manager than trying to keep track of them manually. If you go the manual route, you will tend to simplify your passwords and/or reuse the same passwords at multiple sites, and to change them less often or not at all, making you much less secure. Yes, there is risk in using a password manager. And if the password manager company that you use is not transparent with you, does not implement best-practice security measures, and is generally unresponsive or slow to respond to incidents, then by all means move to another password manager company. But I do recommend that you use a password manager.
Business owners in particular should make a point of using password managers, not only for themselves but for all employees, especially those accessing critical information. Proper password management, combined with multifactor authentication, is an important part of a cybersecurity strategy for a business. Just remember, there are three types of businesses: those that have been hacked, those that will be hacked, and those that have been hacked and don’t know it yet. Proper preparation is key to weathering the cyberattack storm. If you would like to learn more, let’s have a conversation.