What happens when your password manager gets hacked?

When we think about preventing cybercrime, we often look to the big IT systems we rely on to keep us safe. But cybercrime prevention is a multi-layered process and sometimes we forget to look at some of the most important baseline protections.


Password management is one of those baseline necessities and many companies have installed password managers to address this security issue. But what happens when your password manager gets hacked? Does that mean all your passwords are now in the hands of cybercriminals?


One password management company, LastPass, announced in December 2022 that it had detected unusual activity within a third-party cloud storage service. The company found that an unauthorized party, using information obtained in its earlier breach that August, had gained access to certain elements of its customers’ information.


But the company also reported, “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”


How is it possible for a password management company to protect its customers’ passwords in spite of experiencing a major breach?


How password managers are structured


In a recent YouTube video, Wes Spencer, VP and Channel Chief at FifthWall Solutions, explained how LastPass and other password managers can protect their customers’ passwords even when their own systems are breached.


According to Spencer, the hacker was unable to access the customers’ passwords because LastPass itself never has access to the actual passwords its users store. He said password managers are specifically designed with this risk in mind. “Password managers use a master password,” Spencer explained. “That master password encrypts all the passwords you use. Which means this: Not even LastPass knows the passwords you have in place.”


Spencer noted that while some companies resist using password managers because it seems like they are putting all their eggs in one basket by relying on a single password, the encryption process password managers use is specifically designed to keep the bad guys from getting at the real passwords.
He further opined that users are far worse off, and far more vulnerable, without a password manager.
“We all have hundreds of usernames and passwords, and the human brain is not wired to remember unique complex passwords for every single one of those sites,” he said. “That is why password reuse is so rampant. We use the same password for everything, and the bad guys know this. If bad guys get access to a password on one site, they are then able to log into the user’s other accounts.”


A password manager removes this problem: it generates a unique, complex password for each site and keeps them all in a database that is encrypted under a key derived from one master password. That master password is the only one the user has to remember, and it never leaves the user’s device; the provider stores only the encrypted database, which is why a breach of the provider does not by itself expose the passwords inside.
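The following is an added example, not code from LastPass or from the video discussed above, showing the split the paragraph describes: the client stretches the master password into a vault key that stays local plus a login verifier for the server, and the server only ever holds the verifier, the salt, the iteration count and the encrypted vault. It also shows what an attacker who steals that server record can still do, namely guess master passwords offline. All function names, the HMAC-SHA256 counter-mode cipher standing in for the AES-256 that real managers use, the 600,000-iteration work factor (OWASP’s current PBKDF2-HMAC-SHA256 recommendation, assumed here) and the sample vault are this example’s own assumptions.

```python
"""Added example: a zero-knowledge password vault in miniature (stdlib only)."""
import hashlib
import hmac
import json
import os
from typing import Optional

HASH = "sha256"
# Assumed work factor: every master-password guess, legitimate or hostile, costs this much.
KDF_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the master password into two secrets.

    vault_key never leaves the client. login_hash is what the server stores to
    authenticate the user; being a one-way function of vault_key, it cannot be
    turned back into the key that decrypts the vault.
    """
    vault_key = hashlib.pbkdf2_hmac(HASH, master_password.encode(), salt, iterations, dklen=32)
    login_hash = hmac.new(vault_key, b"login-verifier", HASH).digest()
    return vault_key, login_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (stand-in for AES)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), HASH).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with separate keys split off vault_key; returns a hex blob."""
    enc_key = hmac.new(vault_key, b"enc", HASH).digest()
    mac_key = hmac.new(vault_key, b"mac", HASH).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, HASH).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unseal(vault_key: bytes, blob: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(vault_key, b"enc", HASH).digest()
    mac_key = hmac.new(vault_key, b"mac", HASH).digest()
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, HASH).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def client_register(master_password: str, entries: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Everything the server ever receives. A breach of the server yields exactly this record."""
    salt = os.urandom(16)
    vault_key, login_hash = derive_keys(master_password, salt, iterations)
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "login_hash": login_hash.hex(),
        "vault": seal(vault_key, json.dumps(entries).encode()),
    }


def client_unlock(master_password: str, record: dict) -> Optional[dict]:
    """Re-derive the key locally and decrypt; None means the master password was wrong."""
    vault_key, _ = derive_keys(master_password, bytes.fromhex(record["salt"]), record["iterations"])
    plaintext = unseal(vault_key, record["vault"])
    return None if plaintext is None else json.loads(plaintext)


def offline_guess(record: dict, candidates: list) -> Optional[str]:
    """What an attacker holding a stolen record can still do: try master passwords.

    Salt and iteration count are in the record, so each guess costs one full
    PBKDF2 run; nothing but the master password's strength limits this attack.
    """
    for guess in candidates:
        if client_unlock(guess, record) is not None:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample vault; not real credentials.
    record = client_register("correct horse battery staple", {"bank.example": "P@ss-1!x"})
    print("server stores:", {k: v for k, v in record.items() if k != "vault"})
    print("right master password:", client_unlock("correct horse battery staple", record))
    print("wrong master password:", client_unlock("password123", record))
    print("offline guessing:", offline_guess(record, ["123456", "password123"]))
```

Note what the record does and does not contain: the site password appears nowhere in it, and no amount of access to the server turns the login verifier back into the vault key. The same record, however, is all an attacker needs to start guessing offline, which is why the iteration count is set high and why the master password itself has to be strong.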


Guard your passwords


Of course, you will have to commit that one master password to memory, as it is the key to every other password you keep for your applications and sites, and you will need to protect it fiercely: do not write it down and leave it near your devices for others to find. Make it long. A passphrase of several unrelated words is easier to remember and far harder to guess than a short string of symbols, and length is what matters when a provider is breached: if an attacker obtains a copy of an encrypted vault, the only thing standing between them and its contents is how many master-password guesses they can afford to make, and the provider’s encryption cannot rescue a weak one. Basic password security also dictates never using the same password from site to site, and this is doubly true for a master password. Never, under any circumstances, use your master password on any other site, in case that site is one day hacked. And if your provider reports that vault data was taken, change the master password and rotate the most important passwords stored inside.


At Premier One, we are dedicated to keeping you up to date on all the latest technological changes that could impact your business. Contact us to learn more about how we can provide your company with the most progressive, efficient and secure IT environment.