Finding out your password manager has been breached can send a chill down the spine.
For instance, many LastPass users scrambled in December 2022 when the company disclosed that, following a series of intrusions earlier that year, attackers had copied backups of customer vault data.
What should you do if your password manager is breached? Does this mean all your passwords are out there being sold on the Dark Web?
Generally, no. A well-designed password manager encrypts your vault on your own device with a key derived from your master password, so what an attacker can steal from the company is ciphertext. To read it, they have to guess your master password one candidate at a time, and every guess runs through a deliberately slow key-derivation function. If your master password is long and unique, the stolen data is of little use to them; if it is short or reused somewhere else, it may not be.
But you should act when you find out about any breach, because the severity of the situation might not be clear at the outset. Here’s what we recommend you do as soon as you find out about a password manager hack.
What to do right now
If you are notified that your password manager has been the victim of a breach or hacking, you should act fast to ensure your password vault remains locked tight. Quality password managers have features that are meant to keep your passwords safe even if the company is breached, but it is always best to take precautions.
For most people
If the vendor of your password manager is attacked, any reputable vendor will alert you to the issue and tell you what to do to minimize your risk.
Generally, we recommend changing your master password after a vendor breach. Be clear about what that does and does not do: a new master password protects your account and every copy of your vault made from now on, but it cannot re-encrypt a copy that was already stolen. If the vendor says vault data was taken, also change the passwords stored inside the vault, starting with email, banking and anything else that can be used to reset other accounts. Here is how to make a heroic master password:
- 14 characters long: We recommend that your master password be at least 14 characters long, which is longer than the 12-character passwords we usually recommend. A passphrase of several unrelated words is an easy way to get there. It should be something you can remember but cannot be easily guessed. The extra characters are worth it because this is the password that protects all your other passwords.
- Letters, numbers, and symbols: Use a mix of letters (both uppercase and lowercase), numbers, and symbols (like $, &, and =) in your master password, and never use it for any other account.
- Enable multi-factor authentication: Turning on multi-factor authentication, or MFA, adds another check when you sign in to your account. With many password managers, MFA takes the form of a code from a standalone authenticator app, or the password manager will text an authentication code to your phone; the app is the better choice where it is offered. Keep in mind that MFA guards the login to the vendor's service, not the encrypted vault itself, so it does not replace a strong master password.
For businesses and organizations
If your password manager vendor announces that it has been breached, treat it as an incident: have your security team assess what was exposed, follow your incident response procedures, and make sure the resulting instructions reach all your employees!
If you have a password manager but don’t have any dedicated security professionals, follow the advice we outlined for individuals.
How good password managers keep your passwords safe
Here are some ways quality password managers keep your passwords locked down, even if the company itself is breached in some way. Look for these features when you are comparing your options.
- Encryption: Quality password managers encrypt the vault on your device before anything is stored or synced, so both the copy on your device and the copy on the company's servers are ciphertext. Decrypting it requires the key derived from your master password, which should be known by only one person: you. How hard the stolen ciphertext is to crack depends on the strength of that master password and on how many iterations the key-derivation function uses; check that your manager uses a current setting rather than a years-old default.
- Zero knowledge: As the name suggests, zero knowledge means the company does not know what your passwords are. The key that unlocks your vault is derived from your master password on your device, and neither the master password nor that key is ever sent to the company's servers. Since you are the only one who has it, make it strong and protect your account with MFA.
- Multi-factor authentication: Because your password vault is so valuable, the best password managers offer multi-factor authentication for logging in. Anyone trying to reach your vault from an unfamiliar device will need to prove their identity more than one way: a facial ID, a fingerprint scan, a code from an authenticator app or an SMS message, or approving the sign-in on a separate app. This stops an attacker who has only learned your master password from logging in as you. It does not encrypt the vault, so it is a wall around the service, not around a copy of the data that has already been stolen. Always enable MFA for your password manager!
- More multi-factor authentication: You've got it on your password manager, but don't stop there. Enable it on every account you have that offers it, like financial accounts, email and social media.
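To make the encryption and zero-knowledge points above concrete, here is an added example written for this article (it is not the article's own code, nor any vendor's) that models a zero-knowledge vault using only Python's standard library. The 600,000 PBKDF2 iterations are an assumed vendor setting, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AES-GCM a real product would use. It also shows why changing your master password after a breach is not enough on its own: the attacker's offline guessing runs against the stolen copy, which a new master password does not re-encrypt.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, Iterable, Optional, Tuple

# Added example, not code from the article or from any password-manager vendor.
# Real products use AES-GCM (or similar) for the vault; here an HMAC-SHA256
# counter-mode keystream plus an encrypt-then-MAC tag stands in for it so the
# block runs with the standard library alone.
# KDF_ITERATIONS is an assumed vendor setting, not any product's real value.
KDF_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes, bytes]:
    """Client side: stretch the master password into three independent keys.

    enc_key and mac_key never leave the device. auth_key is the login
    credential sent to the server, so the server never sees the master
    password and cannot derive enc_key from what it stores.
    """
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)
    enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"auth", hashlib.sha256).digest()
    return enc_key, mac_key, auth_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream built from HMAC(enc_key, nonce || counter) blocks."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Client side: returns nonce || ciphertext || tag. Only this blob leaves the device."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the keys are wrong (tag check fails)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def enrol(master_password: str, vault_plaintext: bytes, iterations: int = KDF_ITERATIONS) -> Dict[str, Any]:
    """Everything the vendor's server holds for one user: salt, KDF setting,
    a hash of the auth key and the encrypted vault. No master password, no enc_key.
    This dictionary is exactly what a breach of the vendor would expose."""
    salt = os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "auth_hash": hashlib.sha256(auth_key).digest(),
        "vault": encrypt_vault(enc_key, mac_key, vault_plaintext),
    }


def offline_attack(record: Dict[str, Any], candidates: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """What an attacker can do with a stolen record: guess master passwords offline.
    Each guess costs one full KDF run, so total cost is iterations x guesses.
    Nothing here contacts the vendor, so MFA on the account never comes into play."""
    for guess in candidates:
        enc_key, mac_key, _ = derive_keys(guess, record["salt"], record["iterations"])
        plaintext = decrypt_vault(enc_key, mac_key, record["vault"])
        if plaintext is not None:
            return guess, plaintext
    return None


if __name__ == "__main__":
    # Constructed sample data: a small vault and a tiny attacker wordlist.
    vault = b'{"bank": "correct-horse-9", "email": "Tr0ub4dor&3"}'
    wordlist = ["password", "Summer2022!", "letmein", "Winter2022!"]

    stolen = enrol("Summer2022!", vault, iterations=50_000)  # weak master password
    print("weak master password, stolen copy:", offline_attack(stolen, wordlist))

    # Rotating the master password protects the new record, but the copy the
    # attacker already holds still yields to the old guess.
    rotated = enrol("basalt-violin-ladder-7-quarry", vault, iterations=50_000)
    print("rotated record:", offline_attack(rotated, wordlist))
    print("old stolen copy:", offline_attack(stolen, wordlist))
```

Two things to take from running it: the attacker's loop never talks to the vendor, which is why MFA on your account does nothing for a vault that has already been copied, and every guess pays the full iteration count, which is why a master password that is not in any wordlist, combined with a high iteration setting, is what actually protects the stolen copy.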
Why password managers are still a smart choice
When it comes to password manager breaches, don't throw the baby out with the bathwater! Password managers are the best, albeit imperfect, solution for generating, storing, and maintaining strong passwords for each of your many online accounts. They are safer than notebooks, sticky notes, and easy-to-remember passwords. Good password managers help you come up with strong, unique passwords for new accounts in a matter of seconds, and they can flag reused, weak or compromised passwords and help you change them.
Even if a password manager vendor is breached, client-side encryption, zero-knowledge design and MFA keep your stored passwords out of criminals' hands, provided your master password is strong enough to resist offline guessing. Risks remain, but we strongly recommend that you use a password manager.