I’ve been asked a lot of questions about password managers, especially due to the LastPass hack that started in 2022 and was fully disclosed in 2023. Before getting too far into this, let me be clear that I’m still pro password manager. Password managers, while not spelled out in the original Greek, are most certainly part of the way, the truth, and the life in John 14:6.

LastPass was not compromised because they had poorly written code or because their product was inferior. LastPass was compromised because a software engineer was tricked into giving access to his personal computer to the bad actors. The software engineer used his personal computer to access sensitive LastPass data as it was part of his job. Once the bad actors had access to the computer, they were able to steal encrypted backups of LastPass user’s password vaults.  

While there are a lot of things the LastPass employee should have done differently, it is important to note that LastPass was not breached because a hacker was able to get in through their defenses or bad code. The data breach happened due to human error.

Incidents like this are one reason some are against cloud-based password managers. However, it is important to recognize that human error is everywhere, in cloud-based systems and in non-cloud-based options. Whether your password data is stored in the cloud, or in an encrypted file that only exists on your local computer, human error can make both equally vulnerable. Regardless of which password manager option you choose, it is important that you choose one.

Whether or not you leave LastPass is not so much an issue of the data breach but more an issue of whether you set up your LastPass account properly. Remember, the grass isn’t always greener. If your master password is St@rTrekRules1 then you’re in trouble as that can be brute forced in a short amount of time. The bad actors require your LastPass master password to gain access to the backup of your password vault they stole. LastPass encourages strong passwords, if you failed to follow their recommendation then the issue is not leaving LastPass, the issue is changing all of your passwords as the bad guys can easily figure out your master password.

If your master password was setup to LastPass recommendations, you’re fine. It will take decades to crack your master password and odds are the bad actors won’t spend that much time on it as they are looking for quick returns.

But wait! The bad guys still have my encrypted data! True, and while unsettling, if you leave LastPass for another cloud-based password manager, what’s to prevent one of their engineers from falling for the same trick. Remember, this was human error. Even a password manager you host yourself is subject to security tricks and must be setup properly. For the most part, it comes down to a matter of preference.

Using a password manager is important and the LastPass breach reinforces the need to use a password manager properly, both individually and corporately.