What Does It Mean When a Password Manager Gets Hacked?

You trust password managers with the keys to your kingdom.

On Monday password management company LastPass announced that it detected a breach on its network last week, and that credentials like account email addresses and password reminders were compromised. The company said that its customers’ encrypted passwords were not affected.

Though the hack doesn’t seem to fundamentally undermine what LastPass does, it’s concerning: Password managers are touted as an important consumer-friendly component of strong individual cybersecurity (including by Slate). The LastPass incident puts everyone on warning, though, that no solution is perfect.

The company says it will prompt users to change their master password (the strong sequence that all the other passwords sit behind). “We are confident that our encryption measures are sufficient to protect the vast majority of users,” CEO and co-founder Joe Siegrist wrote in the announcement.

John Zurawski, the vice president of multi-factor identity authentication company Authentify (now owned by security company Early Warning) said in an email statement that it’s problematic for hackers to have obtained both email addresses and password reminders, because these two pieces of information are often enough to learn the types of passwords a user relies on (a concern echoed by others, like Columbia computer science researcher Steve Bellovin in Krebs on Security).

Zurawski says it sounds like LastPass offers numerous solid options for multi-factor user authentication, “but they are just that—options. Most end users are not security professionals. They won’t automatically choose extra security because they don’t understand the danger at a deep enough level.”

Previous research into Web-based password managers like LastPass has revealed vulnerabilites and problems. The 2014 University of California, Berkeley paper, “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers” discussed flaws in five popular services, including LastPass. The company acknowledged and patched the specific issue the researchers found with its service.

But computer scientist Zhiwei Li, who led the research and recently presented it at the RSA security conference in April, says that LastPass’s most recent revelation fits in with his findings. “I have to say I’m not surprised, given the vulnerabilities I discovered in my research,” he told Slate in an email. “The security quality of password managers is reasonably good … [but] security design/implementation is hard to make right.”

Li says that his personal approach to password management is to create a word-processing document that lists his credentials and then manually encrypt it with a strong key. “I’m sure that’s not perfect, but at least it falls within my comfort zone,” he said.

So should you use a password manager? The LastPass breach underscores both how important personal security decisions are, and how difficult it is for laypeople to weigh risks and benefits. Li says that consumers have to “make a good tradeoff between usability and security that works for them.” It’s hard to know who trust.