Why You Should Still Use a Password Management System, Even if You Heard One Was ‘Hacked’


This post is part of the series, SmallBusiness.com Guide to Business Computer and Tech Security: Advice, alerts and information about digital security threats faced by small businesses.

Yesterday, the password management system LastPass notified its users that it had “discovered and blocked suspicious activity” on its service. This post reviews what happened and encourages people to continue using password management services.

In a previous article that provided advice encouraging the use of password management services, we included this caveat:

“There is a major drawback—if someone hacks into your password management app, all of that information is free for the taking. Most of these applications are fairly safe from remote hacking attempts, but that doesn’t account for a computer infected with malware (think key logger) or someone who has had their computer stolen.”

On Monday, June 15, 2015, one of the password management services we mentioned in that earlier post, LastPass, notified its users that it had “discovered and blocked suspicious activity” on its service. While the service indicated that no passwords or “encrypted user vault data” were taken, it did report that email addresses used to send out password reminders were compromised.

As can be expected, online coverage of the breach tended to be shrill and to suggest that every user’s passwords to everything had been stolen. That was not the case.

A simple overview of what happened: The core service provided by LastPass was not compromised. However, criminal hackers were able to obtain email addresses that could potentially be used in attempts to trick users into handing over their master passwords. The most obvious strategy would be sending users an email that appears to come from LastPass (phishing) and asks for the master password, encouraging them to give sensitive data like passwords to someone posing as a representative of the company.

Why using a password management service is still wise

While LastPass failed to prevent a breach of its system, the hack did provide an opportunity to again explain how a password management service is different from other methods. The most important difference is that a user’s “master password” is not stored by the service. It is stored on the user’s device. Because the service never holds the master password, the encrypted vault data it does hold cannot be opened with what sits on its servers; obtaining access to user “password vaults” would require a much higher degree of sophistication.
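To make the distinction concrete, here is an added example (not code from LastPass or from the original article) of the client-side model just described: the master password never leaves the device, the key that encrypts the vault is derived from it locally, and the service stores only an encrypted blob plus a slow hash it can check without learning the password. The iteration counts, the "login hash" construction and the HMAC-based toy cipher are assumptions made for illustration, not any vendor's actual scheme; a real product would use a standard authenticated cipher.

```python
import hashlib
import hmac
import os

# Constructed, illustrative model (not LastPass's actual scheme): everything
# secret is derived on the user's device; the server keeps only ciphertext
# and a slow hash it can verify without ever seeing the master password.
CLIENT_ROUNDS = 100_000   # assumed PBKDF2 iteration count on the device
SERVER_ROUNDS = 100_000   # assumed extra hashing the server applies before storing


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Computed on the device; never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), CLIENT_ROUNDS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one more one-way step over the vault key,
    so a captured login hash does not give back the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC counter-mode keystream, for illustration only (use a real AEAD in practice)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; a wrong key or tampering fails closed."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(vault_key, nonce, len(ciphertext))))


def server_store(email: str, login_hash: bytes, vault_blob: bytes) -> dict:
    """Record kept by the service. Note what is absent: the master password and the vault key."""
    salt = os.urandom(16)
    return {
        "email": email,
        "salt": salt,
        "login_hash_stored": hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS),
        "vault_blob": vault_blob,
    }


def server_check_login(record: dict, login_hash: bytes) -> bool:
    """Server-side check: re-hash what the client sent and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["login_hash_stored"])


def client_register(master_password: str, email: str, vault_plaintext: bytes) -> dict:
    """Everything derived here happens on the device; only the result is handed to the server."""
    key = derive_vault_key(master_password, email)
    return server_store(email, derive_login_hash(key, master_password),
                        encrypt_vault(key, vault_plaintext))


def client_open_vault(record: dict, master_password: str, email: str):
    """Returns the decrypted vault, or None if the service rejects the login."""
    key = derive_vault_key(master_password, email)
    if not server_check_login(record, derive_login_hash(key, master_password)):
        return None
    return decrypt_vault(key, record["vault_blob"])


def record_contains(record: dict, secret: bytes) -> bool:
    """Does the service-side record expose this secret in plain form anywhere?"""
    return any(secret in value for value in record.values() if isinstance(value, bytes))


if __name__ == "__main__":
    # Constructed sample user and vault content.
    rec = client_register("correct horse battery staple", "owner@example.com", b"bank.example: hunter2")
    print(client_open_vault(rec, "correct horse battery staple", "owner@example.com"))
    print(client_open_vault(rec, "wrong guess", "owner@example.com"))
```

The point to take from the record built by `server_store` is what it lacks: an attacker who copies the whole server-side record holds an email address, a salt, a slow hash and an encrypted blob, none of which yields the master password or the vault key without guessing the master password itself. The model offers no protection, however, once a user types the master password into a phishing page, which is exactly why the advice at the end of this post matters.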

The way in which password management services are still not 100 percent hacker-proof

Password management services help prevent two major security problems. They provide a way to avoid using the same password on multiple accounts. They provide the means to use longer, more complex passwords that are harder to guess.

When a user has dozens of accounts that require passwords, the temptation to use the same password on multiple accounts is hard to pass up. But nothing is 100 percent. Not even the most secret information about federal employees can be protected. Adding levels of difficulty for the hacker to deal with can encourage the hacker to move on to someone else’s less secure data.

Protect your master password

From LastPass comes this advice that is true for any password service: “Never, ever disclose your master password or any confidential information, even to someone claiming to work for (the service).” Also, if you don’t already understand and use “two-step verification” on your most sensitive accounts, see “What is Two-Step Verification and Why You Should Start Using Them.”