There are those who will see the latest LastPass hack as a vindication of their view that online password managers are a disaster waiting to happen. Frankly, despite some of the hyperbolic headlines, I believe the concept is still sound.
Here’s why:
First, it is nearly impossible for any particular user to manage their internet presence without a password manager. If you generate credentials any other way, reusing usernames and passwords becomes almost inevitable, and reuse of easily remembered passwords is a far greater vulnerability than a breach of the manager itself. LastPass has a good reputation for fixing its mistakes and continuing to work hard to safeguard user data, so in the end, a service like LastPass is still the way to go.
Second, the way LastPass protects the most important asset we entrust to them, the usernames and passwords to other sites, is still fundamentally sound. Each user's data is encrypted separately, so even if hackers manage to break the encryption on any individual set of user data, that likely does not give them access to everyone's data.
Third, like most reputable web services, LastPass allows for additional safeguards such as multifactor authentication to further increase security. Using LastPass at its highest security setting is still a safer bet than using the same username and password over and over.
Granted, the damage could still be more severe than LastPass currently knows, but my view right now is that it is not and the service is still safe. If it proves to be otherwise, we'll have to dig into alternatives.
DLH