How Safe Are Password Management Systems?
What safeguards do LastPass and Dashlane use?
Q: I've been hesitant to use a password management service like LastPass or Dashlane because if it is hacked then all of my accounts would be compromised. How safe are they to use, and what safeguards do they have?
A: Before I answer your question, let me tell you what the least secure way to store your passwords is: any method that does not involve a secure password management system. It is humanly impossible to remember a separate password for every website you use, yet that is exactly what you need to do to protect your online accounts. If you use the same password on any two websites, you are already trusting that password to every site where you log in. For instance, if you use the same password for your bank, Facebook, your email account, and the blogs and forums you leave comments on, you are trusting all of them with access to all of your other sites. If any one of them gets hacked and your password is exposed, that password will be tried against all of your other accounts, and as soon as one account is broken into, hackers can and will use it to get into every other online account you have. Don't believe me? Ask Mat Honan. That is why it is so important to have a separate password for every online account. You should also turn on two-step authentication on every account that offers it, but that is a separate conversation for another day.
LastPass and Dashlane both provide an incredible service: remembering the dozens upon dozens of passwords and logins that people have to use every day. Both have browser plugins for Internet Explorer, Chrome, Firefox and Safari that fill in your passwords for you as you browse the web. Both also have apps for iOS and Android, so your passwords are always within arm's reach.
Both LastPass and Dashlane encrypt your vault with AES-256, the same cipher banks use to keep account information safe. On top of that, the already encrypted vault travels over an SSL connection, so it is protected a second time while it crosses the Internet. Most importantly, your master password never leaves your device: the key that unlocks the vault is derived from the master password on your own computer or phone, and neither company stores the password or the key on its servers. What does all this mean to you? It means that if someone manages to break into Dashlane's or LastPass's database, they will be the proud owner of useless gibberish. To turn that gibberish back into your passwords they would have to guess your master password, and the key derivation is deliberately slow so that every guess costs real computing time. With a long, unique master password that is a job measured in years, which leaves you plenty of time to change your passwords. With a short or reused master password it could be a matter of hours, so choose your master password carefully; it is the one password you still have to remember.
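To make the previous paragraph concrete, here is an added example (written for this article, not code from LastPass or Dashlane, whose real implementations differ in detail) of the client-side design it describes. The master password is turned into a 256-bit key with PBKDF2-HMAC-SHA256, the vault is encrypted and authenticated with that key, and the server only ever holds the salt, the iteration count and the ciphertext. Because Python's standard library has no AES, the encryption step uses HMAC-SHA256 in counter mode as a stand-in keystream; the products use AES-256 for that step. The iteration count, the sample vault contents and the attacker's guess list are all constructed for the illustration. The `offline_guess` function is the stolen-database scenario from the question: the attacker must pay the full key-derivation cost for every master-password guess, which is why a weak master password falls quickly and a strong one does not.

```python
import hashlib
import hmac
import secrets
import struct

# Illustrative parameters, not the products' actual settings.
KDF_ITERATIONS = 100_000  # PBKDF2 rounds; each attacker guess costs this many HMAC calls
KEY_LEN = 32              # 256-bit key, the AES-256 key size mentioned in the article


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive the vault key from the master password on the client.
    Only the salt and iteration count are stored server-side; the password never is."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for AES used only because the
    standard library ships no block cipher. Output is unpredictable without the key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout of the stored blob: nonce || ciphertext || tag.
    This blob is what a server database breach would hand the attacker."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def offline_guess(blob: bytes, salt: bytes, iterations: int, candidates):
    """The attacker's view after stealing the database: try master-password guesses,
    paying the full KDF cost each time. Returns the winning guess or None."""
    for guess in candidates:
        try:
            decrypt_vault(derive_key(guess, salt, iterations), blob)
            return guess
        except ValueError:
            continue
    return None


def attack_seconds(num_guesses: int, iterations: int, hashes_per_second: float) -> float:
    """Rough cost of an offline attack: every guess costs `iterations` HMAC-SHA256 calls.
    Raising iterations or choosing a password with more guesses both scale this number."""
    return num_guesses * iterations / hashes_per_second


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    vault = b"bank: hunter2\nemail: Tr0ub4dor&3\n"      # constructed sample vault
    guesses = ["password", "123456", "letmein", "qwerty"]  # constructed attacker wordlist

    weak_blob = encrypt_vault(derive_key("letmein", salt), vault)
    print("weak master password recovered:", offline_guess(weak_blob, salt, KDF_ITERATIONS, guesses))

    strong_blob = encrypt_vault(derive_key("correct horse battery staple 7!", salt), vault)
    print("strong master password recovered:", offline_guess(strong_blob, salt, KDF_ITERATIONS, guesses))

    # A million guesses against a GPU doing a billion HMAC-SHA256 per second:
    print("seconds for 1e6 guesses:", attack_seconds(1_000_000, KDF_ITERATIONS, 1e9))
```

Note that the authentication tag also rejects a vault that has been tampered with, so an attacker who can edit the stolen database cannot quietly swap in a ciphertext of their choosing. The real levers for the user are the ones visible in `attack_seconds`: the product controls the iteration count, but only you control how many guesses your master password forces.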
Here's something else to think about: LastPass and Dashlane are in the business of managing sensitive information and have reputations to uphold. If their servers are hacked, they will notify their customers as soon as possible so that you can take action and change your passwords. They know that if they don't, they will lose their customers' trust, and with it their businesses. On the other hand, the website where you just replied to someone's political tirade does not care about your security, and probably won't let you know that its username and password table was stolen. Even if it notices the breach, it won't tell you that the table wasn't encrypted and the hackers now have your email address and password. So, who should you trust? The folks whose reputation is on the line and who have proven they know how to protect your information.