How to Choose the Best Password Manager After Recent Security Breaches

If you’re serious about your digital security, you need a password manager. But not all password managers are created equal, as users of LastPass painfully discovered when their supposedly secure password vaults were compromised, leading to massive cryptocurrency theft. Let’s talk about what makes the best password manager and what you need to know before choosing one.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/

Recent Password Manager Security Incidents

The FBI recently confirmed that the LastPass breach from 2022 has now been linked to approximately $150 million in cryptocurrency theft. This wasn’t random—hackers specifically targeted crypto wallets by cracking password vaults stolen during the breach.

How did this happen? In 2022, attackers got into LastPass by compromising an employee’s personal device through a Plex server. Once inside, they accessed LastPass’s storage systems and copied the encrypted password vaults of users. While these vaults were encrypted, there was a critical problem: older vaults used weaker encryption with fewer iterations, making them more vulnerable to cracking attempts.

According to security researcher Brian Krebs, an older LastPass vault with average password complexity could be cracked in about a year for approximately $7,500 using a single GPU. Given that the breach happened over two years ago, that’s plenty of time for determined attackers to break in.

Key Security Features to Look for in the Best Password Manager

When choosing the best password manager, most comparison articles focus on features like automatic filling, cross-device syncing, and password generation. While these are important, the LastPass incident shows we need to dig deeper into security fundamentals:

1. Encryption Strength and Iterations

The first thing you should ask any password manager company is: how do you protect the vault itself? Look for information about:

  • The encryption algorithm used
  • The number of iterations applied to your master password

More iterations mean better security because they make cracking attempts exponentially harder. The best password manager services have upgraded their algorithms over time and migrated older vaults to newer standards—something LastPass apparently failed to do for long-time customers.
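The two questions above (which algorithm, how many iterations) map directly onto code. As an added example, not taken from the post or from any vendor's product, here is a minimal vault-key scheme built on PBKDF2-HMAC-SHA256 with a "needs upgrade" check and a migration step of the kind the post says good providers run. The iteration counts, the `VaultHeader` layout and the verifier construction are this example's own assumptions, not any real password manager's parameters.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: a weak legacy count and a current floor.
# They are NOT any vendor's actual settings.
LEGACY_ITERATIONS = 5_000
CURRENT_ITERATIONS = 600_000


@dataclass(frozen=True)
class VaultHeader:
    """Metadata stored next to an encrypted vault: how the vault key was derived."""
    salt: bytes
    iterations: int
    # HMAC over a fixed label under the derived key: lets us confirm a password
    # without ever storing the key or the password.
    verifier: bytes


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_verifier(key: bytes) -> bytes:
    return hmac.new(key, b"vault-key-verifier", "sha256").digest()


def create_vault(master_password: str, iterations: int = CURRENT_ITERATIONS) -> VaultHeader:
    """New vault: fresh random salt and the current iteration count."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return VaultHeader(salt=salt, iterations=iterations, verifier=make_verifier(key))


def unlock(header: VaultHeader, master_password: str) -> Optional[bytes]:
    """Return the vault key if the password is right, otherwise None (constant-time compare)."""
    key = derive_vault_key(master_password, header.salt, header.iterations)
    if hmac.compare_digest(make_verifier(key), header.verifier):
        return key
    return None


def needs_upgrade(header: VaultHeader, minimum: int = CURRENT_ITERATIONS) -> bool:
    """The check a provider (or an auditing user) should run: is this vault below the current floor?"""
    return header.iterations < minimum


def migrate(header: VaultHeader, master_password: str,
            iterations: int = CURRENT_ITERATIONS) -> VaultHeader:
    """Re-derive under current parameters.

    This needs the master password, so it can only run while the user is logged in;
    a provider that never forces it leaves long-time customers on the old settings.
    """
    if unlock(header, master_password) is None:
        raise ValueError("wrong master password; cannot migrate")
    # A real migration would also re-encrypt the vault contents under the new key.
    return create_vault(master_password, iterations)


def relative_cracking_cost(old_iterations: int, new_iterations: int) -> float:
    """Each guess costs an attacker one full PBKDF2 run, so work per guess scales with the count."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    legacy = create_vault(pw, LEGACY_ITERATIONS)
    print("legacy vault needs upgrade:", needs_upgrade(legacy))
    upgraded = migrate(legacy, pw)
    print("upgraded vault needs upgrade:", needs_upgrade(upgraded))
    print("attacker work per guess, new vs old:",
          relative_cracking_cost(LEGACY_ITERATIONS, CURRENT_ITERATIONS))
```

The header stores the salt and iteration count in the clear, which is normal: their job is to make every guess expensive, not to be secret. That is also why a stolen copy of the vault is only as strong as the count it was created with, and why `needs_upgrade` should be run on every login rather than only for new accounts.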

2. Multi-Factor Authentication (MFA)

Your password manager holds the keys to your digital kingdom, so protecting access to it is critical. The best password manager solutions will offer strong MFA options:

  • Authenticator apps (Google Authenticator, Authy)
  • Hardware security keys (YubiKey)
  • Biometric authentication

What you should absolutely avoid is SMS-based verification. It’s vulnerable to SIM swapping and other attacks. Email verification isn’t much better.

3. Passkey Support

Passkeys represent the future of authentication, and the best password manager services are already supporting them. Passkeys eliminate many traditional password vulnerabilities by using public key cryptography.

4. Complete Vault Encryption

Make sure your password manager encrypts ALL data in your vault, not just passwords. One password manager (1Password) was previously criticized for not encrypting certain user data, which could potentially be used in social engineering attacks.

Protecting Cryptocurrency with Your Password Manager

If you store cryptocurrency, you need extra precautions beyond even the best password manager:

  1. Use the optional BIP 39 passphrase for your crypto wallets, which adds an extra passphrase on top of your seed phrase
  2. If you were a LastPass user during the breach, transfer your crypto to new wallets immediately
  3. Consider keeping your most sensitive recovery phrases in a separate, offline solution
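Step 1 above is worth seeing in code, because it shows exactly what the extra passphrase buys you. The following is an added example, not from the post: the BIP 39 seed derivation (PBKDF2-HMAC-SHA512, 2048 rounds, salt `"mnemonic" + passphrase`) run on the specification's published test vector, demonstrating that the same twelve words with a different passphrase produce an unrelated wallet seed. The helper names are this example's own; the mnemonic and passphrase are the reference test values, not anyone's real wallet.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP 39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    Both inputs are NFKD-normalized and the salt is "mnemonic" + passphrase,
    exactly as the specification defines. An empty passphrase is the default
    most wallets use, which is why a leaked seed phrase alone is fatal.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt, 2048, dklen=64)


def seed_fingerprint(seed: bytes) -> str:
    """Short, non-secret identifier so two derived seeds can be compared without printing them."""
    return hashlib.sha256(seed).hexdigest()[:8]


def passphrase_changes_wallet(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True when the two passphrases yield different seeds (and therefore different wallets)."""
    return bip39_seed(mnemonic, passphrase_a) != bip39_seed(mnemonic, passphrase_b)


# Reference vector from the BIP 39 test set: eleven "abandon" words followed by "about".
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
TEST_PASSPHRASE = "TREZOR"


if __name__ == "__main__":
    bare = bip39_seed(TEST_MNEMONIC)
    protected = bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("seed phrase only      :", seed_fingerprint(bare))
    print("seed phrase+passphrase:", seed_fingerprint(protected))
    print("different wallets:", passphrase_changes_wallet(TEST_MNEMONIC, "", TEST_PASSPHRASE))
```

Because the passphrase is never encoded in the twelve words, someone holding only the seed phrase recovers an empty wallet. That is the reason for keeping the passphrase and the seed phrase apart, as step 3 suggests, rather than storing both in the same vault entry.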

The Bottom Line on Password Managers

Despite the LastPass breach, using a password manager is still far safer than not using one. What matters is choosing the best password manager with robust security practices and properly configuring it.

When you select a password manager, don’t just look at the fancy features—ask hard questions about their security architecture, check if they’ve had breaches before and how they responded, and make sure they’re regularly updating their encryption standards.

Remember: a 15-character password and a 40-character password take the same effort for a password manager to fill in. So always use the maximum length and complexity the site will allow. Your future self will thank you when you don’t become another data breach statistic.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.