You are happy, you feel safe, and you don’t need to remember all your passwords because they are stored securely in a password manager. You are confident that your online passwords are secure because you trust the password manager company: it is widely used by many businesses and is reputable. But what happens if your master password is hacked?
Although you can rely on a password manager to store your credentials, if you are not careful in securing the master password, the risk of your accounts being hacked is still there. At worst, if a malicious actor can open your password manager’s vault using your master password, they can access and steal everything stored inside it.
What can hackers access if they have your master password?
If hackers obtain your master password, they can do the following:
- Decrypt your vault: the hacker can gain access to your vault because your master password is the key to unlock the vault.
- Steal all your information: the hacker can steal all information stored inside the vault (usernames, passwords, credit card info, banking info, private notes etc.)
This is a very serious situation. That’s why your master password needs to be exceptionally strong, unique, and never used anywhere else.
How to mitigate/minimize the risk
As there are two parties involved in the operation of a password manager, i.e., the password manager company as the provider and you as the user, both parties take part in preventing and mitigating the risk of your master password being hacked by bad actors.
- Password manager company: most reputable password manager companies use a zero-knowledge security model when designing their password managers. This means the company never knows your master password and cannot access your encrypted data, because your data is encrypted on your device with a key derived from the master password before it is sent to the company’s servers. If for whatever reason the company’s servers are compromised, the hackers will find the data unreadable because it is encrypted.
- You as a user: you need to set a strong and complex master password, at least 12 characters long, combining letters, numbers and special characters. And, most importantly, you need to enable Two-Factor Authentication (2FA) on your password manager. If you enable it, a hacker will not be able to access your vault even if they steal your master password: without the second authentication factor, such as a security code generated by an authenticator app, a push notification, a code sent through SMS/email or a biometric scan, access to your password manager will be denied. Enabling 2FA is a non-negotiable practice for safely using your password manager.
What should you do immediately if you think your master password has been hacked?
Well, it is not the end of the world. However, if you suspect your master password is compromised, you need to act fast and immediately:
- Change your master password: change it to a new password that is complex, long and has never been used before. Do this as soon as possible, on a trusted device.
- Reconfigure 2FA: remove the existing 2FA method in your password manager’s account settings and register a fresh one.
- Change your critical passwords: change the passwords of your critical and sensitive accounts, such as your banking account, to protect them from being hacked. Once a hacker unlocks your vault with your master password, practically all the account information inside it (such as your banking password) is compromised.
- Monitor your accounts: keep an eye on your accounts, financial or not, and check for any suspicious or unauthorized activity or transactions.
How to protect your master password (best practices)
Below are best practices that protect the contents of your password manager vault even in the worst case, where your master password is stolen or hacked.
- Choose a strong master password: use at least 16 characters combining upper- and lower-case letters, numbers and special characters. Ideally, use a passphrase (a nonsensical sentence made of unrelated words, such as “8OrangeDogsFlyInTandem&FallintoLake9!”) that you can remember.
- Don’t use the master password for other accounts: if another account is compromised and the hacker retrieves its password, your password manager is at risk of being hacked too.
- Enable 2FA: turn on 2FA for your password manager using a third-party authenticator app like Microsoft Authenticator or Authy. Avoid less secure 2FA methods such as SMS or email-based codes. Even if your master password is stolen, the thief cannot access your vault without the security code from your other device.
- Protect your device: use a PIN or, ideally, a biometric factor (fingerprint or face ID) to unlock your device. Even if your master password is compromised and your device is stolen, the thief cannot easily unlock the device to obtain the security code, especially if it is locked with a biometric factor.
- Set up a recovery option: many password managers let you create a master password recovery key (or kit) to use if you forget your master password. Keep it in a safe place.
Summary
A password manager is an app that securely stores your sensitive and important information, such as your passwords. It is also convenient, because you don’t need to remember all your passwords: all you need to remember is your master password.
Because of this, your master password becomes a single point of failure. If your master password is stolen, all the confidential information inside your vault can be stolen. To protect against this, you need to create a strong, complex, unique and never-before-used master password, and you need to enable the 2FA feature on your password manager. Of course, you also need to keep your master password safe: don’t write it down on paper or expose it to others.
Even if your master password is compromised, it is not the end of the world. By following the best practices above, you can still protect your accounts.