A coworker emailed me that my favorite password manager service, LastPass, was just hacked. I read through the alert and followed the instructions to change my master password. At first blush, this is bad news. A company whose primary job is to protect access to every account I have was hacked. Even if they _say_ nothing was stolen: Oh crap.
But, after a little reflection, I realized this is still better than no password manager or even rolling my own. First, I do take them at their word that no credentials are ever stored on their servers unencrypted, and that the encryption used is secure. The only way that somebody can steal my passwords would be to download my encrypted passwords and know my master password. If you want my bank login so bad that you'd hack LastPass and then torture me to give up the master password, you must be looking at different bank statements than me.
More importantly, though, LastPass is monitoring proactively and doing the right thing when they detect anomalies. That to me is way more than any paper or home-rolled service can provide. If you are not using a password manager, you are likely either writing them down on paper or using the same ones everywhere. The latter is instant hacksville. The former is as secure as what you are writing them on. Do you have staff monitoring the post-it notes you write your passwords on? Do they notify you when something remotely suspicious happens related to your passwords?
No, I still enjoy the bliss of generating random passwords that even I don't know, and letting LastPass ensure they are relatively safe.
That said, there are some things LastPass could do better: Notification for me came through reading a blog post three days after the hack. I would have liked earlier notification and to have had it in the LastPass app as well as email.
So, if you are not using LastPass (or _some_ password manager), don't be scared off by recent events. If you are, change your passwords and move on.