Learn how cybercriminals could try to crack your vault and how you can keep your logins safe
13 Nov 2025
The average internet user has an estimated 168 passwords for their personal accounts, according to a study from 2024. That’s a massive 68% increase on the tally four years previously. Given the security risks associated with sharing credentials across accounts, and of using simple-to-guess passwords, most of us need help managing these logins. This is where password managers come in: enabling us to store and recall long, strong and unique passwords for each of our online accounts.
However, this doesn’t mean that these password vaults are a silver bullet or that you should lower your vigilance online. Given that they literally hold the keys to our digital lives, they’ve also become a popular target for cybercriminals. Here are six potential risks and some ideas on how to mitigate them.
6 password manager security concerns
With access to the credentials stored in your password manager, threat actors could hijack your accounts to commit identity fraud, or sell access/passwords to others. That’s why they’re always looking for new ways to target you. Look out for the following:
1. Compromise of your master password
The beauty of password managers is that with a single, memorable password, you can access the vault that stores all of your online credentials. However, the problem with this approach is that, if cybercriminals can get hold of that master password, they gain the same level of access. This could happen via a “brute-force” attack, where they essentially use automated tools to try different passwords repeatedly until they finally hit upon the right one. Other routes are exploiting vulnerabilities in the password manager software, or tricking users with phishing pages, as detailed below.
2. Phishing/scam ads
Threat actors have been known to post malicious ads to Google Search designed to lure victims to fake sites which harvest their email address, master password and secret key (if applicable). The danger with these ads is that they look legitimate and may appear in the search rankings when you Google your password manager. The phishing pages they’re linked to are spoofed to appear as if they are the real deal. For example, a domain may be “the1password[.]com” or “app1password[.]com,” instead of the original “1password.com,” or “appbitwarden[.]com” instead of “bitwarden.com.” If you click through to such a page, you’ll be taken to a legitimate-looking login page designed to steal your all-important password manager logins.
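The lookalike domains quoted above all share one trait: the brand name appears somewhere in the hostname, but the registrable domain is not the vendor’s own. The following check, added here as an illustration and not code from the article or from either vendor, turns that observation into a simple filter a user or help desk could run over links found in ads or emails. The official domain list and brand strings are taken from the examples in this section; the two-label rule for the registrable domain is a simplifying assumption that ignores multi-part public suffixes such as co.uk.

```python
from urllib.parse import urlparse

# Official domains named in the article. A real allowlist would come from the
# vendor's own documentation, not from a hard-coded set.
OFFICIAL_DOMAINS = {"1password.com", "bitwarden.com"}

# Brand strings whose presence in an unfamiliar hostname is suspicious.
BRANDS = ("1password", "bitwarden")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. app.1password.com -> 1password.com.

    Assumption (simplification): no multi-part public suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Classify a URL as 'official', 'lookalike' or 'unrelated'.

    Defanged notation like "example[.]com" (common in reports) is undone before
    parsing so that the hostname can be extracted normally.
    """
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()

    # Only the registrable domain decides legitimacy: subdomains of the
    # vendor's domain are fine, but a brand name inside *another* registrable
    # domain (the1password.com, 1password.com.evil.example) is not.
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    if any(brand in host for brand in BRANDS):
        return "lookalike"
    return "unrelated"


def flag_lookalikes(urls):
    """Return the subset of urls that impersonate a password manager vendor."""
    return [u for u in urls if classify_url(u) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample: the three spoofed domains from the article plus
    # legitimate and unrelated links for contrast.
    sample_links = [
        "https://the1password[.]com/login",
        "app1password[.]com",
        "https://appbitwarden[.]com/signin",
        "https://1password.com",
        "https://vault.bitwarden.com/#/login",
        "https://1password.com.evil.example/",   # constructed: brand as a subdomain
        "https://example.com",
    ]
    for link in sample_links:
        print(f"{classify_url(link):10} {link}")
```

The important design point is that the decision is made on the registrable domain, not on whether the brand string appears anywhere: `vault.bitwarden.com` is legitimate because its registrable domain is `bitwarden.com`, while `1password.com.evil.example` is not, even though it starts with the real domain name. Search-ad links in particular are worth pasting through a check like this before typing a master password.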
3. Password-stealing malware
Cybercriminals are nothing if not resourceful. Such are the riches on offer that some have gone to the trouble of developing malware to steal credentials from victims’ password managers. ESET researchers recently spotted one such attempt by a North Korean state-sponsored campaign dubbed “DeceptiveDevelopment.” They found that the “InvisibleFerret” malware featured a backdoor command capable of exfiltrating data from both browser extensions and password managers via Telegram and FTP. Among the password managers targeted were 1Password and Dashlane.
In this particular case, the malware was hidden in files downloaded by the victim as part of an elaborate fake job interview process. But there’s no reason why malicious code with similar properties couldn’t be spread in other ways, such as via email, text or social media.
4. A password manager vendor breach
Password manager vendors know they are a major target for threat actors. That’s why they spend significant time and resources making their IT environments as secure as possible. But they only have to make one mistake to potentially let the bad guys in. In 2022, this worst-case scenario happened to LastPass. Digital thieves compromised a LastPass engineer’s laptop to access the firm’s development environment. There they stole source code and technical documents containing credentials, which enabled them to access customer data backups.
This included customers’ personal and account information, which could be used for follow-on phishing attacks, a list of all website URLs in their vaults, and usernames and passwords for all customers. Although these were encrypted, the hacker was able to “brute force” them (as discussed above). This is thought to have led to a massive US$150 million crypto-heist and is a cautionary tale that even the best-protected vendors could sometimes get breached.
5. Fake password manager apps
Sometimes, cybercriminals play on the popularity of password managers in an attempt to harvest passwords and spread malware via fake apps. Even Apple’s normally secure App Store allowed one of these malicious password manager apps to be downloaded by users last year. These threats are typically designed to steal that all-important master password, or else download information-stealing malware to the user’s device.
6. Vulnerability exploitation
Password managers are ultimately just software. And software, being written (mostly) by humans, inevitably contains vulnerabilities. If a cybercriminal manages to find and exploit one of these bugs, they may be able to lift credentials from your password vault. Alternatively, they could target vulnerabilities in password manager plugins for web browsers to steal credentials and even two-factor authentication (2FA) codes. Or they could target device operating systems to do the same. The more devices you have your password manager downloaded to, the more opportunity they have to do so.
How to secure your password manager usage
To guard against the threats listed above, consider the following:
- Think of a secure, long and unique master passphrase that attackers cannot simply guess. Consider four memorable words separated by hyphens.
- Boost your account security by enabling 2FA. This adds an extra layer of protection, so even if hackers snag your password, they won’t be able to get in without the second factor.
- Stay on top of updates for your browsers, password managers, and operating systems. This helps keep your devices secure and less vulnerable to cyber threats.
- Only download apps from trusted sources like Google Play or the App Store. Check the app’s developer and rating to avoid falling for fake or malicious apps.
- Choose a password manager from a reputable vendor you trust. Shop around until you find one that suits your needs.
- Install security software from a trusted vendor on all your devices. This helps protect your passwords from direct attacks aimed at stealing them from your password manager.
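The first tip above (a long master passphrase made of memorable words) is the one that directly decides how expensive the brute-force and vault-cracking attacks from sections 1 and 4 are. The following script, added here as a worked example and not code from the article, generates such a passphrase and puts numbers on its strength: the entropy of an n-word passphrase drawn from a wordlist of size N is n·log2(N) bits, and an attacker who can test G guesses per second needs on average 2^(bits−1)/G seconds. The wordlist size 7,776 corresponds to the widely used EFF long diceware list; the small demo wordlist and the guess rates used in `main` are constructed for illustration.

```python
import math
import secrets

# Constructed demo wordlist; only the *size* of the list matters for the math.
DEMO_WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "fossil", "garnet", "harbor"]

# Size of the EFF long wordlist (7,776 = 6^5 words, one per five dice rolls).
EFF_LONG_LIST_SIZE = 7776


def generate_passphrase(wordlist, n_words=4, sep="-"):
    """Pick n_words uniformly at random (CSPRNG) and join them with sep."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Entropy in bits of n_words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def guesses_per_second(kdf_seconds_per_guess, parallel_guessers):
    """Guess rate when every guess costs one key-derivation run.

    A slow KDF (PBKDF2 with many iterations, Argon2) is what makes an offline
    attack on a stolen encrypted vault expensive; parallel_guessers models the
    attacker's hardware.
    """
    return parallel_guessers / kdf_seconds_per_guess


def expected_crack_seconds(entropy_bits, rate):
    """Average time to find the passphrase: half the keyspace at the given rate."""
    return 2 ** (entropy_bits - 1) / rate


def human_duration(seconds):
    """Render seconds as the largest convenient unit (for display only)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def strength_report(list_size, n_words, kdf_seconds_per_guess, parallel_guessers):
    """Return entropy and expected cracking time for one attacker model."""
    bits = passphrase_entropy_bits(list_size, n_words)
    rate = guesses_per_second(kdf_seconds_per_guess, parallel_guessers)
    return {"bits": bits, "rate": rate, "seconds": expected_crack_seconds(bits, rate)}


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(DEMO_WORDLIST))

    # Constructed attacker models: a fast hash (effectively no KDF) versus a
    # KDF that costs 0.1 s per guess, each with 1,000 parallel guessers.
    for label, cost in (("fast hash, ~1 µs/guess", 1e-6), ("slow KDF, 0.1 s/guess", 0.1)):
        for n in (3, 4, 5):
            r = strength_report(EFF_LONG_LIST_SIZE, n, cost, 1000)
            print(f"{label:24} {n} words: {r['bits']:.1f} bits, "
                  f"{r['rate']:.0e} guesses/s -> {human_duration(r['seconds'])}")
```

Two things the numbers make visible: each additional word adds roughly 12.9 bits, which multiplies the attacker’s work by about 7,776, and the vendor’s key-derivation cost multiplies it again by the ratio of the two guess rates. Both levers matter, but only the first one is under the user’s control, which is why the passphrase tip comes first in the list.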
Remember, password managers are a crucial part of keeping your online accounts safe. Just make sure to take extra precautions and stay informed about the latest cybersecurity threats. Keep those online credentials locked up tight!
