Look no further to learn how cybercriminals could try to crack your vault and how you can keep your logins safe
13 Nov 2025
•
,
5 min. read
The average internet user has an estimated 168 passwords for their personal accounts, according to a study from 2024. That’s a massive 68% increase on the tally four years previously. Given the security risks associated with sharing credentials across accounts, and of using simple-to-guess passwords, most of us need help managing these logins. This is where password managers come in: enabling us to store and recall long, strong and unique passwords for each of our online accounts.
However, this doesn’t mean that these password vaults are a silver bullet or that you should lower your vigilance online. Given that they literally hold the keys to our digital lives, they’ve also become a popular target for cybercriminals. Here are six potential risks and some ideas on how to mitigate them.
6 password manager security concerns
With access to the credentials stored in your password manager, threat actors could hijack your accounts to commit identity fraud, or sell access/passwords to others. That’s why they’re always looking for new ways to target you. Look out for the below:
1. Compromise of your master password
The beauty of password managers is that with a single, memorable password, you can access the vault that stores all of your online credentials. However, the problem with this approach is that, if cybercriminals can get hold of that master password, they gain the same level of access. This could happen via a “brute-force” attack, where they essentially use automated tools to try different passwords repeatedly until they finally hit upon the right one. Another option is by exploiting vulnerabilities in the password manager software, or tricking users with phishing pages, as detailed below.
2. Phishing/scam ads
Threat actors have been known to post malicious ads to Google Search designed to lure victims to fake sites which harvest their email address, master password and secret key (if applicable). The danger with these ads is that they look legitimate and may appear in the search rankings when you Google your password manager. The phishing pages they’re linked to are spoofed to appear as if they are the real deal. For example a domain may be “the1password[.]com” or “app1password[.]com,” instead of the original “1password.com.” Or “appbitwarden[.]com” instead of “bitwarden.com.” If you click through to such a page, you’ll be taken to a legitimate-looking login page designed to steal your all-important password manager logins.
3. Password-stealing malware
Cybercriminals are nothing if not resourceful. Such are the riches on offer that some have gone to the trouble of developing malware to steal credentials from victims’ password managers. ESET researchers recently spotted one such attempt by a North Korean state-sponsored campaign dubbed “DeceptiveDevelopment.” It found that “InvisibleFerret” malware which featured a backdoor command capable of exfiltrating data from both browser extensions and password managers via Telegram and FTP. Among the password managers targeted were 1Password and Dashlane.
In this particular case, the malware was hidden in files downloaded by the victim as part of an elaborate fake job interview process. But there’s no reason why malicious code with similar properties couldn’t be spread in other ways, such as via email, text or social media.
4. A password manager vendor breach
Password manager vendors know they are a major target for threat actors. That’s why they spend significant time and resources making their IT environments as secure as possible. But they only have to make one mistake to potentially let the bad guys in. In 2022, this worst-case scenario happened to LastPass. Digital thieves compromised a LastPass engineer’s laptop to access the firm’s development environment. There they stole source code and technical documents containing credentials, which enabled them to access customer data backups.
This included customers’ personal and account information, which could be used for follow-on phishing attacks. A list of all website URLs in their vaults. And usernames and passwords for all customers. Although these were encrypted, the hacker was able to “brute force” them (as discussed above). This is thought to have led to a massive US$150 million crypto-heist and is a cautionary tale that even the best-protected vendors could sometimes get breached.
5. Fake password manager apps
Sometimes, cybercriminals play on the popularity of password managers in an attempt to harvest passwords and spread malware via fake apps. Even Apple’s normally secure App Store allowed one of these malicious password manager apps to be downloaded by users last year. These threats are typically designed to steal that all-important master password, or else download information-stealing malware to the user’s device.
6. Vulnerability exploitation
Password managers are ultimately just software. And software, being written (mostly) by humans, inevitably contains vulnerabilities. If a cybercriminal manages to find and exploit one of these bugs, they may be able to lift credentials from your password vault. Alternatively, they could target vulnerabilities in password manager plugins for web browsers to steal credentials and even two-factor authentication (2FA) codes. Or they could target device operating systems to do the same. The more devices you have your password manager downloaded to, the more opportunity they have to do so.
How to secure your password manager usage
To guard against the threats listed above, consider the following:
- Think of a secure, long and unique master passphrase. Consider four memorable words separated by hyphens. This will make it harder for an attacker to “brute force” it.
- Always enhance the security of your accounts by switching on 2FA. This means that even if hackers get hold of your passwords, they will not be able to access your accounts without the second factor.
- Keep browsers, password managers and operating systems up to date so they are on the most secure versions. This reduces the opportunities for vulnerability exploitation.
- Only download apps from a legitimate app store (Google Play, App Store) and check the developer and app rating before doing so, in case they are fake/malicious apps.
- Only choose a password manager from a reputable vendor. Shop around until you find one you’re comfortable with.
- Ensure you install security software from a reputable vendor on all devices, to mitigate the threat of attacks designed to steal passwords directly from your password manager.
Password managers remain a key part of cybersecurity best practice. But only if you take extra precautions. Security risks are always evolving, so stay abreast of the current threat trends to ensure your online credentials stay under lock and key.
