We’ve all been there. You’re trying to create a password for a new account that meets the numerous parameters of a strong password.
By the time you add a symbol, a number, and upper- and lowercase characters, you’ve probably got a phrase that’s impossible to remember. And that’s just for one account.
Fortunately, password managers have emerged as a convenient solution to this problem. This type of software enables you to generate, store, and autofill unique passwords for all your accounts, without having to commit them to memory.
“Password managers are unique in that most security measures make your life a little bit more difficult, [but] a password manager does not,” says Anne Cutler, VP of global communications at Keeper Security.
Password managers are a fundamental tool for enhancing your online security and making your life simpler. But they are not a completely foolproof solution and do have some limitations that you should be aware of.
Here’s a breakdown of how password managers can — and can’t — protect you.
What a password manager service protects you from
Good password management software can protect you from quite a lot of threats. This is important because passwords are the key to your online life, financial resources and even your very identity.
Here’s what a password manager can protect you from:
1. Weak and reused passwords
Weak passwords are easily cracked by cybercriminals using brute force attacks and credential stuffing. Sometimes, cybercriminals can find a password on the dark web and try to use it (or variations of it) against many of your different accounts, Cutler says. These are known as reverse brute force attacks.
A password manager protects against these risks by generating a unique, strong password for every account, then saving it and autofilling it every time you need to log in. That drastically reduces the chance of a cybercriminal cracking your password and, even if they do, limits the damage to a single account.
2. Phishing attacks
Phishing attacks are especially sneaky because they can manipulate you into clicking an illegitimate link or logging into a fake website that might steal your information.
The autofill functionality of a password manager can guard against this because the password won’t autofill on an illegitimate URL, Cutler says.
For example, if you have a bank password saved, a password manager will only fill it in on the bank’s official website. If you accidentally click a phishing link for a fake bank website, the password won’t autofill, which protects you from a breach and tips you off that something’s wrong.
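The check behind that behavior, as an added example (not code from this article or from any password manager product): the saved entry is released only when the page's scheme, host and port match the saved site exactly. The strict exact-origin policy, the function name and every hostname below are assumptions constructed for illustration.

```javascript
// Constructed vault entry; the hostname is a made-up test domain.
const vault = [
  { origin: "https://login.examplebank.test", username: "alice", password: "constructed-secret" },
];

// Return the saved entry only if the page's origin matches it exactly.
function entryForPage(pageUrl, entries) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return null; // unparseable address: never fill
  }
  if (page.protocol !== "https:") return null; // never fill over plain HTTP
  // URL.origin is normalized: lowercase host, punycode for non-ASCII
  // characters, default port dropped, userinfo ("user@") excluded.
  return entries.find((e) => new URL(e.origin).origin === page.origin) || null;
}

// Constructed page addresses: the real site plus common lookalike patterns.
const samplePages = [
  "https://login.examplebank.test/signin?next=/home", // the saved site
  "https://LOGIN.ExampleBank.test:443/",               // same origin, different spelling
  "https://login.examplebank.test.evil.test/signin",   // real name used as a subdomain
  "https://login.examplebank.test@evil.test/",         // real name hidden in userinfo
  "https://login.examp1ebank.test/",                   // digit 1 in place of letter l
  "https://login.ex\u0430mplebank.test/",              // Cyrillic "a" homoglyph
  "http://login.examplebank.test/",                    // correct host, no TLS
];

for (const url of samplePages) {
  console.log(entryForPage(url, vault) ? "FILL  " : "REFUSE", url);
}
```

Only the first two addresses are filled. A refusal on a page that looks like your bank is the warning sign the article describes.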
3. Keyloggers and other spyware
Another strategy that hackers use is secretly tracking your keystrokes or computer activity to learn and steal your passwords. You might not even know you’re being tracked, and “that threat is very real,” Cutler says.
This is where the autofill function comes in handy again. Logging into websites with autofill doesn’t require any typing, so there are no keystrokes for a hacker to see.
4. Exposure of stored passwords
You might think it’s sufficient to store all your unique passwords in a spreadsheet or on your device. But this still leaves you vulnerable, because if someone gains access to those docs, either by stealing your device or gaining access to relevant accounts, they’ll have most of what they need to breach the rest of your accounts. Plus, it’s cumbersome to manually type in secure 16-character passwords.
A password manager saves you the effort and keeps your passwords more secure by locking them in a protected vault that can only be accessed by you.
What a password manager service doesn’t protect you from
Despite the numerous benefits of password managers, they still have some limitations. Here’s what you should be aware of:
1. Compromise of your master password
Password managers store all of your passwords in a secure portal that you access with a master password. Theoretically, if someone were to steal your master password, they could hack into your password manager and access the rest of your passwords.
But password managers do have some protections against this, too, Cutler says. If you enable multifactor authentication (which requires you to verify an SMS code or use an authenticator app), then a master password alone is insufficient to access your account.
Some password managers also require verification of any new devices that try to access your account, or limit login attempts, which are additional backstops against hackers, Cutler says.
2. A lackluster password manager
Not all password managers are created equal, and some will be more secure than others.
If your password data is not properly encrypted, for example, it could leave you more vulnerable to a breach of the software provider that stores your data. Cutler recommends looking for a password manager that’s completely encrypted, or that uses a “zero-knowledge architecture” where all data encryption and decryption happens locally on your device, rather than on the company’s own servers.
Some password managers have been breached by viruses or other types of malware, exposing sensitive customer information. In 2022, for example, hackers breached popular password manager LastPass and gained access to some user data.
editors have tested and reviewed password manager services and found Bitwarden to be our top choice overall, with open-source code that allows people to constantly scan for potential vulnerabilities that the company can then patch.
3. Social engineering attacks
When all else fails, cybercriminals sometimes target human, rather than technical, vulnerabilities. These types of “social engineering” attacks attempt to coax credentials and other sensitive information out of people, often under the guise of social media games or other legitimate-looking activities. They cause many kinds of security breaches and could pose a risk to your passwords.
When you use a password manager, there shouldn’t ever be a need to share a password with a stranger who asks for it — which is the type of thing that often happens in phishing attempts.
Plus, if you do need to share a password with someone you trust, some password managers can allow you to share it securely, within certain limits.
That said, password managers can’t protect against all forms of human manipulation.
4. Physical device theft
You can keep your passwords as secure as you want, but if your phone gets stolen, you could still be at risk.
If your device is stolen, there’s a chance someone could access your password manager and, therefore, your stored passwords.
However, a good password manager should allow you to revoke permissions from a device if you know it has been stolen, Cutler says, which could protect against a data breach.
5. Losing your master password
The key to password managers is that they rely on you remembering one master password, which should be long and complex for maximum security. But if you lose that master password, it’s a massive headache, as ‘s Scott Stein discovered a few years ago.
So whatever you do, make sure you can remember your master password.
Why you should use a password manager
Even though a password manager isn’t a foolproof system, you’re almost 2x less likely to have your credentials stolen if you use one, per a recent study.
A password manager is an essential tool that solves many of the biggest password-related security risks. But it’s not a panacea for all cybersecurity threats you might face.
“Understand what the risks are, and know how to protect yourself,” Cutler says.
In other words: You are the final line of defense. By using a strong master password, enabling two-factor authentication, and staying vigilant against scams, you can make a password manager an incredibly effective part of your overall security strategy.
However, don’t forget other safeguards, such as antivirus software, and make sure that you always keep your hardware and software up to date, which provides the best protection against cyberattacks.
