ARE PASSWORD MANAGERS STILL SAFE IN 2026?

In 2025, researchers disclosed clickjacking vulnerabilities affecting the browser extensions of popular password managers, including 1Password, Bitwarden, and LastPass. The flaws could allow attackers to trick users into autofilling credentials into malicious web pages.


Password managers are widely recommended to reduce credential-based risk, yet incidents like this have raised questions about their real-world resilience. This article explores how they protect credentials, lessons from past breaches, and practical guidance for 2026.


Why Password Managers Matter Now

Weak or reused passwords continue to fuel a large share of cybersecurity failures. According to recent data:


  • Approximately 70% of data breaches involve weak or compromised passwords.


  • Around 81% of hacking‑related breaches leverage stolen or weak passwords.


  • Credential stuffing and automated attacks attempt to authenticate billions of times annually.


Password managers help mitigate these risks by generating and storing strong, unique credentials for every service, reducing reliance on memory and preventing the breach of one account from cascading into others.


Adoption has grown as a result. Estimates suggest that about 35% of internet users now rely on a dedicated password manager, a significant increase from about 20% five years ago. Users of password managers tend to reuse credentials far less and choose longer passwords on average. 


From a risk perspective, these tools are a practical control for reducing credential exposure and account compromise.


Source: Zipdo, PanicVault, Market.Biz



How Password Managers Work

Password managers store encrypted credentials and unlock them only with a master password or an equivalent authentication method. Strong implementations use end-to-end encryption, meaning passwords are encrypted locally and the provider cannot read them, and they require multi-factor authentication (MFA) before the vault can be unlocked.


Additional safeguards include a zero-knowledge architecture, hardware security tokens, and encrypted device-to-device syncing.


In organisations, password managers often integrate with single sign-on (SSO) and role-based access controls, extending protection across teams and improving governance and audit visibility.



Incidents That Tested Trust

Several high-profile incidents demonstrate how implementation gaps, user behaviour, and operational weaknesses can weaken the security of well-designed systems.


The LastPass Breach (2022)

In 2022, LastPass disclosed that attackers gained access to encrypted vault backups. While encryption prevented immediate mass decryption, vaults protected by weak master passwords remained exposed to offline cracking, since the attackers could guess master passwords against the stolen data at will. This incident emphasised that secure infrastructure must be paired with strong master credentials and MFA enabled.


1Password Clickjacking Vulnerability (2025)

In 2025, researchers discovered a DOM-based clickjacking vulnerability in 1Password’s browser extension. Malicious websites could trick users into unintentionally autofilling credentials or two-factor codes through hidden interface elements. No passwords were directly exposed, but the incident demonstrates that even secure password managers can be affected by interface or configuration flaws.


1Password confirmed that vault encryption remained intact and added safeguards such as prompts before autofill. This reinforces the principle that password manager security relies on both strong encryption and disciplined operational controls. 
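The "prompt before autofill" safeguard, as an added example rather than 1Password's own code: a content-script snapshot of the element the extension is about to act on (the field it will fill, or its own injected credential picker), and a pure policy that refuses fills into hidden, overlaid or wrongly framed elements and otherwise asks for confirmation. The snapshot field names, the thresholds and the `trigger` value are assumptions made for this example.

```javascript
// Snapshot the rendered state of an element. Uses DOM APIs, so this part runs
// only inside a browser extension's content script.
function snapshotElement(el, win = window) {
  const style = win.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  const hit = el.ownerDocument.elementFromPoint(rect.left + rect.width / 2, rect.top + rect.height / 2);
  let topOrigin = null;
  try { topOrigin = win.top.location.origin; } catch (e) { /* cross-origin frame: unknown */ }
  return {
    pageOrigin: win.location.origin,
    topOrigin,
    display: style.display,
    visibility: style.visibility,
    opacity: parseFloat(style.opacity),
    width: rect.width,
    height: rect.height,
    onScreen: rect.bottom > 0 && rect.right > 0 && rect.top < win.innerHeight && rect.left < win.innerWidth,
    // Something else is painted over the element's centre (a classic overlay).
    covered: hit !== null && hit !== el && !el.contains(hit),
  };
}

// Pure policy over the snapshot: 'fill' silently, 'confirm' via a visible prompt,
// or 'refuse'. Thresholds (opacity, minimum size) are assumptions for this example.
function autofillDecision(entry, snap) {
  // Credentials are bound to an origin. The top-level frame must match too,
  // otherwise a login page framed inside an unrelated site would qualify.
  if (snap.pageOrigin !== entry.origin || snap.topOrigin !== entry.origin) return 'refuse';
  const rendered = snap.display !== 'none' && snap.visibility !== 'hidden' &&
    snap.opacity >= 0.9 && snap.width >= 20 && snap.height >= 10 && snap.onScreen && !snap.covered;
  // If the user cannot see the element, a click on it proves nothing about intent.
  if (!rendered) return 'refuse';
  // Visible and same-origin: fill without a prompt only when the request came
  // from the extension's own UI (toolbar or popup), never from a page-driven click.
  return snap.trigger === 'extension-ui' ? 'fill' : 'confirm';
}
```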



What the Data Tells Us About Password Risk

Keeping password managers in context requires appreciating how risky passwords still are on their own:


  • 65% of users reuse passwords across accounts, a behaviour that makes credential stuffing far more effective.


  • 81% of users rely on simple passwords, like “123456”, which are trivial to crack.


  • The most common passwords continue to be predictable sequences, with “123456” appearing millions of times in leaked databases.


  • Credentials compromised in breaches can remain undetected for months, giving attackers extended access windows.


  • Only a minority of users employ MFA on all accounts they care about, even though MFA can block a very high percentage of automated attacks.


These statistics show that password risk is structural and behavioural. Without tools to help enforce uniqueness and strength, most users default to risky practices, exactly the patterns password managers are designed to change.



Modern Security Features Reduce Exposure

Password managers have improved to address common risks:


  • Automatic breach detection and alerts, which prompt users to rotate compromised credentials.


  • Built‑in phishing resistance and anti‑reuse detection, reducing the risk of credential reuse slipping through unnoticed.


  • Hardware token support and biometric unlocking, raising the bar beyond password‑only access.


  • Granular sharing and enterprise policy controls, helping teams avoid broad credential sharing.


These improvements help mitigate many of the operational weaknesses highlighted in past incidents, but their effectiveness still depends on disciplined practice.


Supply-Chain and Vendor Risks

Password managers reduce credential exposure, but they also introduce a dependency on the vendor’s security. Even with end-to-end encryption and zero-knowledge architecture, organisations remain exposed to risks from the provider’s infrastructure, insider threats, or software supply-chain compromise.


For example, if a vendor’s update mechanism or code-signing process were compromised, attackers could distribute malicious updates that execute within trusted client environments. This would not directly expose encrypted vault data, but it could enable endpoint compromise, credential harvesting after decryption, or service disruption. Similarly, weaknesses in operational controls, logging, or access management at the vendor level can affect customers’ security posture.


Organisations can manage these risks by:


  • Evaluating vendor security posture, certifications, and independent audits.



  • Planning for contingency and breach scenarios that account for third-party dependencies.


Vendor and supply-chain risks account for a significant share of enterprise breaches, as illustrated below:


Source: Verizon Data Breach Investigations Report, 2025. 


Practical Guidance for Safe Usage

The strongest technology cannot save users from poor practices. Here’s what to consider:


For Individuals

  • Use a long, unique master passphrase that isn’t reused elsewhere.


  • Enable multi‑factor authentication (MFA) using hardware tokens or authenticator apps instead of SMS codes.


  • Keep devices updated and free from malware; local compromise often precedes vault compromise.


  • Regularly review and rotate stored credentials, especially after breach alerts.


  • Avoid storing decrypted copies or exporting credentials in insecure formats.


For Organisations

  • Enforce centralised governance, combining password managers with SSO and role‑based controls.


  • Incorporate logging and anomaly detection for vault access and credential usage.


  • Conduct regular security awareness training around phishing and credential reuse.


  • Audit password policies, ensure MFA is mandatory on high‑risk systems, and monitor for tokens or credentials in public leak databases.


Operational discipline, as much as the tool itself, determines safety. Even well-configured password managers can fail if organisations ignore governance, logging, or MFA enforcement.
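The logging and anomaly-detection point for organisations, as an added example that is not any vendor's feature: a few detection rules run over a constructed vault audit log, flagging unlocks without MFA, unlocks from a device not seen before, bulk credential reveals in a short window, and vault exports. The record fields, the device baseline and the thresholds are assumptions.

```javascript
// Constructed sample audit log, one JSON record per line. Field names follow what
// a password manager's audit export typically carries but are assumptions here.
const SAMPLE_LOG = [
  { ts: '2026-01-12T08:01:10Z', user: 'alice', event: 'vault_unlock', device: 'dev-a1', ip: '203.0.113.10', mfa: true },
  { ts: '2026-01-12T08:02:00Z', user: 'alice', event: 'item_reveal', device: 'dev-a1', ip: '203.0.113.10', item: 'crm' },
  { ts: '2026-01-12T09:15:00Z', user: 'bob', event: 'vault_unlock', device: 'dev-zz', ip: '198.51.100.7', mfa: false },
  // six reveals in under two minutes from the same unfamiliar device
  ...['aws-root', 'db-prod', 'okta-admin', 'vpn', 'ci-token', 'payroll'].map((item, i) => ({
    ts: new Date(Date.UTC(2026, 0, 12, 9, 15, 20) + i * 15000).toISOString(),
    user: 'bob', event: 'item_reveal', device: 'dev-zz', ip: '198.51.100.7', item,
  })),
  { ts: '2026-01-12T09:18:00Z', user: 'bob', event: 'vault_export', device: 'dev-zz', ip: '198.51.100.7' },
].map(r => JSON.stringify(r)).join('\n');

// Baseline of devices each user has unlocked from before (constructed).
const KNOWN_DEVICES = { alice: new Set(['dev-a1']), bob: new Set(['dev-b1']) };

const REVEAL_THRESHOLD = 5;        // reveals inside WINDOW_MS that count as bulk access
const WINDOW_MS = 5 * 60 * 1000;

// Parse the log and return one alert object per rule hit.
function analyzeVaultLog(text, knownDevices) {
  const events = text.split('\n').filter(Boolean).map(line => JSON.parse(line))
    .sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const alerts = [];
  const recentReveals = new Map();  // user -> timestamps of reveals inside the window
  for (const e of events) {
    const base = { user: e.user, ts: e.ts, device: e.device, ip: e.ip };
    if (e.event === 'vault_unlock') {
      if (!e.mfa) alerts.push({ rule: 'unlock_without_mfa', ...base });
      if (!(knownDevices[e.user] || new Set()).has(e.device)) alerts.push({ rule: 'new_device_unlock', ...base });
    } else if (e.event === 'vault_export') {
      // An export is a plaintext copy of the vault; always worth a human look.
      alerts.push({ rule: 'vault_export', ...base });
    } else if (e.event === 'item_reveal') {
      const t = Date.parse(e.ts);
      const recent = (recentReveals.get(e.user) || []).filter(x => t - x < WINDOW_MS);
      recent.push(t);
      recentReveals.set(e.user, recent);
      // Fire once as the threshold is crossed, not on every further reveal.
      if (recent.length === REVEAL_THRESHOLD) alerts.push({ rule: 'bulk_reveal', count: recent.length, ...base });
    }
  }
  return alerts;
}
```

Run against the sample, alice produces no alerts while bob produces four, one per rule; in practice the device baseline would come from the vendor's audit history rather than a hard-coded map.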



Conclusion

Password managers are not flawless, but they remain one of the most effective ways to reduce credential risk. Their success depends on strong master passwords, MFA, and consistent operational practices. Careful application, not just the technology itself, determines whether these tools become a real safeguard.





At Cyberkach, we make cybersecurity clear and understandable. Stay ahead of credential threats, breaches, and protection strategies by subscribing to our blog or joining our newsletter for expert guidance delivered straight to your inbox.