Why Your Password Manager Could Actually Be A Security Risk

password manager security, data breach, LastPass, cybersecurity, master password, phishing, credential theft

A friend of mine — smart, works in finance, uses a password manager religiously — got a call from his bank about suspicious activity. Turns out someone had accessed his crypto exchange account and cleaned it out. The attacker hadn't guessed his password. They already had it.

He'd been a LastPass user.

This isn't a story about him being careless. He did everything right: long master password, unique logins for every site, MFA enabled. And he still got hit — because the risk wasn't in what he did. It was in where he put his trust.


The Single Point of Failure Problem

Password managers solve a real problem. The average person now manages around 168 passwords, according to research cited by ESET's security blog WeLiveSecurity, a figure that's grown 68% in just four years. Nobody can hold that in their head, so we hand it all to one app. Which means we've traded dozens of small risks for one enormous one.

"The same centralization that makes password managers convenient also concentrates risk. For attackers, they are an attractive target with a high payoff." (ElcomSoft)

That's not an argument against using one. It's an argument for understanding what you're actually signing up for.


What LastPass Taught Us (And What Most People Missed)

The LastPass breach of 2022 is the clearest case study we have, and most people learned the wrong lesson from it.

The common narrative: "Passwords were encrypted, so it was fine." The reality is messier.

"In a second stage of the attack, a senior DevOps engineer's personal computer was compromised, and the attacker used a keystroke logger to obtain the employee's credentials and access an internal vault holding further keys — enabling access to and exfiltration of a backup database and copies of some customers' password vault data, which included both unencrypted fields (such as some website URLs) and encrypted fields (such as usernames and passwords)." (Wikipedia)

Here's the part that most coverage glossed over: the unencrypted URLs. Attackers could see which sites you had accounts on without cracking a single password, and that let them prioritize: a vault whose URLs pointed at cryptocurrency exchanges and wallet services was the obvious place to spend cracking effort. According to Wikipedia's account of the breach, researchers have linked thefts of more than $35 million to victims whose seed phrases were stored in LastPass, and a later heist of $150 million was also connected to the same data theft.

The encryption held. The metadata gave it all away anyway.
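To make the metadata point concrete, here is an added example in Python (not code from the article, from LastPass, or from any vendor) that triages a constructed set of stolen vault rows using nothing but the plaintext URL field. The rows, the host watchlist and the "enc:" placeholders standing in for encrypted fields are all made up for illustration. Nothing is decrypted anywhere; the ranking falls out of the metadata, and encrypting the URL field as well removes the signal.

```python
"""Why an unencrypted URL field matters: triage of stolen vault rows.

Added example, not code from the article or any password-manager vendor.
All rows, hosts and 'enc:' ciphertext placeholders are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stolen-backup rows: the URL is plaintext, credentials are
# opaque ciphertext (placeholders for blobs the attacker cannot read).
STOLEN_ROWS = [
    {"vault": "alice", "url": "https://www.exchange.example/login",
     "username": "enc:f9b1", "password": "enc:e44a"},
    {"vault": "alice", "url": "https://wallet.example/recovery",
     "username": "enc:c03d", "password": "enc:e17b"},
    {"vault": "bob",   "url": "https://forum.example/signin",
     "username": "enc:d52e", "password": "enc:f890"},
    {"vault": "carol", "url": "https://bank.example/",
     "username": "enc:a1a1", "password": "enc:b2b2"},
    {"vault": "carol", "url": "http://news.example/account",
     "username": "enc:c3c3", "password": "enc:d4d4"},
]

# Hypothetical watchlist: how much an attacker values seeing a given host.
WATCHLIST = {"exchange.example": 10, "wallet.example": 10, "bank.example": 5}


def registrable_host(url):
    """Lower-cased hostname with a leading 'www.' removed.

    Real tooling would consult the Public Suffix List; this is deliberately
    minimal and returns '' for anything that is not a URL (e.g. ciphertext).
    """
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def triage(rows, watchlist):
    """Rank vault owners by the watchlisted hosts visible in plaintext.

    Returns [(vault, score, sorted_hosts), ...], highest score first.
    No decryption happens anywhere: the ranking comes from metadata alone.
    """
    scores = defaultdict(int)
    hosts = defaultdict(set)
    for row in rows:
        host = registrable_host(row["url"])
        hosts[row["vault"]].add(host)
        scores[row["vault"]] += watchlist.get(host, 0)
    ranked = [(v, scores[v], sorted(hosts[v])) for v in hosts]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def encrypt_urls(rows):
    """The same dump as the attacker would see if URLs were encrypted too.

    The real transform would be authenticated encryption under the vault
    key; an opaque placeholder is enough to show the attacker's view.
    """
    return [dict(row, url="enc:x%04x" % i) for i, row in enumerate(rows)]


if __name__ == "__main__":
    for vault, score, hosts in triage(STOLEN_ROWS, WATCHLIST):
        print(f"{vault:6} score={score:3}  hosts={hosts}")
    print("after encrypting URLs:", triage(encrypt_urls(STOLEN_ROWS), WATCHLIST))
```

Run as-is it prints alice first with both high-value hosts, carol next for the bank entry, and bob last; after `encrypt_urls` every score is zero, which is the whole argument for treating the URL as part of the secret rather than as harmless metadata.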


The Counterintuitive Risk Most Articles Skip

Here's what nobody talks about: a password manager can make you worse at security, not better.

When every password is auto-filled, you stop noticing when something feels wrong. You stop recognizing whether you're on the real site or a convincing clone — because you never type anything manually anymore. The friction that used to slow you down and make you think is gone.

Phishing pages that trigger autofill have become a known attack vector precisely because users have been trained to trust whatever their manager fills in. A well-built manager matches on the exact origin the credential was saved for and refuses to fill on anything else; the danger is a manager with loose matching, or a user who overrides the refusal by picking the entry from the list by hand. Either way, if the form is on the wrong domain and the credentials go in anyway, you just handed them over without a second thought.
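The domain check that separates a safe manager from an unsafe one, shown as an added example in Python (not code from the article or from any real password manager): a loose "saved host appears somewhere in the page host" rule beside an exact-origin rule, both run over a constructed set of page URLs that includes a lookalike domain, an https-to-http downgrade and a Cyrillic homograph. The saved entry and every page URL are made up for illustration.

```python
"""Autofill origin matching: loose rule vs strict rule.

Added example; not code from the article or from any real password
manager. The saved entry and the page URLs are constructed.
"""
from urllib.parse import urlsplit

SAVED_ENTRY_URL = "https://bank.example/login"

# Constructed pages a user might land on. Only the first two are the real site.
PAGES = {
    "real site":              "https://bank.example/login?next=/accounts",
    "real site, other path":  "https://bank.example/",
    "lookalike subdomain":    "https://bank.example.evil-domain.example/login",
    "https downgraded":       "http://bank.example/login",
    "cyrillic homograph":     "https://b\u0430nk.example/login",  # Cyrillic 'а'
    "unrelated site":         "https://shop.example/checkout",
}


def _origin(url):
    """(scheme, host, port) of a URL, lower-cased; host is '' if absent."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.port


def loose_match(saved_url, page_url):
    """Fill whenever the saved host is a substring of the page host.

    This is the sloppy matching that lets a lookalike domain trigger
    autofill: 'bank.example' sits inside 'bank.example.evil-domain.example'.
    """
    return _origin(saved_url)[1] in _origin(page_url)[1]


def strict_match(saved_url, page_url):
    """Fill only on the exact origin the credential was saved for.

    Host must match exactly, an https credential is never filled over
    plain http, and a pinned port must match. A homograph host differs at
    the code-point level even when it looks identical on screen.
    """
    s_scheme, s_host, s_port = _origin(saved_url)
    p_scheme, p_host, p_port = _origin(page_url)
    if not s_host or s_host != p_host:
        return False
    if s_scheme == "https" and p_scheme != "https":
        return False
    if s_port is not None and s_port != p_port:
        return False
    return True


def decisions(saved_url, pages, rule):
    """Map each page label to the rule's fill / no-fill decision."""
    return {label: rule(saved_url, url) for label, url in pages.items()}


if __name__ == "__main__":
    for name, rule in (("loose", loose_match), ("strict", strict_match)):
        print(name, decisions(SAVED_ENTRY_URL, PAGES, rule))
```

The loose rule fills on the lookalike subdomain and on the http downgrade; the strict rule fills on the two genuine pages only. The homograph is rejected by both rules because the manager compares code points, not glyphs, which is exactly why "my manager didn't fill" is a signal worth stopping for.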

There's also the master password problem. "If a user's master password is weak, reused, or compromised, an attacker could gain full access to their vault. This is why a strong, unique master password is non-negotiable." (Specops Software) Yet most people treat the master password like any other password: something to remember easily, maybe with a small twist on an old favorite.


What Actually Reduces Your Risk

Knowing the threat model changes what advice is worth following. Here's what genuinely moves the needle:

Use a strong, truly random master password — and write it down physically. Yes, write it down. A piece of paper in your home is not reachable by a remote attacker. Your brain's tendency to pick predictable passwords is. Store the written copy somewhere safe, not Post-it-on-your-monitor safe.

Enable MFA on your password manager and treat MFA codes like passwords. Don't use SMS-based MFA if you can avoid it; SIM swapping is a real attack. Use an authenticator app, or better yet, a hardware key. One caveat that matters after a breach: MFA gates sign-in to the vendor's service. It does nothing against offline cracking of a vault copy that has already been stolen, which is exactly the LastPass scenario, so the master password still has to carry its own weight.
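Putting the two points above into numbers, as an added example in Python (not code from the article or from any vendor): a passphrase generator that draws from a wordlist with the OS CSPRNG, plus a cracking-budget estimate for a stolen vault copy, where each guess costs one full key-derivation run and MFA on the vendor's login plays no part. The toy wordlist, the assumed GPU hash rate and the KDF iteration counts are illustrative assumptions, not measurements of any product.

```python
"""Master-password strength as an offline-cracking budget.

Added example; not code from the article or any vendor. The wordlist is a
constructed stand-in for a real one (EFF-style lists have 7776 words) and
the hash-rate and KDF-iteration figures are assumptions, not measurements.
"""
import math
import secrets

# Constructed toy wordlist; entropy functions take list_size explicitly,
# so pass 7776 to model a real diceware list.
TOY_WORDLIST = ["anchor", "basalt", "cobalt", "drift", "ember", "fjord",
                "gravel", "hollow", "ingot", "juniper", "kelp", "lumen",
                "marsh", "nickel", "orbit", "pumice"]


def entropy_bits(word_count, list_size):
    """Entropy of a passphrase drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count, wordlist):
    """Draw words with the OS CSPRNG; never random.choice for this."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def expected_crack_seconds(bits, kdf_iterations, kdf_hashes_per_second):
    """Average time to brute-force an offline vault copy.

    A stolen vault is attacked through its KDF, so every guess costs
    kdf_iterations hash operations; MFA on the vendor's login does not
    slow this down at all. Half the keyspace is the expected search.
    """
    guesses_per_second = kdf_hashes_per_second / kdf_iterations
    return 2 ** (bits - 1) / guesses_per_second


def years(seconds):
    """Convert seconds to years for readable output."""
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Assumed attacker: 1e10 PBKDF2-SHA256 iterations per second on a GPU rig.
    RIG = 1e10
    candidates = (("~40-bit human-chosen", 40),
                  ("4 words from 7776", entropy_bits(4, 7776)),
                  ("7 words from 7776", entropy_bits(7, 7776)))
    for label, bits in candidates:
        for iters in (5_000, 100_000, 600_000):  # assumed KDF settings
            t = years(expected_crack_seconds(bits, iters, RIG))
            print(f"{label:22} iter={iters:>7}: {t:.3g} years")
    n = words_needed(80, len(TOY_WORDLIST))
    print("sample:", generate_passphrase(n, TOY_WORDLIST))
```

The table it prints is the practical takeaway: a human-chosen password in the 40-bit range falls in hours to days at any realistic iteration count, while seven random words from a 7776-word list stay out of reach even at low iteration counts. Iterations buy you a constant factor; entropy buys you exponents.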

Pay attention to what your manager doesn't fill in. If you're on a site you use regularly and your manager hesitates, stop. Check the URL manually. That hesitation is the system working.

Never store cryptocurrency seed phrases in a cloud-based password manager. Ever. That lesson has been paid for in real money by real people. Seed phrases belong on paper, in a fireproof safe, offline.

Consider whether you need a cloud-synced manager or a local one. Local managers like KeePassXC don't expose your vault to server-side breaches. The tradeoff is convenience: you manage your own backups. Bear in mind that a local vault file you sync through a consumer cloud drive is exposed to whoever can read that storage, so the gain comes from keeping the file off third-party servers, not from the product choice alone. Whether that tradeoff is worth it depends on your threat model, not on which product has the nicest UI.


The Risk You Can't Fully Control

Here's the honest part: some risk lives outside your hands entirely. You can have perfect hygiene and still be affected by a vendor's security failures — their unpatched servers, their employees' personal laptops running old software, their misconfigured alert systems that miss GuardDuty notifications for weeks.

The UK Information Commissioner's Office found that LastPass "failed to implement sufficiently robust technical and security measures," and the impact of the breach was felt by customers as late as December 2024 — when hackers stole $12.38 million in cryptocurrency from LastPass users. (IT Pro)

Password managers are still, on balance, better than the alternative of reusing passwords or keeping them in a spreadsheet. That's a low bar, and clearing it doesn't mean they're safe. They move risk around; they don't eliminate it. Knowing that is what lets you make genuinely informed choices — like which manager to use, what to store in it, and what to keep off it entirely.

The one caveat worth sitting with: even with all of this in place, you're still trusting a third-party company's internal security culture. You can't audit that. You can only watch how they respond when something goes wrong — and decide whether their track record earns your vault.


Sources:

  • WeLiveSecurity (ESET)
  • ElcomSoft Blog
  • IT Pro (LastPass ICO Fine)
  • Wikipedia – 2022 LastPass data breach
  • Specops Software

