Password managers are undeniably better than reusing "password123" — but they're not invincible. The LastPass breach of 2022, where attackers stole encrypted password vaults, was a wake-up call. Let's be precise about where the real risks are.
Attack surface #1: Your master password
Every password manager is only as strong as its master password. If that password is weak, guessable, or reused anywhere else, attackers who obtain your encrypted vault can try guesses against it offline at their leisure. The rule: your master password should be at least 20 characters, entirely unique, and ideally a random passphrase (four words picked at random from a large word list are both memorable and highly secure, provided a random process, not your own imagination, chooses them).
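To make the passphrase advice concrete, here is an added Python example (mine, not code from the original post) that picks words with the OS random generator and estimates both the entropy of a passphrase and the expected offline guessing time. The word list is a constructed sample; the guesses-per-second rate in compare() is an assumed illustrative figure, since the real rate depends on the vault's key-derivation cost and the attacker's hardware.

```python
import math
import secrets

# Constructed sample word list, far smaller than a real one. Generators use
# lists of thousands of words (the EFF long list has 7,776); list size, not
# word length, is what sets the entropy per word.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "drift", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def generate_passphrase(wordlist, n_words=4, separator=" "):
    """Pick n_words uniformly at random with the OS CSPRNG.

    The strength argument only holds when a random process picks the words;
    words a person "thinks of" are far from uniform and much easier to guess.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n_words drawn independently and uniformly from a list."""
    return n_words * math.log2(wordlist_size)


def random_password_entropy_bits(alphabet_size, length):
    """Entropy of a password whose every character is uniformly random."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected offline guessing time: half the keyspace is searched on average.

    guesses_per_second is an input, not something this code can know; it is
    set by the vault's key-derivation cost and the attacker's hardware.
    """
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def compare(guesses_per_second=100_000):
    """Side-by-side estimates for the strategies the text discusses.

    100,000 guesses/second is an assumed illustrative rate, not a measurement
    of any product's key-derivation function.
    """
    year = 365 * 24 * 3600
    candidates = {
        "4 random words from 7,776": passphrase_entropy_bits(7776, 4),
        "6 random words from 7,776": passphrase_entropy_bits(7776, 6),
        "12 random chars, 62-char alphabet": random_password_entropy_bits(62, 12),
        "20 random chars, 62-char alphabet": random_password_entropy_bits(62, 20),
    }
    return {
        label: {"bits": round(bits, 1),
                "years": expected_crack_seconds(bits, guesses_per_second) / year}
        for label, bits in candidates.items()
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    for label, est in compare().items():
        print(f"{label:36s} {est['bits']:6.1f} bits  ~{est['years']:.3g} years")
```

The numbers show why the entropy of a passphrase comes from the list size raised to the word count, and why the same passphrase is far safer behind a slow key-derivation function: lowering guesses_per_second by a factor of a thousand adds roughly ten bits of effective strength.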
Attack surface #2: The device itself
If your phone or laptop is compromised with malware before you unlock your password manager, the attacker can capture passwords as they are autofilled, bypassing encryption entirely: at that moment the passwords are already decrypted on the device. A keylogger is the classic example of this attack. The defense: keep your OS and apps updated, and never install software from unofficial sources.
Attack surface #3: The vendor's infrastructure
The LastPass breach demonstrated that even reputable vendors get attacked. The saving grace: well-designed managers use zero-knowledge encryption. Your passwords are encrypted locally, with a key derived from your master password, before anything is uploaded, so even if the vendor's servers are breached, attackers only get scrambled data. A stolen vault is still only as safe as the master password protecting it, which is why attack surface #1 comes first. Check that your manager explicitly uses zero-knowledge architecture (Bitwarden, 1Password, and others do).
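Here is an added Python sketch (mine, modelled on the common client-side design; not any vendor's code) of what "encrypted locally before upload" means in practice: the master key is derived on the device, a separate one-way hash of it is what the server stores for login, and the vault is encrypted before it leaves the device. The function and class names (derive_auth_hash, ZeroKnowledgeServer, and so on) and the iteration count are assumptions for the demo, and the HMAC-in-counter-mode stream is a stand-in for the vetted AEAD cipher a real product would use.

```python
import hashlib
import hmac
import secrets

# Assumed PBKDF2 cost for the demo. Real products set their own; check the
# vendor's documentation for its current recommended iteration count.
KDF_ITERATIONS = 600_000


def derive_master_key(master_password, email, iterations=KDF_ITERATIONS):
    """Stretch the master password on the client. This key never leaves the device."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def derive_auth_hash(master_key, master_password):
    """One more one-way step yields the login credential the server sees; a
    breached server cannot turn it back into the master key or vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1, dklen=32)


def derive_vault_keys(master_key):
    """Independent encryption and MAC keys for the vault, via HMAC labels."""
    enc = hmac.new(master_key, b"vault-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"vault-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_key, plaintext):
    """Encrypt-then-MAC with a fresh nonce; the result is the only thing uploaded."""
    enc, mac = derive_vault_keys(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key, blob):
    """Verify the tag before touching the ciphertext; wrong key or tampering fails here."""
    enc, mac = derive_vault_keys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class ZeroKnowledgeServer:
    """Constructed stand-in for the vendor backend: it stores login verifiers
    and opaque blobs and never sees a master password, master key or vault key."""

    def __init__(self):
        self._users = {}

    def register(self, email, auth_hash, vault_blob):
        self._users[email] = {"auth_hash": auth_hash, "vault": vault_blob}

    def login(self, email, auth_hash):
        rec = self._users.get(email)
        if rec and hmac.compare_digest(rec["auth_hash"], auth_hash):
            return rec["vault"]
        return None

    def breach_dump(self):
        """Everything an attacker obtains from a full server compromise."""
        return {e: dict(r) for e, r in self._users.items()}


def client_enroll(server, email, master_password, vault_plaintext, iterations=KDF_ITERATIONS):
    mk = derive_master_key(master_password, email, iterations)
    server.register(email, derive_auth_hash(mk, master_password), encrypt_vault(mk, vault_plaintext))


def client_open_vault(server, email, master_password, iterations=KDF_ITERATIONS):
    mk = derive_master_key(master_password, email, iterations)
    blob = server.login(email, derive_auth_hash(mk, master_password))
    if blob is None:
        raise PermissionError("login rejected")
    return decrypt_vault(mk, blob)


def vault_opens_with(blob, email, candidate_password, iterations=KDF_ITERATIONS):
    """Why master-password strength and KDF cost matter: each guess against a
    stolen blob costs a full key derivation, and only the right one decrypts."""
    try:
        decrypt_vault(derive_master_key(candidate_password, email, iterations), blob)
        return True
    except ValueError:
        return False
```

The point to notice is what breach_dump() contains: a login verifier that is itself a hash, and ciphertext. Nothing in it lets the server, or whoever steals its database, read the vault without first deriving the master key from the master password, and that derivation is deliberately expensive.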
Attack surface #4: Browser extensions
Malicious browser extensions can intercept passwords before they're encrypted. Regularly audit your installed extensions and remove anything you don't actively use or recognize.
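An audit is easier to keep up when it is scripted. Here is an added Python example (mine, not from the original post) that reads the manifest.json of every extension installed in a Chrome-style profile directory and flags permissions that would let an extension read or change what you see or type on every site, which is exactly what an extension needs to intercept an autofilled password. The set of permissions flagged is my choice; the profile paths in the comments are typical locations and should be adjusted for your browser and profile. The demo() function builds a constructed profile with made-up extension IDs so the script runs offline.

```python
import json
import tempfile
from pathlib import Path

# Permissions that give broad access to page content, input, the clipboard or
# the local machine. Names are from the Chrome extension permission model; the
# selection of which ones to flag is this example's own judgement.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "clipboardRead", "debugger", "nativeMessaging",
}


def _is_broad_host(pattern):
    # "<all_urls>", "*://*/*", "http://*/*" and "https://*/*" all mean "every site".
    return pattern == "<all_urls>" or pattern.endswith("://*/*")


def audit_manifest(manifest):
    """Return the extension's identity and the permissions worth a second look."""
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    requested = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(manifest.get(key, []))
    flagged = sorted(p for p in requested if p in HIGH_RISK_PERMISSIONS or _is_broad_host(p))
    return {
        "name": manifest.get("name", "?"),  # localized names show up as "__MSG_xxx__"
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "flagged": flagged,
    }


def audit_extensions_dir(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    results = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as f:
            entry = audit_manifest(json.load(f))
        entry["id"] = manifest_path.parent.parent.name
        results.append(entry)
    return results


def demo():
    """Constructed profile with two extensions; the IDs and names are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        fixtures = {
            "a" * 32 + "/1.2.0": {
                "name": "Constructed Coupon Finder", "version": "1.2.0",
                "manifest_version": 3,
                "permissions": ["storage", "scripting", "clipboardRead"],
                "host_permissions": ["<all_urls>"],
            },
            "b" * 32 + "/0.9.1": {
                "name": "Constructed Tab Counter", "version": "0.9.1",
                "manifest_version": 3,
                "permissions": ["storage"],
            },
        }
        for rel, manifest in fixtures.items():
            d = Path(tmp) / rel
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions_dir(tmp)


if __name__ == "__main__":
    # Typical Chrome locations (assumed; adjust for your browser and profile):
    #   Linux:   ~/.config/google-chrome/Default/Extensions
    #   macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
    #   Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
    for e in demo():
        status = "REVIEW" if e["flagged"] else "ok"
        print(f"{status:6s} {e['name']} {e['version']} ({e['id']}) {e['flagged']}")
```

A flagged permission is not proof of malice; a legitimate ad blocker needs broad host access. The value of the list is that it turns "audit your extensions" into a short set of concrete questions: does this extension still earn the access it has, and do I remember installing it?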
The bottom line
Password managers remain the single best thing most people can do for their security posture. Use one. But pair it with a strong unique master password, two-factor authentication on the manager itself, and a clean device. That combination makes you dramatically harder to target than the vast majority of users.