Most people treat setting up a password manager as a finish line. They install the extension, import their old passwords, and assume the problem is solved. That thinking leaves several serious attack surfaces completely unaddressed.

A password manager does reduce risk significantly — credential reuse across sites is one of the most common causes of account compromise, and a good manager eliminates it. But the vault itself, the master password, the sync mechanism, and the browser extension all introduce their own vulnerabilities. Each deserves deliberate attention.

Choosing and Protecting Your Master Password

The master password is the single point of failure for your entire credential store. Most password managers use your master password to derive an encryption key locally before anything touches their servers — Bitwarden, for example, applies PBKDF2-SHA256 with 600,000 iterations by default, and 1Password uses PBKDF2 combined with a separate 128-bit Secret Key that never leaves your device. This architecture means a weak master password is a genuine catastrophe, not just an inconvenience.

A strong master password should be long and unpredictable but also memorizable. A passphrase of five or six randomly chosen words — generated with a tool like Diceware, which uses physical dice and a word list to eliminate any digital randomness — produces a password with roughly 77 bits of entropy at six words. That’s meaningfully harder to brute-force than a shorter, complex password like T!m3r0ck$. The key word is randomly: phrases you construct yourself from a sentence or song lyric draw on a far smaller effective vocabulary than the word count suggests, so their real entropy falls well short of what true random selection would give.

Never store the master password inside the vault itself, in a browser’s built-in password saver, or in a plain text file. Write it down on paper and keep that paper in a physically secure location. That sounds old-fashioned, but a piece of paper locked in a fireproof safe is not vulnerable to remote attacks.

Hardening Two-Factor Authentication

Adding two-factor authentication to your password manager account is mandatory, not optional. The question is which second factor to use and how to secure it.

TOTP (Time-based One-Time Password) apps like Aegis on Android or Raivo on iOS are substantially more secure than SMS codes. SMS is vulnerable to SIM-swapping attacks, where an attacker convinces a mobile carrier to transfer your number to a SIM they control. The FBI’s Internet Crime Complaint Center received over 1,600 SIM-swapping complaints in 2021 alone, with losses exceeding $68 million. A hardware security key — a YubiKey or similar FIDO2/WebAuthn device — is stronger still, because it requires physical possession and is immune to phishing by design: the browser binds the origin it is on into the data the key signs, so a signature produced on a fake login page is useless on the real one.

Store your TOTP backup codes securely and separately from the vault. The standard mistake is saving them inside the password manager they’re meant to protect. If you get locked out of your vault and your TOTP codes are inside it, you have a circular dependency with no exit. A printed copy in the same physically secure location as your master password works well.

Emergency Access and Account Recovery

Most password managers offer emergency access or account recovery mechanisms, and these are worth configuring carefully. Bitwarden’s Emergency Access feature lets you designate a trusted contact who can request access to your vault after a configurable waiting period — you can set that window anywhere from one day to 99 days, giving you time to deny the request if it’s fraudulent. 1Password’s Emergency Kit is a printed document combining your email, Secret Key, and space to write your master password; it’s designed to be stored offline.

Browser Extension Security

The browser extension is the most exposed component of any password manager setup. It runs in a privileged browser context, interacts with every page you visit, and handles credential autofill — a process that can be manipulated.

Autofill is convenient but carries real risk. A technique called credential harvesting through hidden form fields involves a malicious script on a page creating an invisible login form that the extension fills automatically without any user interaction. Bitwarden mitigates this with a setting to require user interaction before autofilling, which is worth enabling. More broadly, disabling autofill entirely and using keyboard shortcuts to fill credentials manually — only on verified pages — reduces the attack surface considerably.

Browser extensions also update automatically and are subject to supply chain attacks. The 2022 compromise of the node-ipc npm package illustrated how a widely trusted dependency can be weaponized. Sticking to officially published extensions from the password manager’s own site or verified store listing, and reviewing extension permissions periodically, limits exposure. Some security-conscious users run the password manager as a separate desktop application and copy-paste credentials rather than using the browser extension at all — this is more friction but removes the extension entirely from the threat model.

Vault Hygiene and Ongoing Maintenance

A password manager accumulates entries over years, and that accumulation becomes its own problem. Old accounts for services that no longer exist, shared credentials that multiple people know, passwords generated before you started using the manager — all of these represent hidden risk.

Scheduled vault audits matter. Most password managers include a built-in health dashboard: Bitwarden’s Vault Health Reports flags reused passwords, weak passwords, and accounts found in Have I Been Pwned’s breach database. 1Password’s Watchtower does the same. Running these reports quarterly and acting on the results — deleting dead accounts, rotating old passwords, upgrading short passwords to generated ones — keeps the vault from becoming a liability over time.

Pay particular attention to shared credentials. If you’ve ever given a colleague, family member, or contractor a password directly — outside a formal sharing mechanism — rotate it. Shared passwords that exist outside the vault’s audit trail are effectively unmanaged. If your password manager supports secure sharing (Bitwarden Send, 1Password’s shared vaults), use those mechanisms instead of messaging apps or email, which often cache content indefinitely.

Syncing, Cloud Storage, and Local Alternatives

Cloud-synced password managers are the default choice, and for most users the trade-off is sensible: a well-implemented zero-knowledge architecture means the provider cannot read your vault even if they wanted to. Bitwarden publishes its source code and has undergone independent security audits — the 2022 audit by Cure53 identified no critical vulnerabilities. This transparency is a reasonable basis for trust.

For users with elevated threat models — journalists, activists, executives targeted by nation-state actors — local or self-hosted alternatives deserve consideration. KeePassXC stores your vault as an encrypted local file using AES-256, with no cloud sync by default. You control where the file lives and how it’s backed up. The trade-off is operational complexity: syncing across devices requires a separate solution like Syncthing or a self-hosted cloud, and there’s no provider to call if you lose access. Self-hosting Bitwarden (or the community-maintained Vaultwarden server) offers a middle ground — the familiar interface with server infrastructure you control.

Whatever sync approach you choose, encrypted backups of the vault file are non-negotiable. A vault corrupted or accidentally deleted with no backup is a complete loss. Bitwarden’s export function produces an encrypted .json file; KeePassXC exports to its .kdbx format. Store at least one copy offline, on a USB drive kept in a secure location, updated on a defined schedule.

Protecting Against Phishing Targeting the Vault Itself

Attackers increasingly target password manager users directly. Fake login pages mimicking 1Password or LastPass attempt to harvest master passwords. In 2022, LastPass suffered a breach in which encrypted vault data was exfiltrated — the risk then shifted to offline brute-force attacks against weak master passwords, which is why password strength at the top level matters so much.

Always access your password manager through the official desktop application or by navigating directly to the known URL, never through a link in an email. Bookmark the legitimate login page. If you use a hardware key for 2FA, the phishing problem is largely neutralized for the authentication step — but your master password is still worth protecting because it derives the encryption key regardless of authentication method.

The attack surface for password managers is smaller than managing credentials manually, but it isn’t zero. A Bitwarden account protected with only 100,000 PBKDF2 iterations — the old default before it was raised in 2023 — could have its master password attacked at roughly 2.7 million guesses per second on a modern GPU, according to benchmark data published by hashcat’s development team.
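As an added example (not code from the page, from Bitwarden or from 1Password), this Python script stretches a master password with PBKDF2-SHA256 at the two iteration counts named above and, using the entropy figures from the master-password section and the guess rate quoted here, estimates how long an offline search against an exfiltrated vault would take. Using the normalised account email as the salt is an assumption made for illustration; only the algorithm, iteration counts, entropy figures and guess rate come from the page.

```python
import hashlib
import math

DICEWARE_LIST_SIZE = 7776   # a standard Diceware list has 6^5 words
PRINTABLE_ASCII = 95        # upper, lower, digits and symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Guess rate quoted on the page for the old 100,000-iteration default.
# PBKDF2 cost is linear in iterations, so 600,000 cuts the rate six-fold.
GUESSES_PER_SECOND_100K = 2.7e6


def derive_master_key(master_password: str, email: str, iterations: int = 600_000) -> bytes:
    """Stretch the master password with PBKDF2-SHA256, as the page describes.
    Assumption for illustration: the normalised account email is the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,  # 256-bit key
    )


def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words were chosen uniformly at random."""
    return word_count * math.log2(list_size)


def char_password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Upper bound for a character password; human-chosen ones fall far below it."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, iterations: int) -> float:
    """Expected offline search time: half the keyspace over the guess rate the
    attacker gets at this iteration count (no dictionary or rule shortcuts)."""
    rate = GUESSES_PER_SECOND_100K * 100_000 / iterations
    return 2 ** (entropy_bits - 1) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    key = derive_master_key("correct horse battery staple lamp orbit", "user@example.com")
    print("master key:", key.hex())
    cases = [("6-word Diceware passphrase", passphrase_entropy_bits(6)),
             ("9-char random password (T!m3r0ck$ at best)", char_password_entropy_bits(9))]
    for label, bits in cases:
        for iterations in (100_000, 600_000):
            years = expected_crack_years(bits, iterations)
            print(f"{label}: {bits:.1f} bits, {iterations:,} iterations -> {years:.3g} years")
```

The estimate for the nine-character password is a best case that assumes it was chosen uniformly at random; a rule-based cracker against a human-chosen pattern like T!m3r0ck$ finishes far sooner, which is the point of the passphrase advice above.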