Password managers make our online lives simpler — and safer — but only when they’re used correctly.
We asked cybersecurity professionals to share their most important advice for keeping password managers truly secure. Their insights reveal practical steps anyone can take to protect sensitive data — from enabling multi-factor authentication to avoiding risky browser settings.
Before you log in again, take a moment to learn how the experts safeguard their own credentials.
Enable Multi-Factor Authentication for Password Managers

As a cybersecurity expert, I believe password managers are a vital tool for enhancing online security. They simplify the process of managing strong, unique passwords for multiple accounts, which is crucial in today’s digital landscape.
However, it’s important to use them correctly to maximize their benefits. One crucial tip for using password managers securely is to enable multi-factor authentication (MFA).
MFA adds an extra layer of security by requiring not only your master password but also a second form of verification, such as a code sent to your phone or a biometric scan.
This significantly reduces the risk of unauthorized access, even if your master password is compromised.
Additionally, ensure you choose a reputable password manager that offers robust security features and regularly updates its software to protect against emerging threats.
Benjamin Knauss, Chief Information Security Officer
Secure Password Managers with Unique Passwords

Password managers are critical for the ongoing safety and security of systems and accounts. They allow one to use unique passwords for all systems, reducing the impact of a single account compromise.
The biggest security tip for using a password manager is to make sure to enable MFA for accessing your password manager.
It defeats the purpose of using secure password managers if you fail to secure that list properly.
Todd Welfelt, Senior Governance, Risk, Compliance, and Security Advisor, PacketWatch
Implement Strong Master Password and MFA

I have recommended password managers for years, as they remain among the safest options for managing credentials. They are significantly more secure than spreadsheets or sticky notes, which are still surprisingly common.
One client expressed concern about consolidating all credentials in one place. We addressed this by reviewing local encryption and ensuring that data is never stored in plain text, and then implemented multifactor authentication.
After seeing these safeguards in action, the client was comfortable adopting the solution firm-wide.
My primary recommendation is to secure your password manager with a strong master password and multifactor authentication.
A weak master password or lack of MFA undermines the security benefits of using a password manager.
Treat your master password as you would the keys to your most valuable assets.
Combining a strong, unique master password with MFA ensures you gain the full security advantages without added risk.
Brian Fontanella, Owner, Keystone Technology Consultants
Avoid Automatic Autofill in Browser Extensions

The LastPass breach in 2022–23 forced the whole industry to acknowledge a disturbing truth: No matter how reliable your password solution seems, it can become a single point of failure.
What happened in that attack was that criminals gained control of a LastPass developer account, and then from that control, they performed lateral movement to access user vaults and source code.
We had several customers asking us to war-game incident response within the first week. Everyone was on edge.
This wasn’t a mere phishing expedition; it was a planned sequence of crafty hops that probably took months to execute.
Now there are millions of ex-LastPass users out there with the awareness that in the wrong configuration and mode of operation, password managers are kind of like sticking a big target on your back.
No surprise then that my mistrust of “default safe” password managers is rather high.
They’re still enormously safer than the alternatives of (a) using the same weak password everywhere, or (b) putting paper password lists on your desk, but ideally we want least privilege with respect to the password manager as well as any other piece of software.
If there is one thing you could do that would have prevented most real-world cases of credential theft that I’ve analyzed, it’s this: Turn off the automatic autofill feature of your password manager browser plugin.
Only fill in your credentials when you explicitly ask it to.
The problem with autofill is that when you visit a site, the password manager fills in the credentials for any site it considers “similar enough” in domain, which allows clickjacking to get you with minimal effort, via intercepted mouse clicks, cleverly disguised form fields, taken-over forgotten subdomains, and so on.
We even helped a fintech reduce their cases of credential theft from three per month to zero, just by turning off autofill for their entire staff.
If you use KeePassXC or Bitwarden, you can unlock your vault, then explicitly paste the credentials for review. This protects you from the “I clicked on the wrong site” style of attack.
It costs one mouse click to save yourself from getting clickjacked off all your accounts.
Steve Morris, Founder & CEO, NEWMEDIA.COM
Final Thoughts
Even the most secure password manager can only protect you if you use it wisely.
Enabling multi-factor authentication, using a unique and strong master password, and turning off automatic autofill in the browser extension so credentials are filled only on request all dramatically lower your chances of a breach.
As the experts make clear — password managers are powerful, but they’re not magic. The true security comes from how you use them.