Posts: 757 +29
PSA: Password managers are probably the safest way to establish and manage secure passwords, but they aren't bulletproof. One security setting in particular is perhaps a bit too lax in some managers, which could give attackers a way to grab users' passwords in certain situations.
If you use a password manager, you should definitely check the setting that controls how quickly it clears copied text from the clipboard as grabbing information from this location is a common tactic of malicious actors.
Some password managers like Bitwarden and Keeper never clear the clipboard on their default settings. That means that once you use a password with either of those managers, your username and password sit in the clipboard indefinitely, accessible to any other application on your system. PCWorld writes that using cloud clipboards could let other apps access that information even if users don't paste the text.
The setting to make your password manager clear the clipboard after a set amount of time is found under Settings in Keeper and NordPass and Settings > Options in Bitwarden. You can find it in each manager's desktop app, mobile app, or browser extension. NordPass defaults to 30 seconds, and it would be prudent for other password manager developers to change their defaults to something similar.
Two password managers have suffered attacks over the last few months including LastPass, which was hit in December. The company initially said it wasn't cause for alarm among ordinary users, but later that month it revealed the attackers had accessed usernames and encrypted passwords. It would take a determined hacker to unencrypt the passwords, but it's not impossible. LastPass users should at least change their passwords and possibly consider another password manager.
Earlier this month, Norton Password Manager withstood a less serious but still concerning attack. Someone used a credential stuffing attack to make mass login attempts using a collection of usernames and passwords stolen in other data breaches. Unlike the LastPass incident, no one breached operator Gen Digital's (formerly Symantec and NorthLifeLock) internal systems, and anyone who uses two-factor authentication should be safe.
While changing your password manager's clipboard setting, it's also good to take a tour of the other security settings. They let users control things like login methods, how often the manager locks itself, how it handles authenticator keys, and other important features.