Password Manager Breaches: Should You Worry as a User?


Disturbing reports of high-profile data breaches involving popular password managers have become more frequent. LastPass and Norton Password Manager were recently hacked, which has raised concerns about the security and reliability of using such tools to store sensitive information.

These security breaches can naturally make anyone nervous about the safety of their data. But these concerns can be alleviated when you understand how to better protect your sensitive data by using a password manager like Enpass, which syncs your data without sending anything to Enpass servers. With Enpass, it’s impossible for your data to be stolen in a LastPass-style breach, where hackers attacked a single cloud server containing the passwords of every LastPass user.

Why do hackers target vendor-hosted, cloud-based password managers?

Password managers that store the data of millions of users in a central cloud, their proprietary cloud, are a honeypot for hackers. If they can break into these servers and steal millions of password vaults, they could potentially access every password of every user and then use those passwords to access bank accounts, email accounts, etc. 

This is what happened to LastPass users late last year.

Hackers were able to download the encrypted vaults, and now hackers only need to crack each vault’s master password — which can be accomplished by a computer in just a few hours when master passwords aren’t strong, unusual, and unique.

Vaults with weak master passwords are at a greater risk. The multi-factor authentication (MFA) you encounter when signing into an online password account will also not be able to protect these vaults as they’ve already been stolen from behind the company’s security.

So how can password managers still be safe?

You can take critical steps to safeguard your identity and sensitive information. For example:

1. Use a strong, unique master password

Your master password is the key to accessing your password manager, so it is vital to choose a strong and unique password that is difficult for hackers to guess or crack. Avoid using common words or phrases; consider using a combination of letters, numbers, and special characters. A 12-character password takes 62 trillion times longer to crack than a 6-character password, so even if your vault is compromised, a strong and complex password makes it much more difficult to decrypt and read your data.

2. Enable additional security measures

Many password managers offer additional security measures, such as account-key or keyfile support ( like in Enpass). These extra measures add more randomness to the vault encryption. Unlike multi-factor authentication, using a keyfile further protects your data from brute-force attacks if hackers have already copied your encrypted vault. So it’s wise to choose a password manager that supports the use of keyfiles along with a strong master password.

3. Consider using a password manager with decentralized data storage

This is perhaps the best step you can take to safeguard your passwords and protect your accounts. Password managers that give users a choice of where their data is stored are far less attractive to hackers because it removes the rich target of a single server full of password vaults for them to attack.

Enpass is uniquely feature-rich and uniquely secure

Enpass doesn’t even have a centralized cloud for storing user data. As an Enpass user, you have the freedom to choose your own trusted cloud accounts (like iCloud, Google Drive, Microsoft OneDrive, Dropbox, Box, etc.) to store and sync your encrypted password vaults, which provides you with multiple extra layers of security authentication. Alternatively, you can keep your vaults on your own server (using WebDAV or NextCloud) or even completely offline, syncing directly between your devices over your own Wi-Fi network at home or work.

If you’re using Enpass and syncing through a personal cloud account, a hacker would have to…

  • Target you personally (not a server full of millions of passwords)
  • Know which cloud services you’ve chosen for storing your vaults
  • Discover the credentials to those cloud accounts
  • Get past each cloud account’s multi-factor authentication
  • And know your Enpass master password
  • (Plus, there’s that keyfile option if you want yet another layer of authentication)

Enpass is not only based on truly zero-knowledge architecture but also has zero access to your encrypted vaults. Enpass has no way to reach your data since it’s stored under your control. So the risk to you is zero if Enpass’s company servers are breached. And Enpass Business clients, can choose to keep data within company infrastructure or on the company OneDrive/Sharepoint. This reduces the risk of your data being exposed. 

Enpass is available on Mac, Windows, iOS, Android, and Linux, and can even be downloaded in a portable format that lives on a USB drive, enabling access to your passwords and personal data from multiple devices and platforms, providing convenience and flexibility.

Enpass supports biometric authentication, including fingerprints and facial recognition, to help protect your passwords and personal data.

Enpass includes Breach Monitoring, so you can stay one step ahead of hackers by receiving alerts when breaches are reported for sites you’ve stored in Enpass. This allows you to take swift action, such as changing your password, to prevent any damage before it’s too late.

Enpass enables users to share vaults with other users within their organization or family. This can be helpful for teams that need all need login access for shared accounts or resources.

Enpass automatically audits passwords, alerting you of weak or duplicate passwords so you can take steps to improve your security. For business users, this can decrease the risk of password-related security breaches within your organization.

Enpass is ISO/IEC 27001:2013 certified, and undergoes periodic security audits, and complies with regulations and data protection laws, like GDPR and CCPA. This helps organizations to meet their compliance requirements and ensure the security and privacy of their sensitive data.


Enpass uses AES-256 encryption, a widely used and trusted standard for data encryption. Read about security in Enpass

Experience the Enpass advantage for yourself

Download the free desktop app and try it for yourself. It’s time to give your data the security it deserves.