PSA: Password managers are probably the most secure way to create and manage strong passwords, but they are not bulletproof. In particular, one security setting may be too weak in some managers, which could give attackers the ability to get user passwords in certain situations.
If you are using a password manager, you should definitely check the setting that determines how quickly it clears the copied text from the clipboard, since stealing information from this location is a common tactic for attackers.
Some password managers, like Bitwarden and Keeper, never clear the clipboard with default settings. This means that once you use a password with one of these managers, your username and password remain on the clipboard indefinitely, accessible to any other application on your system. PCWorld writes that the use of cloud clipboards may allow other applications to access this information even if users are not pasting text.
The option to allow your password manager to clear your clipboard after a certain amount of time is found in Settings in Keeper and NordPass and Settings > Options in Bitwarden. You can find it in every manager’s desktop app, mobile app, or browser extension. NordPass defaults to 30 seconds and other password manager developers would be wise to change their defaults to something similar.
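For readers who want to see what a clipboard timeout does, here is a minimal sketch, added for illustration and not taken from any password manager's code. The `MemoryClipboard` class is a hypothetical stand-in for the operating system clipboard so the example runs offline, and the 30-second default mirrors the NordPass setting mentioned above.

```python
import hashlib
import hmac
import threading


class MemoryClipboard:
    """Hypothetical stand-in for the OS clipboard (assumption, for offline use)."""

    def __init__(self):
        self._text = ""
        self._lock = threading.Lock()

    def read(self):
        with self._lock:
            return self._text

    def write(self, text):
        with self._lock:
            self._text = text


def digest(text):
    """Fingerprint of clipboard text, so the timer never has to hold the secret."""
    return hashlib.sha256(text.encode("utf-8")).digest()


def clear_if_unchanged(clipboard, expected_digest):
    """Wipe the clipboard only if it still holds the value that was copied."""
    if hmac.compare_digest(digest(clipboard.read()), expected_digest):
        clipboard.write("")
        return True
    # The user has copied something else since; leave their data alone.
    return False


def copy_with_timeout(clipboard, secret, timeout_seconds=30.0):
    """Copy a secret and schedule its removal. Returns the running timer."""
    clipboard.write(secret)
    timer = threading.Timer(
        timeout_seconds, clear_if_unchanged, args=(clipboard, digest(secret))
    )
    timer.daemon = True  # do not keep the process alive just to clear
    timer.start()
    return timer
```

A timer like this only overwrites the current clipboard contents; anything a clipboard history or cloud clipboard has already captured is outside its reach.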
Over the past few months, two password managers have come under attack, including LastPass, which was attacked in December. At first, the company said that this was not a concern for ordinary users, but later that month it was revealed that attackers had access to usernames and encrypted passwords. It would take a determined hacker to decrypt the passwords, but it’s not impossible. LastPass users should at the very least change their passwords and maybe consider a different password manager.
Earlier this month, Norton Password Manager withstood a less serious but still dangerous attack. Someone used a credential stuffing attack to make mass login attempts using a set of usernames and passwords stolen from other data breaches. Unlike the LastPass incident, no one hacked into the internal systems of Gen Digital (formerly Symantec and NortonLifeLock), and anyone using two-factor authentication should be safe.
When changing your password manager’s clipboard settings, it’s also a good idea to familiarize yourself with other security settings. They allow users to control things like login methods, how often the manager locks, how it handles authentication keys, and other important features.