
How Secure Are Password Managers? Understanding Encryption and Zero Knowledge

Shireen Stephenson. Published July 16, 2024. Updated May 06, 2025.

If you or your employees have been wondering, “Are password managers safe?” you’ll want to pay very close attention.  

Because today, we're going to explain why a Zero Knowledge password manager with FIDO2 MFA is the most hacker-resistant way to protect your data.

This is a must-read if recent stories about the 3X increase in attacks against password managers have you worried.

Without the real facts, you'll be left sifting through conflicting advice from self-described experts, all sounding the alarm about password managers.

And that’s not a spot you want to be in. 

Before we talk about how to secure your most sensitive accounts, let’s talk about how password managers work in 2025. 

How do password managers work?  

Between social media and SaaS apps, your employees may be juggling more passwords than they can handle. According to our internal surveys, the average business user keeps track of 191 passwords, roughly seven times the 27 reported in industry surveys.

If you’re reading this, you’re likely familiar with password management. But are your employees equally savvy? Below, we highlight common questions about password managers. If you aren’t sure how many your employees can confidently answer - your business may be at risk. 

What’s a master password? 

A master password is the key that unlocks a digital vault, an online equivalent of a storage locker or safe deposit box. This is where you store your logins and other important documents, such as tax records, business licenses, Social Security cards, vaccination cards, loan documents, and insurance paperwork.

It's critically important that your master password is strong, because every other protection depends on it: the vault's encryption key is derived from it, and in a Zero Knowledge design the provider cannot recover it for you.

How do password vaults work?  

Password managers store your login credentials and other sensitive information in encrypted vaults.

Your master password is required to derive the key that encrypts and decrypts your vault. Secure by Design password managers run a password-based key derivation function such as PBKDF2-HMAC-SHA256 over the master password and a per-user salt for hundreds of thousands of iterations to derive that key; the iterations are what make each guess expensive for an attacker.

The derived key is then used with AES-256 to encrypt your vault data, i.e., stored passwords, notes and URLs. This converts your passwords from plaintext to ciphertext, which is useless to anyone without the key.

The best and safest password managers operate on a Zero Knowledge model. This means your master password and the key derived from it are known only to you: the provider stores ciphertext, never the password or the key, so neither an insider nor a breach of the provider's servers yields readable vault data. What a breach does yield is ciphertext that can be attacked offline by guessing master passwords, which is why the strength of the master password still matters.

Can I use a password manager to generate my passwords? 

The answer is yes.  

But not all password managers are created equal. 

The best password managers allow you to customize password creation to comply with industry best practices and with individual sites' rules.

This includes creating passwords of sufficient length and incorporating a combination of upper- and lower-case letters, symbols, and numbers. Two details matter more than the character mix: every character must come from a cryptographically secure random source (never a user-chosen pattern), and length does more for strength than composition, since each extra random character multiplies the guessing space.

Do password managers encrypt just passwords? 

The most secure password managers encrypt both passwords and stored URLs.

URL encryption converts plaintext URLs into ciphertext, so the URLs are unreadable to bad actors.

So, even if the encrypted data is accessed, it reveals nothing about which services or accounts the stored credentials belong to, which denies an attacker both a target list and a hint at which third-party breaches to cross-reference.

Debunking myths and security concerns 

Are password managers a single point of failure? 

While it's true a password manager can constitute a single point of failure, the best and safest password managers take a multi-layered, defense-in-depth approach towards data security. This includes: 

  • The use of advanced encryption: A standardized cipher such as AES-256, keyed from a slow key derivation function, protects vault data at rest even when the ciphertext falls into the wrong hands. 
  • Continuous security updates: This ensures the latest cryptographic methods are implemented and vulnerabilities are addressed promptly.  
  • The availability of advanced MFA options: Authenticator apps like Google Authenticator and biometric multi-factor authentication stop attackers who hold only a password, but their codes and prompts can still be phished or relayed. Hardware tokens like YubiKey (FIDO2) are the option that resists phishing and account takeover, because the credential is bound to the legitimate site's domain. 

Can password managers be hacked? The truth behind the scary headlines 

Yes, password managers can be hacked, but so can anything else. 

No tool is 100% foolproof: if you use a weak master password or fall for a phishing scam (AI-generated or not), your data could be compromised. The good news is that the countermeasures are few and simple, namely a long, unique master password and phishing-resistant MFA, both covered later in this article. 

By contrast, here's what happens if your employees continue managing passwords the old-fashioned way:  

  • Wasted hours resetting forgotten passwords, resulting in lost productivity 
  • Reused passwords across multiple accounts, so that a single account compromised anywhere (a breached third-party site, say) lets attackers log in to every other account that shares the password 
  • Identity theft, system lockouts, and empty bank accounts after a security breach, leading to operational disruptions, legal penalties, and reputational damage

Ultimately, a password manager with a strong master password removes password reuse and makes offline attacks on your vault computationally prohibitive, which means more security and peace of mind for you. 

I use Google Password Manager (GPM) and have never been hacked: Why convenience may not be your safest choice  

So, is Google Password Manager safe? 

Many people think so: Currently, it’s the most popular password manager in the world.  

So, if your employees use Google Password Manager and have never been hacked, we understand the feeling of “Why fix what isn’t broken?” 

That said, you deserve better than relying on luck as a security strategy. Here are the top four (4) reasons trust in the Google brand may put your business data at risk: 

  • Unknown security standards: Unlike LastPass, Google has published little about how Google Password Manager encrypts and handles vault data, and the password manager itself has not been the subject of published independent third-party assessments. That leaves no way to verify Google's claims about data privacy. 
  • Susceptibility to AI-driven malware attacks: Threat actors are now using AI to build infostealer malware that bypasses Chrome's protections and reads the credentials stored on an infected endpoint. This has resulted in the theft of millions of passwords from Google Password Manager. 
  • No vault-specific FIDO2 MFA: As of 2025, Google Password Manager offers no separate hardware-security-key step for unlocking the vault itself; once the Google Account session and the device screen lock are satisfied, the saved passwords are available. Hardware keys are the most phishing-resistant form of MFA.  
  • Limited password generator functionality: Google's password generator is far less customizable than the generators of Secure by Design password managers like LastPass. It also has hit-and-miss reliability, with users reporting that it may not pop up when needed. 

So, how secure is a password manager? The surprising truth that will change how you protect your passwords 

For months, news headlines have been warning about hackers executing prolonged, multi-staged attacks against password managers. 

This fear campaign ironically puts your data at greater risk. 

Here's why: The real danger isn't in using a password manager; it's in NOT using one. Without a password manager, your employees will be left juggling hundreds of passwords and relying on memory alone. They may be tempted to use easily guessable (and reused) passwords to cope with the cognitive overload. 

That’s EXACTLY what hackers are counting on.  

So, the question isn’t whether password managers are perfect – they're not. The question is whether they’re the best option available to protect your data in an increasingly volatile threat landscape. 

And the answer is clear: with a Zero Knowledge model and FIDO2 MFA, they are. 

Is Google Password Manager better than LastPass? 

But before we get to Zero Knowledge and FIDO2, let's address the elephant in the room: Is Google Password Manager better than LastPass?

There’s no question about it: Google Password Manager (GPM) is free, convenient, and user-friendly.  

To appeal to casual users, Google even rolled out new security improvements in Q1 2025. 

The Identity Check feature now makes face or fingerprint authentication mandatory when accessing saved passwords and passkeys with Google Password Manager away from trusted locations. 

While this is a worthy addition to the Android security framework for GPM users, LastPass has taken a more comprehensive approach, integrating best-in-breed security controls into our new purpose-built, highly available security infrastructure.  

Our technologically sound, battle-tested security fortress has earned us recognition as G2’s Spring 2025 Leader in Password Management, Dark Web Monitoring, Passwordless Authentication, Biometric Multi Factor Authentication, Single Sign-On, Web Security, and Risk-Based Authentication. 

We’re also a 2025 Titan Business Award winner in the IT: Business to Consumer category. Even Ask.com recommends LastPass as a secure password manager for Chrome users. 

At LastPass, we understand the pressure to do more with less. You’ve got to land new clients, outpace the competition, and keep the lights on. But here’s the hard truth: ONE data breach could cost you everything – your reputation, business, and hard-earned money. 

That's where a Zero Knowledge password manager like LastPass comes in, offering an easy way to protect your business without sacrificing convenience. And most importantly, it's also affordable.

Zero Knowledge keeps your business safe – even when you’re not watching 

LastPass operates on a Zero Knowledge model, which means it has NO access to your passwords or other sensitive data. In our Zero Knowledge system, data is encrypted locally on your device before transmitting to our servers.  

Basically, there are three (3) key elements to Zero Knowledge. 

  • Encryption: a two-way process that converts your plaintext data into unreadable ciphertext and back again, but only for someone holding the key 
  • Hashing: a one-way function that converts your password into a fixed-length value from which the password cannot be recovered  
  • Salting: the addition of a per-user random value to your password before hashing or key derivation, so identical passwords produce different outputs and precomputed tables are useless 

As mentioned above, your master password is used as an input to a key derivation function like PBKDF2 to generate an encryption key. Because AES is symmetric, this is the same key that also decrypts your vault.  

When you first set up your vault and create a master password, the client derives the vault key from the salted password and then derives a separate authentication hash from that key. Only the authentication hash is sent to the server, which salts and hashes it once more before storing it. 

At each login, the client repeats the same derivation and sends the freshly computed authentication hash; the server recomputes its stored value and compares. If they match, the server releases your encrypted vault, which the client decrypts locally. Throughout the entire process, neither the plaintext master password nor the vault key is transmitted or stored anywhere, and what the server holds cannot be turned back into either; this is the heart of Zero Knowledge security.


The Zero Knowledge encryption duo that keeps hackers out 

LastPass employs AES-256 encryption and 600,000 rounds of PBKDF2-SHA-256 hashing plus salting to protect your data. AES-256 is considered virtually uncrackable: it is standardized by NIST (FIPS 197) and approved by the NSA for protecting classified information up to TOP SECRET (CNSSP 15).  

Essentially, AES-256 is what is popularly called military-grade encryption. It's a symmetric encryption algorithm that uses a 256-bit key to encrypt data. AES processes data in blocks, and each block is always 128 bits in size (fixed), regardless of key length. 

AES also supports three key lengths: 128, 192, or 256 bits. The longer the key, the more work an exhaustive search of the key space requires.  

With 256 bits, there are 14 rounds of encryption and more than 1.1 × 10^77 possible keys, making it practically impossible for brute-force attacks on the key to succeed. Note what that figure does and does not cover: nobody searches AES keys. An attacker who steals a vault guesses master passwords instead, paying 600,000 PBKDF2 iterations per guess, so the vault is exactly as strong as the master password is unguessable, multiplied by that work factor.  

How Zero Knowledge and Advanced MFA work together to help you win the security game 

MFA is compatible with a Zero Knowledge model: it gates the login that releases your encrypted vault, while the master password alone still produces the decryption key. That is also why MFA cannot rescue a weak master password if a copy of the vault is stolen and attacked offline. 

By supporting the most advanced MFA options, LastPass ensures your business can implement the level of security it needs.  

For example, LastPass supports contextual authentication, which dynamically adjusts the authentication process based on real-time contextual signals such as device location, login time, or user behavior.  

If an unusual login attempt is detected, LastPass will prompt for additional verification or block the attempt altogether. This type of MFA combines strong security with usability by using intelligent risk assessment to grant or revoke access permissions. 

Finally, LastPass supports FIDO2-based MFA, the gold standard for authentication. Here's why FIDO2 matters for your business: 

  • AI has democratized cybercrime, enabling even minimally skilled hackers to launch sophisticated and devastating attacks. Legacy or SMS-based MFA is powerless against the newest credential-based, SIM swap, MFA fatigue, and AiTM (adversary-in-the-middle) attacks, because a one-time code or an approval prompt can be relayed or coaxed out of the user just like a password.  
  • FIDO2 hardware security keys like YubiKey help satisfy the strong-MFA requirements of frameworks such as PCI DSS 4.0, GDPR, HIPAA, and DORA. The YubiKey FIPS series is FIPS 140-2 validated and is used in environments subject to CMMC Level 3 and FedRAMP requirements. FIDO2-based MFA helps your business meet its compliance obligations easily, without your needing to hire more staff. 
  • FIDO2 security keys like YubiKey are phishing-resistant, and by denying attackers the stolen credentials that start most intrusions they also close off a common ransomware entry point. They support the Zero Trust approach of "Trust nothing, verify everything." Authentication requires a physical touch of the YubiKey, ensuring that only a present user can initiate access. So, even if your employees are tricked into visiting a fraudulent site, the YubiKey won't authenticate: the browser only lets a site use a credential registered for its own domain (the relying party ID), and the signed response carries the origin the browser saw, so a look-alike domain can't produce anything the real site will accept. 

As a G2 leader in the “best biometric authentication software” category and the first password manager to achieve FIDO2 server certification, we have your back. 

With FIDO2 based MFA, you get more than security – you get peace of mind, happier employees, and less stress. 

Regular security audits ensure your data is safer than ever 

As a Zero Knowledge password manager, we don’t just promise security – we prove it through regular assessments by independent third parties. This ensures compliance with Zero Knowledge principles, encryption standards, and data protection regulations.  

At LastPass, we build trust through transparency. 

How Dark Web Monitoring outsmarts hackers 

At LastPass, our Dark Web Monitoring works round the clock to protect your business. 

Your employees will receive instant alerts if their credentials are found on the Dark Web. They will then be prompted to update their passwords with stronger, more secure alternatives. 

To align with Zero Knowledge principles, our Dark Web Monitoring tool never exposes your unencrypted passwords. 

The password manager that’s redefining security 

Many free or cheap password managers are built for convenience – not security. 

At LastPass, we’re committed to your privacy and security. So, don’t settle for “good enough.” Take charge by working with a password manager that prioritizes Security by Design. 

And because we want you to be confident in your investment, we created a password management ROI calculator to help you explore how LastPass can help prevent data breaches, lower IT support costs, and boost employee productivity.  

When you’re ready to experience the peace of mind enjoyed by millions of our customers, try a 14-day trial of LastPass FREE (no credit card or commitment required). 
