Password managers like 1Password are the new targets for hackers, according to a new report. Picus Security has revealed that according to its latest research, 25% of malware now targets these password stores.
A majority of password managers will have some form of additional security before you’re able to access them. For instance, on iPhones, the web browser Firefox will ask for Face ID before unlocking its built-in password manager. However, on a PC the same store is unprotected once you’re logged in, making it a potential target.
Some other apps will also leave this unprotected once logged in, but the discovered malware is also digging deep into operating systems like Windows. According to the Vice President of Picus Labs, Dr. Suleyman Ozarslan, malicious actors are programming malware to perform all manner of attacks.
In the press release, Dr. Ozarslan said, “Threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom.”
Applications like 1Password will have a “master password”, which once acquired, can cause major damage. However, the news might not slow down the adoption of the software.
As mentioned above, browsers now come with their own built-in password managers. Applications like LastPass and NordPass are ever popular due to the ever-rising need for complex passwords that even the user won’t remember.
How to fight back against password manager hackers
It’s recommended that you apply two-factor authentication (2FA) to any highly important accounts. This can tie in with an authenticator app such as Google Authenticator, which generates a rotating string of numbers that must be entered before access is granted. At the most basic level, text messaging 2FA should be turned on.
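The “rotating string of numbers” that authenticator apps produce is a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second time step, truncated to six digits. The code below is an added example, not from the article or from Picus or Google; it shows how a server verifies such a code, tolerating one step of clock drift and refusing to accept a code for a time step that has already been used, which is what stops a stolen code from being replayed. The secret and timestamps are the RFC 6238 test vector (the ASCII key `12345678901234567890`), chosen so the output is checkable; `secret_from_base32`, `verify_totp` and `last_counter` are names assumed here.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (QR code / setup key)."""
    padded = encoded.strip().upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)            # counter as 8-byte big-endian
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(
    secret: bytes,
    submitted: str,
    for_time: int,
    step: int = 30,
    digits: int = 6,
    window: int = 1,
    last_counter: Optional[int] = None,
) -> Optional[int]:
    """Return the matched time-step counter, or None if the code is rejected.

    - window: how many steps of clock drift to tolerate on either side.
    - last_counter: the counter of the last code this account successfully used;
      any counter at or before it is refused, so a code cannot be replayed
      within its validity window. The caller persists the returned counter.
    """
    current = int(for_time) // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_counter is not None and counter <= last_counter:
            continue                            # already consumed: replay attempt
        expected = hotp(secret, counter, digits)
        # constant-time compare so timing does not leak how many digits matched
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test key
    print("code at t=59:", totp(key, 59))
    print("accepted at t=59:", verify_totp(key, totp(key, 59), 59))
    print("replayed at t=60:", verify_totp(key, totp(key, 59), 60, last_counter=1))
```

A real deployment persists the accepted counter per account, rate-limits failed attempts, and keeps the shared secret encrypted at rest; the example only models the verification logic itself.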
While passwords are constantly at risk, companies like Microsoft and Apple are slowly trying to migrate their users away from them. Passkeys or biometric IDs are becoming more prevalent, and in 2024, Microsoft removed passwords for 1 billion users. The Seattle giant also has a list of banned passwords on its Azure cloud service.
Picus Labs evaluated and processed 1,094,744 pieces of malware throughout 2024. Through these, it found over 14 million “malicious actions” embedded in them. Interestingly, it found that there was “no significant increase” in “AI-driven malware” in 2024, despite the concerns surrounding the technology and cybersecurity.