Password Manager - Vulnerabilities

Vulnerabilities

Desktop password managers and browser-based password managers are convenient, but they often provide no protection for stored passwords. While the computer is on, another individual can open the password manager and read the user's passwords. Requiring a password to open the repository improves this slightly, but if the passwords are stored unencrypted, anyone with local access to the machine can still generally obtain them.

Some password managers derive the key used to encrypt the protected passwords from a user-selected master password or passphrase. The security of this approach depends on the strength of the chosen password (which might be guessed or brute-forced) and on the passphrase never being stored locally where a malicious program or individual could read it. A compromised master password renders all of the protected passwords vulnerable. This demonstrates the inverse relation between usability and security: a single password is more convenient (usable), but if compromised it exposes every password it protects.

As with any system in which the user enters a password, the master password may also be attacked and discovered using key logging or acoustic cryptanalysis. Some password managers attempt to use virtual keyboards to reduce this risk, though this is in turn vulnerable to key loggers that take screenshots as data is entered.

Some password managers include a password generator. Generated passwords may be guessable if the password manager uses a weak random number generator instead of a cryptographically secure one.
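The contrast described above, as an added example that is not code from any password manager: a generator backed by Python's `random` module (a Mersenne Twister, not a cryptographic generator) produces a password that is a pure function of its seed, so a guessable seed such as a timestamp makes the password reproducible, whereas a generator backed by `secrets` draws from the operating system's CSPRNG. The character set, the seed value and the minimum length are constructed for this example.

```python
import math
import random
import secrets
import string

# Character set assumed for generated passwords (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_generate(length: int, seed: int) -> str:
    """Generator backed by random.Random (Mersenne Twister).

    The output is a pure function of the seed, so anyone who can guess or
    recover the seed (for example a timestamp) can regenerate the "random"
    password without ever touching the vault.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 20) -> str:
    """Generator backed by the OS CSPRNG via the secrets module.

    Candidates missing a character class are rejected so the result also
    satisfies typical site password policies; rejection is rare at this
    length and alphabet size, so the loop terminates quickly.
    """
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing resistance: log2 of the number of equally likely outputs."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Same seed, same password: the weak generator is reproducible.
    print(weak_generate(16, 1700000000), weak_generate(16, 1700000000))
    # Two strong passwords: independent and unpredictable.
    print(strong_generate(), strong_generate())
    print(f"{entropy_bits(20):.1f} bits for a 20-character password")
```

The entropy figure only holds for the strong generator; the weak generator's effective entropy is bounded by the entropy of its seed, however long the password.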

A strong password manager limits the number of failed authentication attempts before it locks down and requires IT services to re-activate it. This is the best way to protect against the brute-force attack.

Password managers that do not prevent their memory from being swapped to the hard drive make it possible to extract unencrypted passwords from the computer's hard drive. Turning off swap or installing more memory can prevent this risk.
