Password Managers: Security, Risks, and Forensic Implications

November 18th, 2025 by Oleg Afonin
Category: «General»

Password managers have become a common part of everyday digital life, helping users handle hundreds of online accounts. They simplify authentication and reduce the need to remember complex credentials, yet the same centralization that makes them convenient also concentrates risk. Modern platforms from Apple, Google and Microsoft all ship with built-in password managers, and many users rely on third-party apps for the same purpose.

As a result, password managers now hold a significant share of the world’s authentication secrets. This creates a dual reality: they help reduce password reuse and encourage stronger credentials, but they also represent a single point of compromise. For attackers, they are an attractive target with a high payoff. For law enforcement and forensic specialists, they can provide lawful access to a suspect’s digital footprint and may serve as the starting point for broader password recovery efforts.

How many users?

Here’s the elephant in the room: estimating how many people use password managers is very difficult because there is simply no single measurement standard. Surveys rely on self-reported behavior, while different vendors may count registered accounts, paid subscribers or app installations. These metrics are not directly comparable, so any estimate should be treated as approximate. Still, even rough estimates matter for forensic work because they indicate how often investigators are likely to encounter stored credentials on devices or in the cloud.

Reports from Security.org in 2024 suggest that roughly one third of U.S. adults use some type of password manager, whether built-in or third-party. This number is a rough approximation, but it aligns with the steady adoption of platform-integrated solutions. Browser and operating system market share provides more reliable usage numbers: Chrome accounts for about 70% of global browser activity, Safari (using Apple’s OS-wide keychain storage) for around 13%, and Edge for 4-5% more. Because these browsers already include integrated password managers such as Apple Keychain, Google Password Manager and Microsoft’s sync service, their reach likely exceeds the adoption of standalone applications.

Third-party password managers also hold significant portions of the market, though their numbers vary widely depending on how usage is counted. Business Wire reported in 2024 that Bitwarden surpassed 10 million users worldwide. According to company statements, LastPass claims more than 30 million registered users. Industry analyses place 1Password in the range of millions of active customers, while Dashlane, Keeper and NordPass maintain smaller but notable user bases. Together, LastPass, Bitwarden, 1Password, and Dashlane cover the largest slice of the market for third-party password managers. These figures are best understood as rough indicators rather than precise counts, because install numbers, enterprise seats and active daily users differ substantially.

How do the numbers work?

As already mentioned, it is hard to compare the numbers due to the lack of comparable data points. However, it can be estimated that built-in password managers (Apple, Google, and Microsoft combined) are used by approximately 55% of all users of password managers. Among them, Google Password Manager (~32%) is more popular than Apple (~23%), while Microsoft (~4-5%) is a distant third. This also matches the global usage statistics for major Web browsers.

Third-party apps like LastPass, Bitwarden, 1Password, Dashlane, etc., make up the remainder. The same security.org report estimates LastPass having a market share of about 11%, Bitwarden ~10%, 1Password ~5%, Keeper ~3%, and Dashlane ~2%. These numbers reflect password managers primarily used by survey respondents.

For context, NordPass surveys estimate that individuals often manage well over a hundred personal passwords, plus many more for work. At the same time, multiple studies show that a majority of users still reuse passwords across services. These two trends help explain why adoption continues to rise despite the difficulty of producing accurate numbers. Even with the uncertainty, the available data shows that password managers are now used by a very large portion of the online population, and investigators should expect to encounter them frequently in modern forensic cases.

The dilemma: risks vs. benefits

From the user’s standpoint, password managers provide several security benefits – and a few drawbacks. They automate the creation of unique, complex passwords and make it easier for users to follow recommended practices without having to remember large numbers of credentials. This reduces password reuse, which is one of the most common causes of break-ins. They also streamline daily use through autofill and cross-device syncing, lowering the temptation to fall back on weak or memorable passwords. Many managers now include breach alerts, password-health checks and the ability to store recovery codes or OTP secrets, creating a single place where users can maintain stronger, more consistent authentication habits.

We first addressed the topic of password manager security back in 2012, conducting research on 20+ different mobile apps and presenting our findings at the BlackHat conference in Amsterdam. It must be said that the situation back then was quite dire, and developers learned from their mistakes, but new risks emerged, and many of the old ones remain fundamentally unsolvable. We published a whitepaper based on that research.

At the same time, password managers introduce their own security risks. Centralizing all credentials behind a single master password creates a critical point of failure: once the vault is compromised, every stored account may be exposed. The risk increases when users also store OTP seeds or recovery codes, since these can enable complete account takeover in a chain attack. Password managers are therefore attractive targets for attackers, who frequently attempt to breach vault apps or the cloud services that synchronize them. Human-factor mistakes, such as choosing a weak master password, turning off two-factor authentication or falling for account-recovery phishing, further increase exposure. Cloud-sync mechanisms add another layer of risk, and their forensic implications are too broad to be discussed in this article.

Password managers and law enforcement

Password managers give investigators a ready view of a user’s accounts: usernames, passwords, URLs, and sometimes notes or recovery tokens. Those real credentials are highly valuable for forensic work because they expose recurring words, transformations and user-specific habits. Extracted passwords can be converted into targeted dictionaries, masks and rule sets that focus cracking efforts on likely candidates, improving success rates within a given timeframe compared with blind brute force. Currently, Elcomsoft Distributed Password Recovery supports all common password manager apps including KeePass, LastPass, 1Password, Dashlane, Bitwarden, Dropbox Passwords, Enpass, Kaspersky, Keeper, Roboform, Sticky Password, and Zoho Vault. Browser passwords, in turn, are extractable with Elcomsoft Internet Password Breaker.

Many password managers (built-in and third-party alike) sync through cloud services, which affects both opportunity and complexity. Apple’s iCloud Keychain, Chrome’s password sync tied to the Google Account, and Edge’s sync with Microsoft accounts are examples of platform-integrated flows; some third-party vendors such as Bitwarden run hosted vaults while also offering self-hosting. Cloud sync also increases risk: a cloud breach or account takeover can expose large numbers of credentials. Remote extraction is a complex, separate topic that requires both skills and specialized tools such as Elcomsoft Phone Breaker.

There are limitations, too. If the user follows recommended security practices and employs randomly generated, high-entropy passwords, there could be little or no pattern material for creating masks or rules. Vaults containing both human and machine passwords must be manually processed before one can analyze them for useful patterns, and there are currently no tools to automatically analyze such data sets and create patterns or rules for subsequent brute-force attacks. Some password managers store OTP seeds or encrypt fields in ways that limit what can be exported or reconstructed. In other words, while password managers are often the best starting point for password recovery, they do not guarantee reusable or easily exploitable material.

The practical implications

A typical workflow begins with gathering every available credential source from the device and any associated cloud services. This may include local vault files, browser-stored passwords, and CSV exports, as well as cloud-synced data such as iCloud Keychain entries, Google-synced Chrome passwords, or records from vendor-hosted vaults.

With a consolidated password list in hand, the next phase focuses on analysis and pattern building. Unfortunately, there are currently no tools to automatically generate effective rules from arbitrary password dictionaries, so human expertise is still essential. Converting vault data into plain text allows faster manual review, helping distinguish random, automatically generated strings from human-chosen passwords. Entries are then grouped by shared characteristics such as base words, predictable suffixes, variants, or service-specific formats, because these patterns give data points for constructing targeted attacks. Masks, hybrid wordlists, rule-based transformations, and automated mutations are then built from these observations to create focused and highly targeted attacks – the kind of attacks that are the most likely to succeed within a given timeframe. Human judgment and iterative tuning are therefore still required.
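The following Python script is an added illustration of the two points made above and in the limitations section: generator output yields no pattern material, while human-chosen entries can be grouped by base word and suffix shape and the observations expressed as hashcat-style masks and rules. It is not part of the article and not code from any Elcomsoft product. The sample list is constructed for the example and contains no real credentials; the thresholds in `looks_generated`, the minimum base-word length of four letters and the leet substitution map are assumptions chosen for illustration.

```python
"""Added example (not from the article): sort a recovered password list into
machine-generated and human-chosen entries, group the human ones by base word
and suffix shape, and express the observations as hashcat-style masks and rules.
The sample list below is constructed and contains no real credentials."""
import math
import re
from collections import Counter

# Constructed sample of what a plain-text vault export might look like.
SAMPLE_PASSWORDS = [
    "Summer2023!", "Summer2024!", "summer99",
    "Fluffy1985", "Fluffy!1985",
    "xK9#vQ2mL8@pZ4wR", "g7Hq2Lp9Wz3xVb1N",   # generator output
    "London2021", "london2022!",
    "Password1", "P@ssw0rd2",
]

# Assumed leet substitutions, used only when a password has no usable leading word.
LEET_MAP = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"}
LEET_TABLE = str.maketrans(LEET_MAP)
BASE_RE = re.compile(r"^([A-Za-z]+)(.*)$", re.S)


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def char_class(ch):
    """hashcat charset letter (l, u, d, s) for one character."""
    if ch.islower():
        return "l"
    if ch.isupper():
        return "u"
    return "d" if ch.isdigit() else "s"


def mask(s):
    """hashcat mask (?l ?u ?d ?s) describing the shape of a string."""
    return "".join("?" + char_class(c) for c in s)


def looks_generated(pw, min_len=14, min_classes=3, min_entropy=3.5):
    """Assumed heuristic: long, mixed-class, high-entropy strings are treated as generator output."""
    classes = {char_class(c) for c in pw}
    return len(pw) >= min_len and len(classes) >= min_classes and shannon_entropy(pw) >= min_entropy


def split_base(pw):
    """Return (base_word, suffix, leet_used); base is the leading run of letters,
    lower-cased. Falls back to leet-decoding when that run is shorter than four letters."""
    m = BASE_RE.match(pw)
    if m and len(m.group(1)) >= 4:
        return m.group(1).lower(), m.group(2), False
    m2 = BASE_RE.match(pw.translate(LEET_TABLE))
    if m2 and len(m2.group(1)) >= 4:
        return m2.group(1).lower(), m2.group(2), True
    return None, pw, False


def derive_rule(pw):
    """hashcat rule that rebuilds pw from its base word: capitalization,
    leet substitutions (only when decoding was needed) and the literal suffix."""
    base, suffix, leet_used = split_base(pw)
    if base is None:
        return None
    funcs = ["c" if pw[0].isupper() else "l"]
    if leet_used:
        funcs += ["s%s%s" % (plain, leet) for leet, plain in LEET_MAP.items() if leet in pw]
    funcs += ["$" + ch for ch in suffix]   # assumes the suffix contains no whitespace
    return " ".join(funcs)


def analyze(passwords):
    """Split the list, group human passwords by base word, collect mask and rule statistics."""
    generated = [pw for pw in passwords if looks_generated(pw)]
    human = [pw for pw in passwords if not looks_generated(pw)]
    groups, suffix_masks, rules = {}, Counter(), Counter()
    for pw in human:
        base, suffix, _ = split_base(pw)
        groups.setdefault(base, []).append(pw)
        suffix_masks[mask(suffix)] += 1
        rule = derive_rule(pw)
        if rule:
            rules[rule] += 1
    return {
        "generated": generated,               # no pattern material here
        "human": human,
        "groups": groups,                     # base word -> member passwords
        "full_masks": Counter(mask(pw) for pw in human),
        "suffix_masks": suffix_masks,         # shape of what follows the base word
        "rules": rules,                       # hashcat rules reproducing each entry
        "wordlist": sorted(b for b in groups if b),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_PASSWORDS)
    print("generator output (no pattern material):", result["generated"])
    for base, members in result["groups"].items():
        print(f"base {base!r}: {members}")
    print("most common suffix shapes:", result["suffix_masks"].most_common(3))
    print("candidate rules:", list(result["rules"]))
    print("base-word wordlist:", result["wordlist"])
```

The output separates the two sixteen-character generator strings from the nine human-chosen entries, groups the latter under four base words, and reports that a four-digit year plus one symbol is the most frequent suffix shape. The same statistics, run over an organization's own audited credentials, show which conventions a password policy should forbid.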

For more information on using existing passwords in building password recovery queues, refer to the following articles:


REFERENCES:

Elcomsoft Distributed Password Recovery

Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.

Elcomsoft Distributed Password Recovery official web page & downloads »


Elcomsoft Internet Password Breaker

Elcomsoft Internet Password Breaker instantly reveals passwords to Web sites, identities, and mailboxes stored in a variety of applications. Supporting all popular Web browsers and all versions of Outlook Express, Microsoft Outlook, Windows Mail and Windows Live Mail, Elcomsoft Internet Password Breaker helps you retrieve the login and password information to a wide variety of resources.

Elcomsoft Internet Password Breaker official web page & downloads »