Proton
Subscribe by RSS

Is it safe to let your password manager autofill your password?

Kate Menzies

Share this page

Struggling to keep track of all your passwords? You’re not the only one. Password managers exist because it’s difficult to keep track of hundreds of logins and all their various passwords. It’s likely you have saved passwords on your devices for convenience: You might use the password manager built into your browser, software offered by a third party, or one of the cloud-based password managers working across multiple devices like iCloud.

A good password manager can suggest secure passwords(new window), store all of your login credentials safely, and then autofill fields instantly so you don’t need to type in your login details each time. They’re a very useful tool, and one that can help you strengthen your online safety if used correctly. However, there are some safety tips you should be aware of if you want to stay extra secure. In this article we’ll focus on how password autofill can affect your online security.

Is using a password manager safe?

First, let’s understand how a password manager works. Think of your password manager like a bank vault: It’s full of valuable resources, and both you and your service provider are responsible for protecting access to it. You can protect yourself by creating a strong master password or passphrase and using two-factor authentication (2FA). Your password manager can then store and protect those passwords.

One of the ways a password manager protects your data is by encrypting it using an encryption algorithm. All your logins, passwords, payment methods, notes and other data will only be accessible to you and the password manager’s servers. Some services offer the more secure option of end-to-end encryption, which prevents the company from accessing your data and ensuring only you can see it. When you’re choosing a password manager, it’s safest to choose one which offers end-to-end encryption, including of metadata. Proton Pass offers end-to-end encryption(new window) which makes all of your data and metadata unreadable when it’s stored in your vault. No-one can access it, not even Proton.

How does password autofill work?

Autofill is a feature in many password managers that lets you automatically populate fields on a website so you don’t have to manually type them in. Fields can include your username and password, but also your bank card details, 2FA code, and other data.

Generally speaking, password autofill is either automated or manual. When autofill is automated, your saved login and password will populate in the relevant fields of a website you’ve saved credentials for. When autofill is manual, your password manager will wait for you to interact with the fields by clicking or typing before it will autofill your password. 

Password autofill risks

Using automated password autofill means you don’t have to think about entering your credentials, but this is risky. Autofill will automatically fill any field on a webpage without your permission. For example, a malicious landing page may have multiple invisible fields which hackers can use to convince your password manager to autofill with your credentials. This can happen without your knowledge, and multiple passwords can be compromised by a single landing page. 

This is a well-known attack called an AutoSpill exploit(new window). In 2023, many password managers were confirmed to have been compromised using this exact exploit, including 1Password, LastPass, Enpass, Keeper, and Keepass2Android. It’s a vulnerability that many password managers simply didn’t have a rigorous enough autofill policy to combat.

But it’s actually incredibly easy to avoid. All you need to do is turn on manual autofill. 

Your password manager will always run background checks, examining the domain and verifying that no phishing elements are present. But using manual autofill creates an extra layer of security because it gives you a chance to check that you’re on the right website. 

Proton Pass uses manual autofill by default and only populates fields on domains you already trust. 

How can I keep my passwords safe? 

Ultimately, it’s up to you to make sure you’re staying safe online. One of the best ways you can do that is to use a trusted, secure password manager. Along with manual autofill, end-to-end encryption, and secure password suggestion, reliable password management software should offer:

The option to create passkeys

Passkeys(new window) make it possible for you to verify your identity online without using a password or passphrase. This means that instead of using a specific password, you can create a digital credential that’s tied to your logged in device. In effect, your password manager becomes the authenticator rather than your password. This is sometimes a more secure option than a password, but not every platform supports them. Proton Pass gives you the option to use passkeys when available.

Proactive protection

In the background, your password manager needs to be aware of data breaches and potentially compromised websites. Pass Monitor in Proton Pass(new window) scans the dark web for you to ensure none of your credentials have leaked, flagging any weak or repeated passwords, and preventing hackers from ever being able to access your account even if they’ve acquired some of your information.

Identity management

Your personal email address is almost like your online passport. A good password manager will not only protect the data and metadata that you save, it’ll help you create email aliases(new window) which forward emails into your inbox. Proton Pass easily generates hide-my-email aliases that can’t be connected to you, putting an extra layer of safety between hackers and your personal email address. If an alias address is compromised, all you’ll need to do is deactivate it.

Proton Pass is the only password manager that offers complete identity protection, using end-to-end encryption built by scientists at CERN. With Proton Pass, you’ll have access to:

Take the first step in protecting your passwords today. Get Proton Pass.

Protect your passwords
Skapa ett gratis konto

Related articles

A phone screen with a speech bubble with a phone number in it
en
Your email address and passwords aren't the only information hackers can use to scam you. Here's what someone can do with your phone number — and how to protect it.
A web application screen with an unlock icon in the bottom right corner
en
Your best defense against a data breach could be improving your web application security: Find out how Proton Pass can help.
Investigative journalist Vegas Tenold explains the gear he uses to protect his privacy and stay safe.
en
  • Privacy news
How Vegas Tenold stays safe
Follow investigative journalist Vegas Tenold as he explains his gear and how it keeps him safe from surveillance as he works in the field.
Coinbase, the largest Bitcoin exchange in the US, suffered a data breach
en
  • Privacy news
  • Proton Wallet
Coinbase hack reveals true cost of data collection
Coinbase employees sold sensitive personal information to attackers, including government IDs and BTC transaction history. Proton Wallet is built to avoid these risks.
Whistleblower's whistle. Journalists must use secure channels to communicate with whistleblowers.
en
Whistleblowers risk everything to expose the truth. This guide helps journalists keep their sources safe using secure tools like Proton Mail, Signal, and SecureDrop.
An image showing a phone screen with a child icon and three icons with '17+' '8-12' and '3-5' to indicate age ratings
en
Parents can help their children develop healthy screen habits by learning about dark design patterns — Proton investigates how