The Breach That Started With One Reused Password

In 2023, a single employee at Norton LifeLock's parent company, Gen Digital, reused a personal password across multiple accounts. Attackers used credential stuffing to compromise nearly 925,000 customer accounts. One password. Nearly a million victims. If you've ever wondered why use a password manager, that incident answers the question in brutal terms.

I've spent years investigating breaches, running phishing simulations, and training organizations on security awareness. The pattern is always the same. People reuse passwords. Threat actors exploit it. The damage snowballs. A password manager is the single most effective tool most people aren't using — and it's not even close.

This post breaks down exactly why password managers matter, how they protect against real attack vectors, and what to look for when choosing one.

Credential Theft Is the #1 Attack Vector — Period

The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in over 77% of attacks against web applications. That number has held steady for years. Attackers don't need to hack your firewall when they can just log in.

Here's how it works. A data breach leaks millions of email-password combinations. Threat actors feed those credentials into automated tools that try them against hundreds of other sites — banks, email providers, corporate VPNs. If you've reused a password even once, you're a target.

This is called credential stuffing, and it's devastatingly effective. A password manager eliminates the core vulnerability by generating unique, complex passwords for every single account you own.

Why Use a Password Manager: The Real-World Case

What a Password Manager Actually Does

A password manager stores all your credentials in an encrypted vault, locked behind one strong master password. It generates random, unique passwords for each site. It auto-fills login forms so you never have to remember — or type — a password again.

That means even if one site gets breached, every other account stays safe. No reuse. No domino effect. No credential stuffing attack chain.

It Protects Against Phishing, Too

Here's something most people don't realize. Password managers are surprisingly effective against phishing attacks. When you visit a fake login page — one designed to look exactly like your bank or your company's portal — your password manager won't auto-fill. It checks the URL. If the domain doesn't match, nothing happens.

I've run phishing simulations for organizations of every size through platforms like our phishing awareness training for organizations. In my experience, users who rely on password managers are significantly less likely to hand credentials to a spoofed page. The tool does the verification a stressed, hurried human brain won't.

The $4.88 Million Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Stolen credentials were the most common initial attack vector, and breaches involving them took an average of 292 days to identify and contain.

Think about that. Nearly 10 months of a threat actor living inside your systems. All because someone reused their Netflix password on a corporate account.

For small and mid-size businesses, these numbers are existential. You can't absorb a multi-million-dollar hit. Deploying password managers across your organization is one of the cheapest, highest-impact security controls available.

What About Multi-Factor Authentication?

Multi-factor authentication is essential. I recommend it for every account that supports it. But MFA alone isn't enough — and it was never designed to compensate for weak or reused passwords.

Attackers have adapted. SIM-swapping bypasses SMS-based MFA. Adversary-in-the-middle frameworks like EvilProxy intercept MFA tokens in real time. CISA explicitly recommends using both strong unique passwords and MFA together as complementary layers.

A password manager makes the "strong unique passwords" part effortless. Pair it with hardware-based MFA, and you've built a defense that stops the vast majority of credential-based attacks.

"But What If the Password Manager Gets Hacked?"

This is the objection I hear most. It's a fair question, especially after the LastPass breach in 2022 where encrypted vaults were exfiltrated. Here's my honest answer.

That breach was serious. But the attackers got encrypted data. Users with strong master passwords and no password reuse for their vault credential were largely protected. The encryption held.

Compare that to your alternative: dozens of reused passwords stored in a browser, a sticky note, or a spreadsheet called "passwords.xlsx" on your desktop. I've seen all three in real incident investigations. The password manager — even with its risks — is orders of magnitude safer than the alternatives.

How to Minimize Password Manager Risk

  • Use a long, unique master password — at least 16 characters, ideally a passphrase.
  • Enable MFA on the password manager vault itself.
  • Choose a manager that uses zero-knowledge architecture — the vendor never sees your master password.
  • Keep the software updated. Always.

What to Look for When Choosing a Password Manager

Not all password managers are equal. Here's what matters when you're evaluating options for yourself or your organization.

  • Zero-knowledge encryption: Your vault is encrypted locally before it ever touches the cloud.
  • Cross-platform support: It needs to work on every device your team uses — desktop, mobile, browser extensions.
  • Secure sharing: Teams need to share credentials without emailing them in plaintext.
  • Breach monitoring: Some managers alert you when a saved credential appears in a known data breach.
  • Admin controls: For organizations, look for policy enforcement, user provisioning, and audit logs.

NIST's Digital Identity Guidelines (SP 800-63B) recommend against password complexity rules that lead to predictable patterns. Instead, they favor long, unique passwords — exactly what a password manager generates.

Password Managers Inside a Zero Trust Strategy

If your organization is moving toward a zero trust architecture — and in 2026, you should be — password managers are a foundational piece. Zero trust assumes no user or device is trusted by default. Every access request is verified.

That verification starts with identity. Weak or reused passwords undermine the entire model. You can't verify identity if the credentials themselves are compromised. Password managers ensure every authentication attempt uses a strong, unique credential, supporting the "never trust, always verify" principle at its most basic level.

Training Your People Is the Other Half

Deploying a password manager without training your people is like installing a deadbolt and leaving the key under the mat. Your employees need to understand why it matters, how social engineering works, and what credential theft looks like in practice.

I've built our cybersecurity awareness training program around exactly this kind of practical, real-world education. It covers phishing, ransomware, social engineering, and yes — password hygiene. Because tools only work when people actually use them correctly.

The Bottom Line: You Already Know the Answer

You already know why use a password manager. You know you reuse passwords. You know your employees do too. You've read about the breaches. You've seen the numbers.

The gap isn't knowledge — it's action. Pick a password manager. Deploy it. Train your team. Enable MFA on top. These aren't aspirational goals. They're baseline security hygiene that stops the most common attack vector on the planet.

Your organization doesn't need a bigger security budget. It needs fewer reused passwords. A password manager gets you there today.