For almost two years, Ars has advised readers to use a software-based password manager to ease the password fatigue that comes from choosing and securing dozens of hard-to-guess passcodes that are unique to each site or service. A research paper scheduled to be presented at a security conference next month underscores the hidden dangers of selecting the wrong products. The researchers examined LastPass and four other Web-based managers and found critical defects in all of them. The worst of the bugs allowed an attacker to remotely siphon plaintext passcodes out of users' wallets with no outward sign that anything was amiss. LastPass and three of the four other developers have since fixed the flaws, but the findings should serve as a wakeup call. If academic researchers from the University of Berkeley can devise these sorts of crippling attacks, so too can crooks who regularly case people's online bank accounts and other digital assets.