The 2 Password Manager Method – Important Vs. Non-Important

I’ve talked about the 2 password manager idea before in my post about what if your password manager gets hacked.

But I feel I need to give this idea its own post because of how seriously important it is.

What Is The 2 Password Manager Method?

It’s as the name describes: you use 2 password managers — one password manager for the important stuff and the other for the not-so-important stuff.

An important password is like your banking, email, retirement accounts, or any account that if stolen would feel like the world is ending.

A non-important password is everything else.

The reason email gets grouped in the important category is that it’s the hub for resetting all your other passwords.

Someone who makes a living off YouTube might consider it an important password while someone who doesn’t might find it not important. At the end of the day, what each person considers important will vary.

Why 2 Password Managers?

Why 2 password managers? It’s the same reason you would not carry your birth certificate, passport, physical social security card or any important thing around with you everywhere you go.

Some things are more important than others and we take steps to protect them.

Password Managers Are Only Secure When Locked

Another thing to keep in mind is that your password manager is only secure when it’s encrypted – and it’s only encrypted when you’ve locked it or closed the app.

Many password managers decrypt the entire vault so that you can log into websites and use the app. With this in mind, do you really need all your passwords exposed in one location? Is it necessary for your banking password to be sitting next to your Twitter password?

So long as you use a computer you trust, there is nothing to worry about. But it does ring the “what if” bells that make you think. While most people should not worry… you still feel like you need to do something.

This is not meant to scare you but to make you more aware of how password managers work. Only use a computer you own and never unlock your vault on a computer you don’t trust. Also, keep a good antivirus and your computer updated.

How Often Are You Using Your Important Passwords?

What helped convince me of the 2 password manager method is how often I’m using these important accounts.

We’re living in a time where it’s easier to use the banking app on your phone than it is to go to their website or even deal with a real person. With fingerprint readers and FaceID, logging into your bank app is almost too easy.

Combine that with using email apps and you don’t need the passwords to these important accounts that often.

Other things like retirement accounts are services you might check monthly if not yearly. Do you need the password to such an important account always on the ready?

What Two Password Managers Should You Use?

I say for your non-important passwords go with a cloud-based password manager like 1Password, Bitwarden, LastPass, Dashlane, or whatever you like.

For the important passwords use a local password manager like KeePassXC. Then store the vault file on Dropbox or any private file-sharing service you want. This way you can use it on your mobile device and never have to open it on your desktop computer unless you really need to.

Make sure to back up the local password manager to a flash drive for the off chance of a ransomware attack or any other unforeseen issue in the future. Once-a-year backups should be fine; if every account has a unique password, there is no need to change it unless you think it’s compromised.
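An added example, not part of the original post, of the yearly flash-drive backup described above as a small Python script: it writes a dated copy of the vault and verifies the copy by SHA-256 before reporting success, and it refuses to overwrite an existing dated copy so a bad vault cannot replace a good backup. The file names and the placeholder vault bytes in demo() are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path

def sha256_of(path):
    """Stream the file through SHA-256 so a large vault never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_vault(vault, backup_dir, when=None):
    """Copy vault to backup_dir as <stem>-YYYY-MM-DD<suffix> and verify it byte-for-byte.

    Dated copies are never overwritten: if the synced vault has been encrypted by
    ransomware, a rerun cannot silently clobber a good older backup.
    Returns (copy_path, sha256_hex) on success.
    """
    vault, backup_dir = Path(vault), Path(backup_dir)
    stamp = (when or date.today()).isoformat()
    target = backup_dir / f"{vault.stem}-{stamp}{vault.suffix}"
    if target.exists():
        raise FileExistsError(f"backup for {stamp} already exists: {target}")
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(vault, target)
    expected, actual = sha256_of(vault), sha256_of(target)
    if expected != actual:
        target.unlink()  # do not leave a corrupt copy that looks like a backup
        raise OSError("copy verification failed; removed the bad backup")
    return target, actual

def demo():
    """Run the backup against a constructed placeholder vault (not a real KeePass database)."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp) / "important.kdbx"
        vault.write_bytes(b"placeholder vault bytes, not a real KeePass database")
        drive = Path(tmp) / "flash-drive"  # stands in for the mounted flash drive
        copy, digest = backup_vault(vault, drive, date(2024, 1, 15))
        try:
            backup_vault(vault, drive, date(2024, 1, 15))
            refused = False
        except FileExistsError:
            refused = True
        return copy.name, digest == sha256_of(vault), copy.read_bytes() == vault.read_bytes(), refused
```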

2 Password Managers Is Too Complicated

If you feel using 2 password managers is too much, then consider using one password manager for the everyday stuff and, for the important stuff, writing the passwords down and keeping them in a safe.

It’s the same idea and pretty much “hack-proof.” The only thing that you should do is make sure every password is unique.

I usually don’t like recommending writing down passwords, because people are then more likely to reuse passwords, but if you give every account a unique password I see no issue. Well, there is the fire or other natural disaster that could happen, but we’re starting to split hairs now.

There is also the option of peppering your important passwords as described here.

In the end, there is no wrong way to go about this. The simple fact that you’re even using a password manager puts you miles ahead of most people. And the fact you’ve found this article means you are taking your security to the extreme and will find something that suits your needs. Congrats on being awesome!

Other Options

There are many ways to go about this…

  • Use two online password managers, one for the important accounts and the other for non-important accounts. With Bitwarden and LastPass offering free accounts this might be worth it to some. Just switch between the accounts you need.
  • Use one password manager for all passwords and then let the web browser store the non-important passwords for you. Probably the simplest method for most people.
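An added example, not part of the original post, covering the split described in the options above and the “every password is unique” rule: a small Python script that sorts a password-manager CSV export into the two vaults by site domain and flags any password shared by more than one entry before you import. The column layout, the important-domain list and the sample rows are all constructed assumptions; real exports use their own column names, so adjust the keys to match.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the user's own list of "important" sites (bank, email, retirement).
# Constructed for the example; replace it with the accounts you consider important.
IMPORTANT_DOMAINS = {"bank.example", "mail.example", "retire.example"}

# Constructed sample export. The (name,url,username,password) columns are a generic
# assumption, not any particular manager's format. An export is the whole vault in
# plaintext, so run this on a trusted machine and delete the file afterwards.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://online.bank.example/login,alice,Correct-Horse-1
Email,https://mail.example/,alice@mail.example,Battery-Staple-2
Twitter,https://twitter.example/home,alice,Sunny-Day-3
Forum,https://forum.example/,alice,Sunny-Day-3
Retirement,https://retire.example/,alice,Tulip-Garden-4
"""

def site_domain(url):
    """Reduce a URL's host to its last two labels so 'online.bank.example' matches 'bank.example'."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def split_vault(export_text, important_domains=IMPORTANT_DOMAINS):
    """Partition export rows into (important, other), one list per password manager."""
    important, other = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        bucket = important if site_domain(row["url"]) in important_domains else other
        bucket.append(row)
    return important, other

def reused_passwords(rows):
    """Map each password used by more than one entry to those entries' names.

    Reuse across the two vaults defeats the split: a leak of a non-important
    password would hand over the important account too.
    """
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}

def to_csv(rows):
    """Serialize one bucket back to CSV text with the same columns, ready for import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["name", "url", "username", "password"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Fix every reused password reported by reused_passwords() before importing the two CSVs, otherwise the two vaults are separate in name only.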

1 thought on “The 2 Password Manager Method – Important Vs. Non-Important”

  1. I have used the password manager inside a web browser in parallel with KeePass for about two years now. I had always used KeePass before this. I did not plan for this to happen, I was just too lazy one day to look up a password for an account in KeePass, and after looking it up and logging in I decided to let the browser remember it, because I did not want to be bothered with this again. Of course, it was one of those not so important accounts, so I didn’t mind saving it in the browser. That’s how it started off.

    The issue with this is that it invites disorganization, and you may get to a point where you no longer update the password in your main password manager, and given time you start to replace your main password manager with the one found in your web browser. If you allow yourself to get away with this, you end up with passwords and usernames in your web browser that are more up to date than those found in your main password manager. Then you ask yourself, do I have a copy of this in KeePass or not (or whatever your manager of choice is).

    So I have stopped using the password manager inside the web browser to store my passwords. After removing 50 or so credentials from the browser that were duplicates of what I already had stored in KeePass, I still have 52 credentials I have not reviewed and deleted yet.

    Another point with using the browser for password keeping is, when you log in on a site with an updated password you have to remember to click the “update password” button to update the password that’s stored in the browser. If you don’t, and sometimes even if you do, you may end up with duplicate or otherwise messy entries and, for example, you won’t know which one is more current. This can be caused by some of the “modern” login screens on some sites where you have to enter the email address first, then click “next” and then enter the password and click “ok” to log in, using two page views instead of just one to enter your credentials, or other such unconventional nonsense. This can throw off any good password manager that uses form field detection and automation for automatically filling out forms for us in order to save us from manual labor. Getting this wrong when trying to log in is not so bad; the worst that can happen is that you’re refused access. (Unless the simulated key presses land on the “password reset” link or some other such thing and activate it involuntarily.) But relying on this to update your stored credentials for that site can have unforeseen consequences. So I prefer to update all my passwords manually, so I know I get it right, and I always test it afterwards.

    One other thing to keep in mind when using 2 different password managers is that, if you want to keep records of previously used passwords for your sites, you may lose that metadata when you export/import to merge the data from 2 different managers that use different formats. For this use case I would rather recommend using the same manager but with 2 different vaults, with or without pepper on top of those important account passwords.
