Beyond end-user credentials such as user IDs and passwords, password managers are actually capable of managing a multitude of other secrets such as Colonel Sanders’ secret recipe for Kentucky Fried Chicken or a blockchain user’s account keys and associated mnemonic recovery phrases. At first blush, given how password managers keep their users from losing or misplacing their digital secrets, they seem perfect for blockchain users who are terrified of losing access to their public distributed ledger accounts and the cryptocurrency balances connected with them. For Bitcoin alone (never mind the rest of the public ledgers), most estimates suggest that roughly 20 percent of the circulating supply (worth approximately $388 billion when this article was written) is inaccessible to its owners due to lost or misplaced keys.

However, as subtly alluded to in a recent article on Forbes.com (see Millions Of Password Manager Users On Red Alert—Act Now To Stay Safe), most password managers involve an architectural feature that’s the equivalent of flypaper to threat actors.

The article quotes Picus Labs vice president Dr. Suleyman Ozarslan as having said “threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting and compromising local and cloud-based password stores.” Forbes noted that the researchers at Picus Labs found that, out of more than one million new malware samples analyzed, 25 percent were targeting credentials in password stores and that the so-called “threat actors” are “prioritizing complex, prolonged, multi-stage attacks that require a new generation of malware to succeed.”

The report was not a condemnation of password managers. Dedicated password managers are still highly recommended as a means to manage important digital credentials and other personal secrets. Minimally, they help end-users to get away from the extremely dangerous practice of re-using the same password across multiple online services while also synchronizing those secrets across various personal devices. Instead of a user having to remember a different set of login credentials for tens if not hundreds of different online services, password managers will not only autofill user IDs and passwords at the time of login, they typically offer support for advanced authentication workflows including those that include two-factor authentication, hardware-based keys (known as roaming authenticators), and passwordless passkeys. 

However, the passing mention of “cloud-based password stores” as a priority target of threat actors should not go unnoticed. Pretty much all password managers run a central cloud that handles the synchronization of your credentials and other secrets across your various devices. Some password managers also allow you to use your own central cloud or resource as a synchronization hub. It’s a huge convenience. But, compared to some arcane personal system that only you know about (like hiding your secrets under your blender), the bad guys know exactly how the different password managers are built, where to look for the central credential stores, and are hell-bent on breaking in because, as the Forbes article states, they’re “the keys to the kingdom.”

Architecturally, malicious actors are smitten with the centralization of anything that supports millions of users. They will tenaciously work a single point-of-attack in order to get to a trove of valuable and often sensitive secrets. The recent UnitedHealth breach — perhaps the biggest breach in American history given the number of people impacted (one out of every two Americans) — started at a single entry point. 

Although the central password stores of the major password managers have not been breached, there is no chance that these threat actors will relent. What’s the solution? There’s never a silver bullet. Almost by design, the bad guys are always one step ahead of the good guys (who are often locked into a reactive vs. proactive mode) making it difficult to anticipate the next sophisticated threat. But, architecturally, perhaps it’s time to consider how the antithesis to a centralized approach – in other words, a decentralized architecture – represents a potentially better option for the protection of important secrets (especially the most sensitive ones like blockchain keys and mnemonic recovery phrases). 

When secrets are decentrally managed in a way that there’s no central storage of them, malicious actors are not only deprived of an obvious target to hack, they’re also deprived of any opportunity for scale. The UnitedHealth breach is a good example of how the scale of the returns can be disproportionate to the hacker’s investment. When a system or architecture deprives malicious actors of their opportunity for scale, those actors are left to move along to other, softer and more scalable targets or to pursue individual high value targets.

Particularly when it comes to the world of cryptocurrencies and non-fungible tokens (NFTs), there are certain high value targets (a.k.a. “whales”) that, if compromised, are worth the effort to unscrupulous thieves. Last year, Crypto.News reported that web3 investigator ZachXBT discovered a potentially suspicious transfer where a single whale may have been pickpocketed for more than 4,000 Bitcoin (worth $238M at the time). Although it isn’t known how the alleged hack was perpetrated, it’s proof that malicious actors will settle for high value targets in absence of scale if the payoff is big enough.

Here, again, decentralized architectures have a role to play in hardening such high value targets. For example, when a secret such as a blockchain private key or a wallet’s secret mnemonic recovery phrase is protected with the open Decentralized Recovery (DeRec) protocol, there’s no centralized target where multiple users can be scalably attacked.

Furthermore, every secret that’s protected with the DeRec Protocol is divided into dissimilar fragments that are encrypted and secretly sprinkled across the Internet in such a way that a malicious actor would have to physically discover and decrypt at least half of them before the actual secret could be reassembled. In other words, instead of protecting each secret with a centralized (and easily targeted) architecture (as most password managers do), secrets that are under the management of the DeRec Protocol are protected with a decentralized architecture that makes them nearly impossible for attackers to target, let alone hack.
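The threshold fragmenting described above, as an added illustration that is not DeRec’s own code, fragment format or helper exchange: a constructed 32-byte key is split into five Shamir-style shares, any three of which rebuild it while two alone yield only a random value. The field prime, share count and threshold are assumptions chosen for the demo, and the per-fragment encryption the protocol adds on top is not modelled.

```python
import secrets

# Constructed illustration of threshold secret splitting (Shamir's scheme over a
# prime field). Not DeRec's implementation; it only models the "at least half of
# the fragments" property the article describes.
PRIME = 2**521 - 1  # Mersenne prime; large enough for secrets up to 64 bytes


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, n: int, threshold: int):
    """Split `secret` into n (x, y) shares; any `threshold` of them rebuild it."""
    if not 1 < threshold <= n or len(secret) > 64:
        raise ValueError("bad parameters")
    # The constant term is the secret; the other coefficients are random, so any
    # set of fewer than `threshold` points is consistent with every possible secret.
    coeffs = [int.from_bytes(secret, "big")] + [
        secrets.randbelow(PRIME) for _ in range(threshold - 1)
    ]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate the shares at x = 0 and return the secret bytes."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # A wrong reconstruction is a random field element that may not fit in
    # `length` bytes, so widen the output instead of raising OverflowError.
    return total.to_bytes(max(length, (total.bit_length() + 7) // 8), "big")


def demo():
    """Constructed 32-byte 'key': five helpers hold fragments, any three restore it."""
    key = bytes(range(32))  # constructed sample value, not a real key
    shares = split_secret(key, n=5, threshold=3)
    enough = recover_secret(shares[:3], len(key))   # 3 of 5 fragments: succeeds
    too_few = recover_secret(shares[:2], len(key))  # 2 of 5 fragments: garbage
    return enough == key, too_few == key
```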

So, when it comes to the idea of protecting blockchain private keys and wallet secret recovery phrases with a password manager, the operative question isn’t whether or not the password manager’s centralized architecture will ever get compromised. The question we should be asking is whether it’s worth it to take a chance on them when another, structurally safer approach exists. Could password managers one day be suitable for storing our blockchain keys and secret recovery phrases? Absolutely; once they begin to support the open DeRec Protocol (which they are all invited to do).