One common question we get at the DeRec Alliance is “Why can’t I just use a password manager to do what DeRec does?” It’s actually a great question.
First of all, it helps to know exactly what is meant by the phrase “password manager.” In the same way that the DeRec Protocol can be used to back up and recover any secret (not just mnemonic phrases, blockchain private keys, or passwords), the phrase “password manager” actually refers to a broader class of credential management solutions that include the ability to fill forms with data (aka “autofill”) and, in some cases, the ability to manage secrets that aren’t necessarily credentials. For example, many password managers provide free-text notes fields as well as user-defined custom fields into which just about any secret can be poured. These fields are undoubtedly included in the full package of user data that password management providers encrypt both at rest and in transit.
So, password managers do more than manage and protect passwords, and depending on which so-called password manager you pick, you may be able to use it to protect yourself against the loss of any secret. At a minimum, the phrase “password manager” is already on a path to obsolescence given the tech industry’s intention to eradicate passwords in favor of passkeys (two very different forms of credentials).
Today, there are two primary categories of these so-called password managers: (1) password managers that are built into the technologies we use and (2) third-party password managers that, at our option, can be substituted for the built-in ones. The three main built-in offerings are:
- Apple Passwords (formerly “Keychain” or “iCloud Keychain”) found in all of Apple’s recent operating systems
- Google Password Manager found in Android and Google Chrome
- Microsoft’s unnamed password manager found in most Microsoft platforms including Windows 10/11 and the Chromium-based Edge browser. It’s worth noting that, as part of Microsoft’s discontinuance of support for Windows 10, support for password management in Windows 10 will also be sunsetted.
In contrast, third-party password managers come from a growing list of vendors like 1Password, Bitwarden, DashLane, LastPass, NordSec, Norton, and others.
Whereas many third-party password managers have provisions for protecting against the loss of non-credential secrets (like a mnemonic phrase), the built-in password managers are more bare-bones and generally lack the flexibility to robustly manage non-credential secrets. This article scratches the surface of those limitations (at least when it comes to Apple, but the other two suffer in the same way).
When it comes to using password managers, it’s very important to consider the following:
- If you don’t already have a personal password management strategy, you should change gears and consider one immediately. As the world continues its shift away from passwords to passkeys, it will be impossible to get by without the assistance of a password manager or a roaming authenticator, the latter of which will be too inconvenient or too expensive for many end-users. Unlike the case with user IDs and passwords, there is no manual way to enter a passkey into a website or app that depends on passkeys for authentication. Today, virtually all sites and apps that support the passkey standard still offer the option to authenticate with user IDs and passwords (and additional factors). But at some point over the next 5-10 years, passwords should cease to exist for many sites and apps.
- If you’re a person who likes to keep their technology options open, we would recommend against a built-in password manager due to its lack of portability. For example, if you need to move from Mac to Windows at some point in the future, it will be harder to take your credentials and other secrets with you. However, most of the third-party password managers are highly multiplatform, covering multiple operating systems (desktop and mobile) and multiple browser technologies.
When we say portability, we mean the ease of shifting all of your credentials, secrets, and credential management skills from one platform to another, for example from iOS to Android. When you use a third-party password manager and have elected the option to sync your credentials to your other devices through the password manager’s cloud, all you need to do in order to start with a new device is install that same password management application (or browser extension) on that device and log in to it. Within moments, all of your credentials should be synced from the password manager’s cloud to the new platform.
However, as convenient as that may sound, it’s important to understand that this convenience would not be possible were it not for those central clouds operated by each of the password managers (or, in some cases, a central resource optionally operated by you or your company). The ability to keep your credentials and secrets in sync across multiple devices and browsers is wholly based on those centralized resources. Each of the password managers has its own cloud, and Apple’s was even called iCloud Keychain at one point!
While these centralized resources are a strength of various password managers — serving as their synchronization hubs — any centralization of our most sensitive information introduces a variety of risks. For the most part, little is known or verified about these hubs. For example, how exactly is the information stored (what fields of data are encrypted and how are they encrypted) and who, if anyone, has performed audits on such disclosures? Who works on the clouds and what procedures are in place to defend against the possibility of source code tampering and how closely are such procedures audited? And so on.
None of this means that the password managers cannot be trusted. However, these and other valid points are regularly raised in blockchain and DeFi conversations about the benefits of decentralized versus centralized architectures. In terms of external threats, password managers are extremely high value targets for malicious actors. In February 2025, Picus Security released research showing “that 25% of malware targets credentials in password stores — a 3X increase from 2023.” Given the centralized nature of their synchronization hubs, password managers are especially juicy targets for malicious actors seeking opportunities for scalable exploits. In that release, Picus Security co-founder Dr. Suleyman Ozarslan said “threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom.”
Similar to the situation with MetaMask’s Profile Sync features, synchronization infrastructure is sometimes viewed by users and marketers as a form of backup infrastructure and, correspondingly, synced copies of sensitive information are sometimes viewed as backups. But there are plenty of what-if scenarios to consider. For example, while adequate post-quantum precautions may be in place to prevent malicious actors from decrypting any sensitive information they’re able to exfiltrate, what about the chance that a malicious actor could corrupt that data (including synchronized credentials)?
The teams who are in charge of the various password management solutions have undoubtedly considered many such scenarios and what the remediation process should look like in the event that a recovery is necessary. But the more you stop to consider the number of scenarios for which the central password management solution providers haven’t advertised their standard procedures, the more you realize the degree to which you could be wholly trusting the safekeeping of your most valuable information to the control of others.
Ultimately, the best form of data backup and recovery for any solution involving end-user data — not just password managers — is not the solution itself. A backup and recovery strategy that lives inside the solution doesn’t cover you for a failure of that solution (which is entirely the point of backup and recovery). For decades, conventional wisdom has held that backups are taken and stored out-of-band. The same should be true of password managers: end-users should be enabled to self-recover their most sensitive information — the credentials to all of their accounts and other secrets — from an infrastructure other than the one that could potentially experience a disruption. For this reason, the DeRec Protocol is extremely complementary to the function of a password manager. Here’s why:
- It is open and royalty-free. Any password management solution can offer DeRec capability to its end-users.
- The DeRec architecture involves no centralized components. While the centralized component of a credential management solution represents a very worthy target to malicious actors because of the opportunity for scale, that same opportunity for scale simply doesn’t exist with DeRec due to its decentralized nature (see What is Meant By “Decentralization” and Why It Matters to the Protection and Recovery of Secrets). Additionally, DeRec not only has no centralized infrastructure, but no secret is ever stored by the DeRec Protocol in its entirety anywhere. Every asset that is backed up is backed up in a highly decentralized fashion, which in turn makes it virtually impossible for malicious actors to attack the protocol in a way that gains them access to an entire secret. Among the many other extremely difficult layers an attacker would need to defeat, they would at a minimum need to discover the identities of at least half the DeRec Helpers (see our FAQ: What is a DeRec Helper) that a user picked to protect their secret(s).
- Password managers could use DeRec to protect their entire vault (the container of the secrets) so that a user could be back in business with all of their credentials in short order. For example, if the synchronization hub starts to synchronize garbage, the password manager client could go offline, use the DeRec Protocol to recover all of a user’s credentials from their DeRec Helpers, and stay in offline mode until the central cloud returns to normal operation.
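As an added illustration (not DeRec Alliance code) of the threshold property the two points above describe, the following Python splits a vault secret among n helpers so that any k of them reconstruct it while fewer learn nothing useful, and then plays out the corrupted-sync-hub scenario; the sharing scheme (Shamir over GF(2^8)), the 3-of-5 quorum and the sample vault bytes are assumptions, since the article does not specify them.

```python
# Added example (not DeRec Alliance code): Shamir threshold sharing over GF(2^8).
# The article does not name DeRec's scheme; this only illustrates the property it describes.
import secrets

def gf_mul(a, b):
    # multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a, b = ((a << 1) ^ (0x11B if a & 0x80 else 0)) & 0xFF, b >> 1
    return p

def gf_inv(a):
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)  # a must be nonzero

def split(secret, n, k):
    # n shares (x, bytes); every secret byte gets its own random degree-(k-1) polynomial
    assert 1 < k <= n < 256
    polys = [[s] + [secrets.randbelow(256) for _ in range(k - 1)] for s in secret]
    shares = []
    for x in range(1, n + 1):
        y = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):  # Horner: acc = acc*x + c
                acc = gf_mul(acc, x) ^ c
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares

def recover(shares):
    # Lagrange interpolation at x = 0 (in characteristic 2, -x == x)
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            num = den = 1
            for xm, _ in shares:
                if xm != xj:
                    num, den = gf_mul(num, xm), gf_mul(den, xj ^ xm)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def vault_recovery_demo(vault=b"constructed-vault-master-key", n=5, k=3):
    # constructed scenario: the sync hub serves a corrupted copy, so the client
    # reconstructs the vault from any k of its n helpers (n=5, k=3 are assumed)
    helpers = split(vault, n, k)
    hub_copy = bytes(len(vault))  # corrupted synced copy (all zero bytes)
    return hub_copy == vault, recover(helpers[1:k + 1]) == vault, recover(helpers[:k - 1]) == vault
```

The demo returns (False, True, False): the hub's copy is unusable, any three helpers restore the vault exactly, and two helpers interpolate to the wrong value because each holds one point of a random degree-2 polynomial.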
In the same way that a password management solution cannot adequately take the place of a decentralized recovery protocol like DeRec, the DeRec Protocol does not compete with the primary functionality of password managers. Given their complementary nature and the open and royalty-free nature of the Decentralized Recovery Protocol, the operators of the different password management solutions should consider how their client-side software modules can offer both DeRec Helper and DeRec Owner (see our FAQ: What is a DeRec Owner?) capabilities. In so doing, they would instantly marshal each of their customer bases into a giant DeRec network that can back up anything (not just credentials) while at the same time providing an out-of-band safety net for their solutions.