Double blind password refers to a secure way to store passwords within a password manager app that keeps the real password hidden from both the app and the user. This method is a recommended solution for those who want the convenience of a password manager app without the potential risks of a security breach.
The following tutorial will explain exactly how to setup and use the double blind password method for your most sensitive online logins.
In a world where news of a new breached database occurs every week, it seems risky to put all your password eggs in a single password manager app basket.
Hear me clearly here…
I still highly recommend you use a good password manager app to help you create strong passwords and store them securely.
But I also realize that many people are hesitant to take the step to secure their passwords because:
- They don’t trust password manager apps. Despite the security measures of a password manager app, it’s understandable that you wouldn’t want to trust one company with passwords to all of your logins!
- They think it’s just too complicated. It’s easier to just stay with your less-secure passwords than try to migrate to a new method that seems a bit risky anyway.
Do either of these sound familiar?
If so, you’re in the right place.
Using the double blind password strategy that you’re going to learn here, you’ll be able to take advantage of stronger passwords that are blind to both you and the password manager app.
Note: Some of the links in this article are affiliate links, which means that at no extra cost to you, I may be compensated if you choose to use one of the services listed. I only recommend what I personally use, though, and my desire is to help you improve your online security.
How a Double Blind Password Works
Before I go into a written explanation, I strongly encourage you to take 5 minutes to watch this video. In it, I explain exactly how a double-blind password works, using language and visuals that make it easy to understand.
Make sure to subscribe to the All Things Secured YouTube channel!
The premise of a double blind password strategy is that neither you nor the password manager app know the full password.
You’re creating a strong password that is stored using a password manager software and then you’re adding a unique identifier that only you know.
When done correctly, the password that is being stored in the password manager vault isn’t the actual password.
Without the extra key that is the unique identifier you added, the password being stored in the secure vault is useless.
It’s a double blind password because you don’t know the first half of the password and the password manager software doesn’t know the second half.
This creates an incredibly secure password creation system where:
- The actual password is never stored anywhere;
- You’re still able to create strong, unique passwords for each online login;
- Even a malicious keystroke logger (that hackers might use) won’t be able to detect the password.
That’s how a double blind password works. Now, let’s get to the nuts and bolts of how to set it up and use it.
Double Blind Password Setup Tutorial
While the initial setup of this kind of password adds a few extra seconds to the process, I promise you it’s worth the effort.
I recognize that there are a number of great password managers on the market today. The one I use and recommend is 1Password, which is what you’ll see me use in this tutorial.
Double Blind Setup with 1Password (Tutorial)
Let’s pretend that you’re setting up a new Facebook account and you want to use the double blind password strategy with 1Password.
Here’s how you would do that.
First, with 1Password already installed on my computer, when you reach the entry to create a password, choose the one that 1Password suggests.
Once you’ve selected “Use Suggested Password”, you’ll be prompted to save that in your 1Password Vault.
Select “Save”.
Now that 1Password has saved the suggested password, and before you click “Sign Up”, you will now add your unique identifier. This could be a word, a set of numbers or anything else you want.
I suggest a 4-8 character combination of numbers and letters. Your unique key must be something you can easily remember!
Once you click “Sign up”, Facebook will save your new password that includes both the strong string of characters that 1Password suggested along with your unique key.
1Password doesn’t store your real password.
Once you’ve done this, however, how would you go about using this password?
Real-Life Use Case Tutorial – Facebook
In keeping with the Facebook example, let say you now want to login to your new account using the double blind password strategy.
When you reach the Facebook login page, the 1Password browser extension will automatically show you the available logins that are in your vault. Choose the appropriate login.
Once 1Password has filled in the password for you, click on the hidden password and type in your unique key that you set above.
If done correctly, you will automatically be logged in to your Facebook account.
There’s only one problem that sometimes arises that I want to address below.
Important Password Setting to Change
Once you set up a double blind password with your password manager app, you might notice one annoying problem:
The password manager will continually try to ask you to save this “new” password”.
Thankfully, there is a workaround here. This works for 1Password, although not every password manager app offers this functionality (i.e. Dashlane doesn’t).
If you go into the 1Password settings and click on the “Browsers” tab, you’ll find the password autosave setting.
This setting default is on, which is what you probably want, but in this case we don’t want the password manager to keep asking us about our double blind password.
So you can make exceptions for certain domains. In this case, I’ve put in “facebook.com” so that anytime I’m logging into Facebook using my unique key, the software doesn’t ask me to save this new password.
Boom!
That’s the simple fix. 🙂
You Shouldn’t Know Your Password…
…and neither should your password manager app.
This is the power of the double blind password strategy. The sad reality of our online world today is that a memorable password is also a weak password.
If you can recall all your online login passwords from memory, you either have a photographic memory or your passwords suck.
Similarly, if a hack into your password manager app file would ruin you, the risk is too great.
A double-blind password gives you the ability to create secure passwords using a password manager app like 1Password while keeping the true password secret.
It’s only a strategy, but it’s one you should definitely consider using.
Interesting! THanks for the tip! It makes sense to use this strategy for email, banking, etc. Thanks!
I’m glad you found it useful, Rachel!
What a great and reassuring idea!
Thanks, Jim
Thanks, Jim! I’m glad you found it useful 🙂
The double-blind password strategy is brilliant.
Some Anti-Virus Software has a Password Manager included in the paid-for package. How good is this, compared to a stand-alone Password Manager? Is it easier to have it all in one package?
Thanks, Peter! I hope you find good use with this strategy.
As with any software, some offer a better set of features than others. That said, you should be fine with the password manager that comes with your antivirus software package. It may not have all the bells and whistles that you’ll find with a standalone like 1Password or Dashlane, but it still gets the job done.
Dear Josh, do you think it’s enough secure to use the Chrome native password manager when combined with double-blind passwords? THANKS!
Depends on how you define “enough”, honestly. Yes, it’s definitely the next level of security above the Chrome native password manager, and for most people, that should be more than enough. 🙂
Should you also use 2 factor verification as well as double blind passwors? I do not have a password manager yet but feel I should!
Each of these are just added layers of protection. Having 2FA is great, but having 2FA and strong passwords is slightly better.
This sounds great, but wondering if you are getting up there in age and are mainly getting a password manager to make life easier for your estates chosen pOwer of attOrney, execuTOr, children etc. ? How does this affect them as my ChOsen emergency contacts and being able to access my accounts if something catastrophic happens? Thxs!
Great point, Melissa! This is an excellent way to make life easier for end of life scenarios. Make sure that your will contains the information to your password manager or it’s locked away somewhere else or given to one of your children. Either way, it will give them immediate access to all of your accounts without having to create a long document.
What happens when I’m at a friend’s house and want/need to get into my bank (or facebook account)? How will a password manager/double-blind password help is I’m away from my own computer and have to input a password at someone else’s system (or even a public system)?
If you have your phone, you can pull up the password from your password manager app there (and then add your unique double-blind code).
It’s not convenient, but I would argue that you probably shouldn’t be logging in to your bank account on a public or even a friends’ computer. You should only be doing that on your own device.
Wow. This is a great idea. I am looking at using 1Password and saw the link to explain double-blind. Thank you for sharing these great ideas. Ann 🙂
My pleasure, Ann! I’m glad you found it useful.
Great Idea Josh!
The only thing is how do you stop the password manager from suggesting to update the concatenated PWD?
Many Thanks,
Hichem
There are settings where you can turn off the autosave feature or, if you’d rather, you can turn off autosave for specific URLs (if you still like the update feature for other reasons). I hope that helps, Michem!
If you switch devices, example get a new pHONE, how do you take the passwords with you?
Thank you!
Using a password manager app like 1Password, you can easily download the app on the new phone, sign in and download your encrypted vault. It will require you to put in your Master Password and confirm with 2FA if you hopefully set that up, but other than that you’re good to go! It’s not hard at all.
Thank you for the great strategy.
Have one question though.
What if you need to update all your passwords and want to use the update all feature? Will you have to NOT use that since you won’t be able to add your unique ID at the end?
Most banks and investment accounts (i.e. your sensitive accounts) won’t work with the automatic password update feature on any password manager app. You’ll have to manually go in to change the password, at which point you can still set up a double-blind password.
JOSH,
very helpful information. However until covid hit i use to travel a lot.
What about password protection when travelling overseas? I’ve avoided using 2F identification because sometimes I can’t even receive a text with a one time code. I also always try to use a VPN but this also doesn’t work in some countries. Will 1password and the Double Blind trick you mention work everywhere around the world?
Great questions, Brent. My first response related to 2FA is that you probably shouldn’t use text message 2FA. I recommend either an authenticator app or a security key like Titan or Yubikey. Those work wherever you are and aren’t depending on a phone number.
Second, a VPN should work in all countries, although there are places such as China and the Middle East where they actively block VPNs. Still, if you’re willing to patiently try different protocols and servers, it will eventually connect.
And finally, yes, both password manager apps and the double blind password strategy will work in whatever country you go to. It is not dependent on location in any way.
Wow a really useful article. Interesting too. Keep it up and looking forward to many such.
Thanks so much, Vidhan.
Josh, great idea, but I don’t understand point #3 above: “Even a malicious keystroke logger (that hackers might use) won’t be able to detect the password.”
Why not? If they’re logging my keystrokes, wouldn’t they log both the password manager’s part and my part of the password?
Yes, this is true, but you’re assuming they also have access to your password manager vault, which in itself is quite difficult. There are also other methods to add these extra keystrokes that don’t require using the keyboard.
Hi Josh,
I really liked the idea. However, IF a HACKER got my passwords FROM the password MANAGER can’t he just use BRUTE force strategies to guess and add my additional “double-blind” part? Especially if it’s 4 characters long.
Thanks
Sure. There is no such thing as 100% un-hackable security. However, considering the effort a hacker would have to take to get into your password manager, to then have to brute force guess…he/she is probably going to look for easier targets.
The point of these strategies is to make you as unattractive of a target as possible.
hey Josh, appreciate the great security advice ! my question is, with the double blind method do you use the same double blind pw for all your accounts ? that also sounds more risky then having alternative double blind pws for your most important accounts, but is obviously harder to remeber them all.
love your idea as it adds another layer of security. I’ve been ‘password manager’ user for a long time and while in the beginning i wasn’t keeping there my most important passwords, after some time I gave up and started using for all. I ‘love’ how people are trying to make idea look bad. if you set up password manager properly with 2fa and strong password, plus you do ‘double blind’ strategy for most important things, i am sure that you are pretty safe. if nothing safe as much as you can be in online world. hackers who are able to get into your wallet with all steps above and figure out your passwords, they will not waste their time on you. They are so capable that they will go after bigger players, not my petty cash i have.
Thanks, Mike. Glad you found it useful!
‘brute force’ what? you cannot ‘brute force’ something that doesn’t exist. they could get your original password (even that it would take forever) but after that they cannot do anything. you could also make this ‘dobule blind’ more challenging like add at the beginning, or after first character, or after third.. But even just adding at the end I’m sure you are pretty safe. they would need to that you are using ‘dobule blind’ strategy, then try to login and after few tries would be locked. So, this is pretty safe strategy. Thanks josh
if i have a password manager in my virus protection APP do i need to discontinue that for 1password to be fully effective. the password manager in my anti virus app works for only some logins but not others. Does 1 password work for all logins?
Thanks
I tried this on one of my financial sites. I had the password manager create the password and then added a 5 digit unique ID at the end. the prompt box came up asking to save the password so i did thinking i could go then into the password manager and remove the last 5 digits.
i went into the password manager and it never saved the password with the 5 extra digits i added, only the password that was generated ( not sure why) but that is what i wanted anyways.
when i logged back into the site it had saved password including the 5 extra digits (good) but that 20 digit password was already in the password box so i didn’t have to input the unique id. i’m not sure why the 15 digit password stored in the password manager wasn’t automatically put in the password box in lieu of the full password stored by the site. now i have to remember not to add the unique ID to the end of the password on that site.
bottom line is my password manager has a 15 digit password and the site has a 20 digit password, exactly how i wanted it, but i don’t have to add the extra 5 digits because somehow (i’m assuming the site puts them in) they already there.
pay close attention to how your new secure password is saved and what is being saved by the site, by the password manager and if you do or do not have to enter a unique id to enter the site as it may already be entered for you.
Thanks for the heads up, Mike. Are you sure that your internet browser isn’t automatically saving your passwords as well?
josh, thanks for your reply.
i am using the Firefox lockwise password manager at the current time (i plan on updating soon). i just investigated the issue and found that the lockwise password manager created an entirely new entry with the full password and no userid (not sure why unless maybe the url was a bit different. many of these sites just redirect you to the new site). the new password was never saved in the original password manager entry. I had to copy and paste the new password without the 5 extra digits in the original password manager entry. that should have given me pause as to why it didn’t change but being the first time i tried it i thought that maybe i had just done something wrong or out of order. that’s also why the full password from the new entry was already in when i reentered the site to test the new password.
i deleted the original password manager entry and edited the new entry by entering the userid and removed the 5 extra digits (like i thought would have to do the first time and now when i go to login the site it brings up the correct password and then i have to add the 5 digits as you do in the article.
Bottom line is that the password manager creating a new entry with the full password in lieu of updating the existing one in password manager entry threw me off, otherwise, your method worked exactly as intended.
thanks again for your response and helpful security tips.
mike
Hi
I’m an OLDIE and purchased 1PAssword manager but a bit confused on something. 1PWM creates a new password which is great but my original password is still available for me to use if i wish if i say to the site that i’ve forgotten so can then change. is the only thing that’s really protecting me is that someone with access to my computer wont be able to see the long-on and password used because i’m not manually entering the password but 1PWM is doing behind the scenes? Is that the benefit? I also read above about someone who’d used double blind and he didn’t think it had saved the extra digits but in fact it did – am I right here? I want to use for my bank etc so do I need to turn off auto save in the account ? Thanks.
If somebody has direct access to your computer, they still won’t be able to see the password 1Password puts in or the extra digits, but theoretically they could just reset the password via your email account if it was open on the computer. This is one reason why I recommend using 2-factor authentication where available. This is not “reset-able”.
Hi Josh – many thanks for you’re response. Yes, I think 2 fac tor authentication is the way to go. Regards.
Hi, sorry just one question please: Is it possible to have 2 factor authentication only apply for selected accounts eg for say bank accounts but not everything else?
Thank you.
google “strong password generator plus” and use that to create unique usernames and passwords. Also, you will want to see what info the website needs to reset your password if a hacker just goes the route of stating they forgot the password. Sometimes it is as simple as emailing you a link, so then your email account becomes the most important password you need to contain (use mfa to secure email). other times the forget password link might ask for your answer to a security question. i always answer my security questions with some set formula using the characters in the question and an additional passphrase tacked on, such as “Where were you born?” Answer: wn5892 (used first and last letter of question along with a number that has meaning to me). Don’t ever answer security questions with the real answer, or your double-blind password will be as simple as somebody looking up where you were born. use mfa as a second line of security, and don’t ever have websites remember your device to skip the mfa. as a third line available on some sites, have a text alert sent to your phone for each time a user logs into your account. i have an alert for each time a purchase is made on any of my banking/credit cards as well. just a few suggestions.
Great thoughts here, Chris. Thanks for sharing!