A double blind password is a way of storing passwords in a password manager so that neither the app nor you knows the full password: the manager holds a long random string, and you append a short secret that is never entered into the manager. It is a practical option for people who want the convenience of a password manager without putting every login at the mercy of a single vault breach.
The following tutorial explains exactly how to set up and use the double blind password method for your most sensitive online logins.
In a world where news of a new breached database occurs every week, it seems risky to put all your password eggs in a single password manager app basket.
Hear me clearly here…
I still highly recommend you use a good password manager app to help you create strong passwords and store them securely.
But I also realize that many people are hesitant to take the step to secure their passwords because:
- They don’t trust password manager apps. Despite the security measures of a password manager app, it’s understandable that you wouldn’t want to trust one company with passwords to all of your logins!
- They think it’s just too complicated. It’s easier to just stay with your less-secure passwords than try to migrate to a new method that seems a bit risky anyway.
Do either of these sound familiar?
If so, you’re in the right place.
Using the double blind password strategy that you’re going to learn here, you’ll be able to take advantage of stronger passwords that neither you nor the password manager app knows in full.
Note: Some of the links in this article are affiliate links, which means that at no extra cost to you, I may be compensated if you choose to use one of the services listed. I only recommend what I personally use, though, and my desire is to help you improve your online security.
How a Double Blind Password Works
Before I go into a written explanation, I strongly encourage you to take 5 minutes to watch this video. In it, I explain exactly how a double-blind password works, using language and visuals that make it easy to understand.
The premise of a double blind password strategy is that neither you nor the password manager app knows the full password.
You let the password manager generate and store a strong random string, and then you append a unique identifier (a short secret) that only you know and that never goes into the manager.
When done correctly, the value stored in the password manager vault isn’t the actual password.
Without the extra key, the unique identifier you append, the value stored in the vault is useless on its own.
It’s a double blind password because you don’t know (and never need to know) the random first part of the password, and the password manager software doesn’t know the second part.
This creates a password system where:
- The full password is never stored in your vault or on your devices (the website itself should hold only a salted hash of it);
- You’re still able to create strong, unique passwords for each online login;
- A keystroke logger (the kind hackers plant on a machine) captures only the part you type, not the autofilled part, so on its own it does not reveal the full password. Note the limit of this claim: malware that reads the filled-in form field, or an attacker who holds both a copy of your vault and your keystrokes, gets everything.
That’s how a double blind password works. Now, let’s get to the nuts and bolts of how to set it up and use it.
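The scheme above, worked through in code. This is an added illustration, not code from the article or from 1Password: the random vault part, the memorised suffix, the site-side salted-hash storage and the sample secret `k7pq` are all constructed for the example. It shows that the vault part alone and the keylogged suffix alone both fail to log in, that the two together succeed, and how many guesses an attacker who already holds your vault still needs for a suffix of a given length.

```python
"""Toy model of a split ('double blind') password.

Added example, not the article's or 1Password's code. The hashing scheme
on the site side (PBKDF2-HMAC-SHA256 with a per-user salt) is an assumption
about what a well-run website stores; the secret suffix is a made-up sample.
"""
import hashlib
import hmac
import os
import secrets
import string

VAULT_ALPHABET = string.ascii_letters + string.digits + "!#$%&*-_"
# The article suggests letters and numbers for the memorised part.
SUFFIX_ALPHABET = string.ascii_lowercase + string.digits


def make_vault_part(length: int = 20) -> str:
    """The random string the password manager generates and stores."""
    return "".join(secrets.choice(VAULT_ALPHABET) for _ in range(length))


def compose(vault_part: str, secret_suffix: str) -> str:
    """The real site password: autofilled vault part followed by the typed suffix."""
    return vault_part + secret_suffix


def site_register(password: str, rounds: int = 100_000) -> dict:
    """What the website keeps: a salt and a slow hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "hash": digest, "rounds": rounds}


def site_verify(record: dict, candidate: str) -> bool:
    """Login check: hash the candidate with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["hash"])


def suffix_search_space(length: int, alphabet: str = SUFFIX_ALPHABET) -> int:
    """Worst-case guesses for an attacker who already has the vault part."""
    return len(alphabet) ** length


def simulate(secret_suffix: str = "k7pq") -> dict:
    """Run the threat scenarios for one account and report who gets in."""
    vault_part = make_vault_part()
    real_password = compose(vault_part, secret_suffix)
    # Few rounds only so the demo runs quickly; a real site uses far more.
    record = site_register(real_password, rounds=1_000)

    return {
        # You, with the manager's autofill plus your typed suffix.
        "legit_login": site_verify(record, real_password),
        # Scenario 1: your vault is copied. The thief holds only the prefix.
        "vault_only": site_verify(record, vault_part),
        # Scenario 2: a keystroke logger watched the login. The prefix was
        # autofilled (never typed), so the logger captured only the suffix.
        "keylogger_only": site_verify(record, secret_suffix),
        # Scenario 3: both. Vault copy plus keystrokes reconstructs everything.
        "vault_plus_keylogger": site_verify(record, vault_part + secret_suffix),
        # Remaining work for a vault thief: guess the suffix.
        "suffix_guesses": suffix_search_space(len(secret_suffix)),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>22}: {value}")
    for n in (4, 6, 8):
        print(f"{n}-char letters+digits suffix: {suffix_search_space(n):,} guesses")
```

Run it and the four scenario lines show only the legitimate login and the combined vault-plus-keylogger attack succeeding. The last lines are the point of the suffix-length advice further down: a 4-character letters-and-digits suffix leaves a vault thief about 1.7 million guesses, which is trivial offline (if the site's password hashes also leak) but slow against a site that rate-limits logins; an 8-character suffix is about 2.8 trillion.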
Double Blind Password Setup Tutorial
While the initial setup of this kind of password adds a few extra seconds to the process, I promise you it’s worth the effort.
I recognize that there are a number of great password managers on the market today. The one I use and recommend is 1Password, which is what you’ll see me use in this tutorial.
Setup Tutorial with 1Password
Let’s pretend that you’re setting up a new Facebook account and you want to use the double blind password strategy with 1Password.
Here’s how you would do that.
First, with 1Password already installed on your computer, when you reach the field where you create a password, choose the one that 1Password suggests.
Once you’ve selected “Use Suggested Password”, you’ll be prompted to save that in your 1Password Vault.
Select “Save”.
Now that 1Password has saved the suggested password, and before you click “Sign Up”, add your unique identifier to the end of the password field. This could be a word, a set of numbers or anything else you want.
I suggest a 4-8 character combination of numbers and letters. Your unique key must be something you can remember reliably, because the password manager cannot recover it for you. Longer is better: if your vault is ever copied, the attacker’s remaining work is guessing this key, and a 4-character mix of letters and digits is only about 1.7 million possibilities.
Once you click “Sign Up”, Facebook will save your new password, which consists of the strong string of characters that 1Password suggested followed by your unique key.
1Password doesn’t store your real password; it stores only the first part.
Once you’ve done this, however, how would you go about using this password?
Real-Life Use Case Tutorial – Facebook
In keeping with the Facebook example, let say you now want to login to your new account using the double blind password strategy.
When you reach the Facebook login page, the 1Password browser extension will automatically show you the available logins that are in your vault. Choose the appropriate login.
Once 1Password has filled in the password for you, click into the (hidden) password field, move the cursor to the end of the filled-in value, and type the unique key you set above.
If done correctly, you will be logged in to your Facebook account.
There’s only one problem that sometimes arises that I want to address below.
Important Password Setting to Change
Once you set up a double blind password with your password manager app, you might notice one annoying problem:
The password manager will continually ask you to save this “new” password, because the value you submitted differs from the one in the vault.
Thankfully, there is a workaround. This works for 1Password, although not every password manager app offers this functionality (Dashlane, for example, doesn’t).
If you go into the 1Password settings and click on the “Browsers” tab, you’ll find the password autosave setting.
This setting defaults to on, which is usually what you want, but in this case we don’t want the password manager to keep asking us about our double blind password.
So you can make exceptions for certain domains. In this case, I’ve put in “facebook.com” so that anytime I’m logging into Facebook using my unique key, the software doesn’t ask me to save this new password.
Boom!
That’s the simple fix. 🙂
You Shouldn’t Know Your Password…
…and neither should your password manager app.
This is the power of the double blind password strategy. The sad reality of our online world today is that a memorable password is usually a weak password.
If you can recall all your online login passwords from memory, you either have a photographic memory or your passwords suck.
Similarly, if a single compromise of your password manager vault would ruin you, the risk is too great.
A double-blind password gives you the ability to create secure passwords using a password manager app like 1Password while keeping the true password secret.
It’s only a strategy, but it’s one you should definitely consider using.
Interesting! Thanks for the tip! It makes sense to use this strategy for email, banking, etc. Thanks!
I’m glad you found it useful, Rachel!
What a great and reassuring idea!
Thanks, Jim
Thanks, Jim! I’m glad you found it useful 🙂
The double-blind password strategy is brilliant.
Some Anti-Virus Software has a Password Manager included in the paid-for package. How good is this, compared to a stand-alone Password Manager? Is it easier to have it all in one package?
Thanks, Peter! I hope you find good use with this strategy.
As with any software, some offer a better set of features than others. That said, you should be fine with the password manager that comes with your antivirus software package. It may not have all the bells and whistles that you’ll find with a standalone like 1Password or Dashlane, but it still gets the job done.
Should you also use 2 factor verification as well as double blind passwords? I do not have a password manager yet but feel I should!
Each of these are just added layers of protection. Having 2FA is great, but having 2FA and strong passwords is slightly better.
This sounds great, but wondering if you are getting up there in age and are mainly getting a password manager to make life easier for your estate’s chosen power of attorney, executor, children etc.? How does this affect them as my chosen emergency contacts and being able to access my accounts if something catastrophic happens? Thxs!
Great point, Melissa! This is an excellent way to make life easier for end of life scenarios. Make sure that your will contains the information to your password manager or it’s locked away somewhere else or given to one of your children. Either way, it will give them immediate access to all of your accounts without having to create a long document.
What happens when I’m at a friend’s house and want/need to get into my bank (or Facebook account)? How will a password manager/double-blind password help if I’m away from my own computer and have to input a password at someone else’s system (or even a public system)?
If you have your phone, you can pull up the password from your password manager app there (and then add your unique double-blind code).
It’s not convenient, but I would argue that you probably shouldn’t be logging in to your bank account on a public or even a friend’s computer. You should only be doing that on your own device.
Wow. This is a great idea. I am looking at using 1Password and saw the link to explain double-blind. Thank you for sharing these great ideas. Ann 🙂
My pleasure, Ann! I’m glad you found it useful.
Great Idea Josh!
The only thing is how do you stop the password manager from suggesting to update the concatenated PWD?
Many Thanks,
Hichem
There are settings where you can turn off the autosave feature or, if you’d rather, you can turn off autosave for specific URLs (if you still like the update feature for other reasons). I hope that helps, Hichem!
If you switch devices, for example get a new phone, how do you take the passwords with you?
Thank you!
Using a password manager app like 1Password, you can easily download the app on the new phone, sign in and download your encrypted vault. It will require you to put in your Master Password and confirm with 2FA if you hopefully set that up, but other than that you’re good to go! It’s not hard at all.
Thank you for the great strategy.
Have one question though.
What if you need to update all your passwords and want to use the update all feature? Will you have to NOT use that since you won’t be able to add your unique ID at the end?
Most banks and investment accounts (i.e. your sensitive accounts) won’t work with the automatic password update feature on any password manager app. You’ll have to manually go in to change the password, at which point you can still set up a double-blind password.
Josh,
Very helpful information. However, until Covid hit I used to travel a lot.
What about password protection when travelling overseas? I’ve avoided using 2F identification because sometimes I can’t even receive a text with a one time code. I also always try to use a VPN but this also doesn’t work in some countries. Will 1password and the Double Blind trick you mention work everywhere around the world?
Great questions, Brent. My first response related to 2FA is that you probably shouldn’t use text message 2FA. I recommend either an authenticator app or a security key like Titan or Yubikey. Those work wherever you are and aren’t depending on a phone number.
Second, a VPN should work in all countries, although there are places such as China and the Middle East where they actively block VPNs. Still, if you’re willing to patiently try different protocols and servers, it will eventually connect.
And finally, yes, both password manager apps and the double blind password strategy will work in whatever country you go to. It is not dependent on location in any way.
Wow a really useful article. Interesting too. Keep it up and looking forward to many such.
Thanks so much, Vidhan.
Josh, great idea, but I don’t understand point #3 above: “Even a malicious keystroke logger (that hackers might use) won’t be able to detect the password.”
Why not? If they’re logging my keystrokes, wouldn’t they log both the password manager’s part and my part of the password?
Yes, this is true, but you’re assuming they also have access to your password manager vault, which in itself is quite difficult. There are also other methods to add these extra keystrokes that don’t require using the keyboard.
Hi Josh,
I really liked the idea. However, if a hacker got my passwords from the password manager, can’t he just use brute force strategies to guess and add my additional “double-blind” part? Especially if it’s 4 characters long.
Thanks
Sure. There is no such thing as 100% un-hackable security. However, considering the effort a hacker would have to take to get into your password manager, to then have to brute force guess…he/she is probably going to look for easier targets.
The point of these strategies is to make you as unattractive of a target as possible.
Hey Josh, appreciate the great security advice! My question is, with the double blind method do you use the same double blind pw for all your accounts? That also sounds more risky than having alternative double blind pws for your most important accounts, but it is obviously harder to remember them all.