
All Things Secured

Online Security Made Simple


What is a Double Blind Password? Password Manager Hack

July 20, 2020 By Josh Summers 29 Comments

Double blind password refers to a secure way to store passwords within a password manager app that keeps the real password hidden from both the app and the user. This method is a recommended solution for those who want the convenience of a password manager app without the potential risks of a security breach.

The following tutorial explains exactly how to set up and use the double blind password method for your most sensitive online logins.

In a world where news of a new breached database occurs every week, it seems risky to put all your password eggs in a single password manager app basket.

Hear me clearly here…

I still highly recommend you use a good password manager app to help you create strong passwords and store them securely.

But I also realize that many people are hesitant to take the step to secure their passwords because:

  • They don’t trust password manager apps. Despite the security measures of a password manager app, it’s understandable that you wouldn’t want to trust one company with passwords to all of your logins!
  • They think it’s just too complicated. It’s easier to just stay with your less-secure passwords than try to migrate to a new method that seems a bit risky anyway.

Do either of these sound familiar?

If so, you’re in the right place.

Using the double blind password strategy that you’re going to learn here, you’ll be able to take advantage of stronger passwords that are blind to both you and the password manager app.

Note: Some of the links in this article are affiliate links, which means that at no extra cost to you, I may be compensated if you choose to use one of the services listed. I only recommend what I personally use, though, and my desire is to help you improve your online security.

How a Double Blind Password Works

Before I go into a written explanation, I strongly encourage you to take 5 minutes to watch this video. In it, I explain exactly how a double-blind password works, using language and visuals that make it easy to understand.


The premise of a double blind password strategy is that neither you nor the password manager app knows the full password.

You create a strong password that is stored in the password manager software, and then you add a unique identifier that only you know.

When done correctly, the password that is being stored in the password manager vault isn’t the actual password.

Without the extra key that is the unique identifier you added, the password being stored in the secure vault is useless.

The double blind password is the password manager password plus your unique key.

It’s a double blind password because you don’t know the first half of the password and the password manager software doesn’t know the second half.

This creates an incredibly secure password creation system where:

  1. The actual password is never stored anywhere;
  2. You’re still able to create strong, unique passwords for each online login;
  3. Even a malicious keystroke logger (that hackers might use) won’t be able to detect the password.

That’s how a double blind password works. Now, let’s get to the nuts and bolts of how to set it up and use it.
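To make the three points above concrete, here is an added Python example (it is not code from the article or from 1Password). It models the scheme with stand-ins: a random "vault part" in place of the manager's suggested password, a constructed memorised key, and a salted PBKDF2 hash in place of the site's password storage. It then checks what each half can do on its own and how many guesses an attacker who only holds the vault part still faces for a 4-character key. The generator, the site-side hashing and the key value are all assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000


def generate_vault_part(length: int = 20) -> str:
    """Stand-in for the random password a manager generates and keeps in its vault.
    Hypothetical: 1Password's own generator is not used here."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compose_full_password(vault_part: str, unique_key: str) -> str:
    """The double blind password: the vault part plus the key only you remember."""
    return vault_part + unique_key


def site_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Constructed model of how a site should hold the full password: a salted
    PBKDF2 hash, never the plaintext. Returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def site_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def suffix_search_space(key_length: int, alphabet_size: int = 36) -> int:
    """Worst-case guesses an attacker holding only the vault part still needs
    to recover the key (alphabet_size 36 = lowercase letters plus digits)."""
    return alphabet_size ** key_length


def suffix_entropy_bits(key_length: int, alphabet_size: int = 36) -> float:
    """Entropy the memorised key adds on top of the vault part."""
    return key_length * math.log2(alphabet_size)


def demo() -> dict:
    """Walk through the scheme with a constructed key and report what each half can do."""
    vault_part = generate_vault_part()   # what the password manager would hold
    unique_key = "k7m2"                  # constructed 4-char key; a real one stays in your head
    full = compose_full_password(vault_part, unique_key)
    salt, digest = site_store(full)      # what the website would hold
    return {
        "vault_part_alone_logs_in": site_verify(vault_part, salt, digest),
        "vault_part_plus_key_logs_in": site_verify(full, salt, digest),
        "guesses_to_brute_force_key": suffix_search_space(len(unique_key)),
        "key_entropy_bits": round(suffix_entropy_bits(len(unique_key)), 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the vault part failing the login check on its own and the composed password passing it, which is the sense in which the stored entry is "useless" without the key. The search-space figures are the useful caveat: a 4-character alphanumeric key adds roughly 21 bits, so the key should be treated as the margin that protects you after a vault breach, not as a substitute for the long vault part.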


Double Blind Password Setup Tutorial

While the initial setup of this kind of password adds a few extra seconds to the process, I promise you it’s worth the effort.

I recognize that there are a number of great password managers on the market today. The one I use and recommend is 1Password, which is what you’ll see me use in this tutorial.

Setup Tutorial with 1Password

Let’s pretend that you’re setting up a new Facebook account and you want to use the double blind password strategy with 1Password.

Here’s how you would do that.

First, with 1Password already installed on your computer, when you reach the field for creating a password, choose the one that 1Password suggests.

1Password suggesting a password for Facebook

Once you’ve selected “Use Suggested Password”, you’ll be prompted to save that in your 1Password Vault.

Select “Save”.

Save the new Facebook Password with 1Password

Now that 1Password has saved the suggested password, and before you click “Sign Up”, add your unique identifier. This could be a word, a set of numbers or anything else you want.

I suggest a 4-8 character combination of numbers and letters. Your unique key must be something you can easily remember!

Unique key added to the new password for the double blind password strategy

Once you click “Sign up”, Facebook will save your new password that includes both the strong string of characters that 1Password suggested along with your unique key.

1Password doesn’t store your real password.

Once you’ve done this, however, how would you go about using this password?

Real-Life Use Case Tutorial – Facebook

In keeping with the Facebook example, let’s say you now want to log in to your new account using the double blind password strategy.

When you reach the Facebook login page, the 1Password browser extension will automatically show you the available logins that are in your vault. Choose the appropriate login.

1Password Facebook login example

Once 1Password has filled in the password for you, click on the hidden password and type in your unique key that you set above.

Add your unique key to the Facebook password

If done correctly, you will automatically be logged in to your Facebook account.

There’s only one problem that sometimes arises that I want to address below.


Important Password Setting to Change

Once you set up a double blind password with your password manager app, you might notice one annoying problem:

The password manager will continually ask you to save this “new” password.

Thankfully, there is a workaround. This works for 1Password, although not every password manager app offers this functionality (for example, Dashlane doesn’t).

If you go into the 1Password settings and click on the “Browsers” tab, you’ll find the password autosave setting.

1Password password save settings

This setting is on by default, which is what you probably want, but in this case we don’t want the password manager to keep asking us about our double blind password.

So you can make exceptions for certain domains. In this case, I’ve put in “facebook.com” so that any time I’m logging into Facebook using my unique key, the software doesn’t ask me to save this new password.

Boom!

That’s the simple fix. 🙂

You Shouldn’t Know Your Password…

…and neither should your password manager app.

This is the power of the double blind password strategy. The sad reality of our online world today is that a memorable password is also a weak password.

If you can recall all your online login passwords from memory, you either have a photographic memory or your passwords suck.

Similarly, if a hack into your password manager app file would ruin you, the risk is too great.

A double-blind password gives you the ability to create secure passwords using a password manager app like 1Password while keeping the true password secret.

It’s only a strategy, but it’s one you should definitely consider using.

Comments

  1. Rachel says

    January 18, 2020 at 3:15 pm

    Interesting! Thanks for the tip! It makes sense to use this strategy for email, banking, etc. Thanks!

    • Josh Summers says

      January 20, 2020 at 1:24 am

      I’m glad you found it useful, Rachel!
  2. Jim says

    March 28, 2020 at 1:41 pm

    What a great and reassuring idea!
    Thanks, Jim

    • Josh Summers says

      March 29, 2020 at 1:55 am

      Thanks, Jim! I’m glad you found it useful 🙂
  3. Peter Garbutt says

    April 13, 2020 at 5:40 pm

    The double-blind password strategy is brilliant.
    Some Anti-Virus Software has a Password Manager included in the paid-for package. How good is this, compared to a stand-alone Password Manager? Is it easier to have it all in one package?

    • Josh Summers says

      April 14, 2020 at 12:50 am

      Thanks, Peter! I hope you find good use with this strategy.

      As with any software, some offer a better set of features than others. That said, you should be fine with the password manager that comes with your antivirus software package. It may not have all the bells and whistles that you’ll find with a standalone like 1Password or Dashlane, but it still gets the job done.
  4. Jeanne says

    April 26, 2020 at 3:05 pm

    Should you also use 2 factor verification as well as double blind passwords? I do not have a password manager yet but feel I should!

    • Josh Summers says

      April 26, 2020 at 8:50 pm

      Each of these is just an added layer of protection. Having 2FA is great, but having 2FA and strong passwords is slightly better.
  5. Melissa says

    May 31, 2020 at 6:23 pm

    This sounds great, but wondering if you are getting up there in age and are mainly getting a password manager to make life easier for your estate’s chosen power of attorney, executor, children etc.? How does this affect them as my chosen emergency contacts and being able to access my accounts if something catastrophic happens? Thxs!

    • Josh Summers says

      May 31, 2020 at 8:54 pm

      Great point, Melissa! This is an excellent way to make life easier for end of life scenarios. Make sure that your will contains the information to your password manager or it’s locked away somewhere else or given to one of your children. Either way, it will give them immediate access to all of your accounts without having to create a long document.
  6. papo says

    June 2, 2020 at 11:01 am

    What happens when I’m at a friend’s house and want/need to get into my bank (or facebook account)? How will a password manager/double-blind password help if I’m away from my own computer and have to input a password at someone else’s system (or even a public system)?

    • Josh Summers says

      June 3, 2020 at 12:12 am

      If you have your phone, you can pull up the password from your password manager app there (and then add your unique double-blind code).

      It’s not convenient, but I would argue that you probably shouldn’t be logging in to your bank account on a public or even a friend’s computer. You should only be doing that on your own device.
  7. Ann says

    June 2, 2020 at 2:44 pm

    Wow. This is a great idea. I am looking at using 1Password and saw the link to explain double-blind. Thank you for sharing these great ideas. Ann 🙂

    • Josh Summers says

      June 3, 2020 at 12:11 am

      My pleasure, Ann! I’m glad you found it useful.
  8. Hichem says

    June 3, 2020 at 6:41 am

    Great Idea Josh!
    The only thing is how do you stop the password manager from suggesting to update the concatenated PWD?
    Many Thanks,
    Hichem

    • Josh Summers says

      June 3, 2020 at 9:10 pm

      There are settings where you can turn off the autosave feature or, if you’d rather, you can turn off autosave for specific URLs (if you still like the update feature for other reasons). I hope that helps, Hichem!

      • Veronica Dau says

        July 9, 2020 at 9:12 pm

        If you switch devices, for example get a new phone, how do you take the passwords with you?
        Thank you!

        • Josh Summers says

          July 9, 2020 at 10:25 pm

          Using a password manager app like 1Password, you can easily download the app on the new phone, sign in and download your encrypted vault. It will require you to put in your Master Password and confirm with 2FA if you hopefully set that up, but other than that you’re good to go! It’s not hard at all.
  9. Rick says

    June 16, 2020 at 4:05 am

    Thank you for the great strategy.
    Have one question though.
    What if you need to update all your passwords and want to use the update all feature? Will you have to NOT use that since you won’t be able to add your unique ID at the end?

    • Josh Summers says

      June 17, 2020 at 11:52 pm

      Most banks and investment accounts (i.e. your sensitive accounts) won’t work with the automatic password update feature on any password manager app. You’ll have to manually go in to change the password, at which point you can still set up a double-blind password.
  10. Brent Burkholder says

    July 4, 2020 at 7:10 pm

    Josh,
    very helpful information. However, until covid hit I used to travel a lot.
    What about password protection when travelling overseas? I’ve avoided using 2F identification because sometimes I can’t even receive a text with a one time code. I also always try to use a VPN but this also doesn’t work in some countries. Will 1Password and the Double Blind trick you mention work everywhere around the world?

    • Josh Summers says

      July 8, 2020 at 2:03 am

      Great questions, Brent. My first response related to 2FA is that you probably shouldn’t use text message 2FA. I recommend either an authenticator app or a security key like Titan or Yubikey. Those work wherever you are and aren’t dependent on a phone number.

      Second, a VPN should work in all countries, although there are places such as China and the Middle East where they actively block VPNs. Still, if you’re willing to patiently try different protocols and servers, it will eventually connect.

      And finally, yes, both password manager apps and the double blind password strategy will work in whatever country you go to. It is not dependent on location in any way.
  11. Vidhan says

    October 25, 2020 at 7:58 am

    Wow a really useful article. Interesting too. Keep it up and looking forward to many such.

    • Josh Summers says

      October 25, 2020 at 8:16 pm

      Thanks so much, Vidhan.
  12. Yoav says

    December 26, 2020 at 4:29 pm

    Josh, great idea, but I don’t understand point #3 above: “Even a malicious keystroke logger (that hackers might use) won’t be able to detect the password.”
    Why not? If they’re logging my keystrokes, wouldn’t they log both the password manager’s part and my part of the password?

    • Josh Summers says

      December 28, 2020 at 3:09 am

      Yes, this is true, but you’re assuming they also have access to your password manager vault, which in itself is quite difficult. There are also other methods to add these extra keystrokes that don’t require using the keyboard.
  13. Oded says

    January 8, 2021 at 3:37 pm

    Hi Josh,
    I really liked the idea. However, if a hacker got my passwords from the password manager, can’t he just use brute force strategies to guess and add my additional “double-blind” part? Especially if it’s 4 characters long.
    Thanks

    • Josh Summers says

      January 9, 2021 at 9:36 am

      Sure. There is no such thing as 100% un-hackable security. However, considering the effort a hacker would have to take to get into your password manager, to then have to brute force guess… he/she is probably going to look for easier targets.

      The point of these strategies is to make you as unattractive of a target as possible.
  14. JayR says

    January 13, 2021 at 2:50 am

    Hey Josh, appreciate the great security advice! My question is, with the double blind method do you use the same double blind pw for all your accounts? That also sounds more risky than having alternative double blind pws for your most important accounts, but it is obviously harder to remember them all.
