Offline vs Cloud: the Real Threat Model in Password Managers

Fabio Marano — Sat, 14 Feb 2026 05:18:01 +0000

When talking about password managers, the discussion often focuses on encryption algorithms, key length, or “zero-knowledge.”
Much less often, a more important question is asked:

Who am I trying to protect myself from?

Without a clear threat model, comparing different solutions becomes meaningless.

What is a threat model

A threat model is not a list of features.
It is an explicit description of:

which attacks are meant to be prevented

which ones are accepted as out of scope

which assumptions are made about the environment

Every password manager, consciously or not, makes these choices.

The cloud-first model

Cloud-based password managers introduce a model built around:

remote synchronization

an always-on backend

user accounts

centralized infrastructure

This approach protects well against:

device loss

multi-device access requirements

user mistakes (automatic backups)

But it also introduces new attack surfaces:

provider compromise

backend bugs

server misconfiguration

third-party dependencies

metadata exposure

Even with strong encryption, the risk model changes the moment data exists online.

The offline-first model

An offline password manager completely eliminates:

remote servers

automatic synchronization

recovery accounts

backend APIs

The result is a simpler model:

the vault exists only locally

security depends on the device

the master password is the only critical secret

This approach protects very well against:

remote attacks

provider breaches

third-party compromises

online metadata exposure

But it requires the user to take on:

greater responsibility

conscious backup management

operating system protection

No model is “better” in absolute terms

Cloud ≠ insecure
Offline ≠ invulnerable

They are different models, suited to different threats.

Problems arise when:

total security is promised

assumptions are hidden

convenience is confused with protection

The OneCritto choice

OneCritto deliberately adopts an offline and zero-knowledge model.

This means:

no servers

no accounts

no forced synchronization

no remote recovery

Security is not delegated to a provider, but remains under the direct control of the user.

It is a choice that reduces the attack surface, but requires awareness.

Security as responsibility, not as a service

A system that promises to “always save the user” inevitably introduces bypass mechanisms.
A system that removes those bypasses demands more attention, but offers a more predictable model.

OneCritto does not try to cover every possible scenario.
It aims to be clear about what it protects—and what it does not.

Conclusion

The right question is not:
“Which password manager is the most secure?”

But:
“Which threat model is consistent with my real risk?”

Security is not a checklist.
It is an architectural choice.

Originally published on onecritto.ghost.io

DEV Community: Fabio Marano

Offline vs Cloud: the Real Threat Model in Password Managers