When people talk about password managers, the discussion usually centres on encryption algorithms, key lengths, or "zero-knowledge" claims.
A more important question is asked far less often:
Who am I trying to protect myself from?
Without an explicit threat model, comparing different solutions is meaningless: two products can both be "secure" and still defend against different adversaries.
What is a threat model
A threat model is not a list of features.
It is an explicit description of:
which attacks are meant to be prevented
which ones are accepted as out of scope
which assumptions are made about the environment
Every password manager, consciously or not, makes these choices.
The cloud-first model
Cloud-based password managers introduce a model built around:
remote synchronization
an always-on backend
user accounts
centralized infrastructure
This approach handles well:
loss or destruction of a device (the vault survives on the server)
the need for access from several devices
user mistakes, thanks to automatic backups and version history
But it also introduces attack surfaces that did not exist before:
compromise of the provider itself
bugs in the backend
server misconfiguration
third-party dependencies in the service stack
metadata exposure (which accounts exist, how many entries they hold, when and from where they sync)
Even with strong encryption, the risk model changes the moment a copy of the vault lives on infrastructure the user does not control: an encrypted blob that leaks can be attacked offline for as long as the attacker likes, and the metadata around it is usually not encrypted at all.
The offline-first model
An offline password manager completely eliminates:
remote servers
automatic synchronization
recovery accounts
backend APIs
The result is a simpler model:
the vault exists only locally
security depends on the security of the device that holds it
the master password is the only critical secret
This approach protects very well against:
remote attacks
provider breaches
third-party compromises
online metadata exposure
But it shifts responsibilities onto the user:
greater responsibility overall, with no provider to fall back on
conscious backup management (a lost or broken device with no backup means a lost vault, with no recovery path)
protecting the operating system, since a compromised device can capture the master password or the unlocked vault no matter how strong the encryption at rest is
No model is “better” in absolute terms
Cloud ≠ insecure
Offline ≠ invulnerable
They are different models, suited to different threats.
Problems arise when:
total security is promised
assumptions are hidden
convenience is confused with protection
The OneCritto choice
OneCritto deliberately adopts an offline, zero-knowledge model: no party other than the user ever holds the vault or the means to decrypt it.
This means:
no servers
no accounts
no forced synchronization
no remote recovery
Security is not delegated to a provider, but remains under the direct control of the user.
It is a choice that reduces the attack surface, but it requires awareness: the responsibilities listed above for the offline model are the user's, not a vendor's.
Security as responsibility, not as a service
A system that promises to "always save the user" (account recovery, password reset, support-assisted access) inevitably introduces bypass mechanisms, and every bypass is also a path an attacker can try to take.
A system that removes those bypasses demands more attention from the user, but offers a more predictable model: there is no way into the vault other than the master password on the device that holds it.
OneCritto does not try to cover every possible scenario.
It aims to be clear about what it protects, and what it does not.
Conclusion
The right question is not:
“Which password manager is the most secure?”
But:
“Which threat model is consistent with my real risk?”
Security is not a checklist.
It is an architectural choice.
Originally published on onecritto.ghost.io