OPSEC52 / Week 7 — The password manager as compartmentalization
Every compartment you’ve built so far — separate emails, separate phones, separate browser profiles — shares one silent seam that can staple them all back together — a reused password. You can run flawless identity hygiene for months, then log into two pseudonymous accounts with the same string and hand an adversary the join key for free. Password reuse isn’t a strength problem; it’s a linkage problem. A password manager fixes both at once, and it’s the one OPSEC habit you’ll actually keep.
Threat model: credential-stuffing attacks that replay leaked username/password pairs across every site you own; password reuse that cryptographically links otherwise-separate pseudonymous accounts the moment one database leaks; SMS and email 2FA that tie an “anonymous” account back to a phone number or recovery identity; security-question answers that quietly encode your real biography; and browser-saved passwords silently syncing to a real-name Google or Apple account.
Reuse is a linkage attack, not just a strength problem
Most password advice is about strength — length, entropy, “don’t use password123.” That framing misses the OPSEC point. For someone building compartments, the danger isn’t that a weak password gets cracked; it’s that a reused one gets correlated.
Breach dumps are a commodity. Billions of email:password pairs from years of leaks are searchable, aggregated, and cross-indexed. When your Week-3 alias and your real-name account both appear in dumps sharing the same password, that shared string is a probabilistic fingerprint — often a unique one. You didn’t leak your identity; you leaked a join key, and someone else ran the query. Every wall you built between identities has a door in it, and the door is that one password you liked enough to type twice.
The fix is mechanical and total: a unique, high-entropy password for every account, generated and stored so you never see or remember them. That’s the entire job of a password manager. Strength is a free side effect; the real win is that nothing links to anything.
Pick a manager that doesn’t leak by design
- KeePassXC — offline, local, open-source. Your vault is a single encrypted
.kdbxfile you control and back up yourself. No cloud account, no company to subpoena, no sync telemetry. The default choice when the threat model is serious. - Bitwarden / Vaultwarden — open-source with sync. Use the self-hosted Vaultwarden server if you want cross-device sync without trusting a third party; the vault is end-to-end encrypted regardless. Reasonable when convenience is losing you to bad habits.
- Avoid the browser’s built-in manager when it syncs to a real-name account. Chrome→Google and Safari→Apple quietly push every saved credential into an identity you’re trying to keep separate. If you use browser autofill, point it at a KeePassXC/Bitwarden extension, not the OS account.
There’s no “best” — there’s the one you’ll open every day. A local .kdbx you actually use beats a perfect self-hosted setup you abandon.
2FA: stop letting the second factor re-identify you
Two-factor auth is good; the type matters for anonymity:
- SMS 2FA is an identity leak. It binds the account to a phone number, and phone numbers are KYC’d back to you (see Week 4). Avoid it on any pseudonymous account; if a service forces it, that service knows who you are.
- TOTP (authenticator codes) is the baseline — store the seeds in your password manager or a dedicated TOTP app. KeePassXC generates TOTP natively, so the second factor lives in the same encrypted vault.
- Hardware keys (FIDO2/WebAuthn) are the strongest and phishing-proof; a cheap key per identity tier is worth it for accounts that matter.
The principle: your second factor should prove possession, not identity. SMS proves identity. Skip it.
Security questions are a biography — so lie
“Mother’s maiden name,” “first pet,” “city you were born in” — these are a soft identity dump wearing a recovery costume, and they’re often the weakest link into an account. Never answer them truthfully. Generate a second random string for each answer and store it in the vault next to the password. To the service it’s an answer; to an adversary building your profile, it’s noise.
Vault hygiene — the master passphrase is now your whole identity
Consolidating into one vault raises the stakes on one secret. Protect it accordingly:
- Master passphrase = diceware, 6+ words, memorized, never stored digitally. This is the one password you keep in your head.
- Back up the vault offline — an encrypted copy on a USB drive in a drawer beats a vault that lives only on a laptop that can die or be seized.
- Never sync the raw file through a real-name cloud. If you sync, sync the already-encrypted
.kdbx, and prefer your own server. - Compartmentalize the vault itself. Keep a separate vault (separate file, separate master passphrase) for your anonymous tier. If your day-to-day vault is ever opened under duress or on a compromised machine, the pseudonymous credentials aren’t in it.
That last point is the whole series in one habit: the password manager isn’t just a strength tool, it’s a compartment. One vault per identity tier means a breach of one life doesn’t unlock the others.
This week’s drills
- Install KeePassXC (or stand up Vaultwarden) and create your first vault with a 6-word diceware master passphrase.
- Run your main email through Have I Been Pwned — every hit is an account whose password you must now rotate to a unique one.
- Replace SMS 2FA with TOTP (or a hardware key) on every account that allows it; flag any service that forces SMS as identity-linked.
- Change all security-question answers to random strings stored in the vault — stop broadcasting your biography.
- Create a separate vault for your anonymous-tier accounts, with its own master passphrase, and move those credentials out of your everyday vault.
Next week we follow the money: the financial deanon layer, where card metadata, KYC chains, and on-chain heuristics quietly reattach a name to everything you just compartmentalized. Until then: generate, never reuse, and let the vault remember so your adversary can’t correlate.
Curated by Cyber Satoshi