Why I Ditched My DIY Password System for NordPass

For years I told people not to use password managers. My reasoning was the classic skeptic's objection: why put every credential in one place? What happens when that service gets breached? I was convinced that my own system was clever by comparison — a password-protected Excel workbook living on a dedicated USB flash drive, with an AirTag connected to it so I could always find it.

I was wrong on almost every count.

The Problem With "Security Through Obscurity"

What I was doing has a name in security circles: security through obscurity, the idea that a system is safe because it's unusual or hidden rather than because it's actually secure. My Excel file was protected by a single password, and that password was the entire defence. If the drive was ever lost or stolen, whoever held it could guess at that password offline at their leisure, and once past it every credential I had was sitting in plaintext cells. There was no second factor, no breach monitoring, no way to access anything from my phone without the physical drive, and no way to generate or evaluate the strength of my passwords without doing it manually.

The Verizon 2025 Data Breach Investigations Report drives the point home with data: stolen credentials were the most common initial access vector in confirmed breaches last year, appearing in 22% of incidents. Credential abuse powered 88% of basic web application attacks. Most people whose credentials are stolen have no idea it happened until the damage is done. My spreadsheet had no mechanism for knowing whether any of my accounts had been exposed in a third-party breach. I was flying blind.

The "all eggs in one basket" objection I used to make is real, but it's also the wrong frame. The actual question is whether a properly designed password manager's basket is more secure than whatever you're doing now. For most people, including me, the answer is yes.

Why I Landed on NordPass

I'd been using NordVPN for a while and trusted the company's approach to security infrastructure, so NordPass was a natural starting point. After testing it, I stayed.

The encryption model is the part that addressed my original concern most directly. Per NordPass's published security documentation, the product uses XChaCha20 encryption with zero-knowledge architecture: your vault is encrypted locally on your device before anything is transmitted to their servers. NordPass employees cannot read your vault contents. If Nord's servers were breached, attackers would get encrypted data they cannot decrypt without your master password, which Nord never receives or stores. That's a meaningfully different security posture from an Excel file.

Zero-knowledge also means the "one basket" is a basket only you can open. That's not a marketing claim — it's a structural property of how the encryption is designed.

A few other things that changed how I work:

When I imported my old spreadsheet, the password health report immediately flagged accounts where I was reusing passwords and others where the passwords were weak. Seeing it listed out plainly was an uncomfortable but useful moment. Password reuse is what makes credential stuffing work: an attacker takes a username and password leaked from one breach and tries that pair against hundreds of other sites automatically. Unique passwords for every account are the actual fix, and a password manager is the only realistic way to maintain them at scale.

The breach scanner checks your stored credentials against known data breach databases continuously. My spreadsheet did not do that.
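To make the two preceding checks concrete, here is an added example (my own illustration, not NordPass code) that runs a health report over a CSV vault export with the assumed columns name,username,password. It flags reused and weak passwords, and it checks each one against a breach corpus using the k-anonymity range scheme popularised by Have I Been Pwned's Pwned Passwords API: the client hashes the password locally and sends only the first five hex characters of the SHA-1, the server returns every stored suffix under that prefix, and the match happens on the client, so the password itself never leaves the device. The post does not say which databases NordPass queries or how, so treat the lookup here as the general technique; the breach corpus and the sample export are both constructed for this example.

```python
"""Password-health report and breach check over a vault export.

Added example (not NordPass code): reproduces the two checks described in
the post, reuse/weakness detection and a breach lookup, over a CSV export
with the assumed columns name,username,password.  The breach corpus is a
constructed set of SHA-1 hashes standing in for a real leak database, and
the lookup uses the k-anonymity range scheme (send a 5-hex-char hash
prefix, compare suffixes locally) so the password never leaves the client.
"""
import csv
import hashlib
import io
import math
from collections import defaultdict

# Constructed sample export; every credential below is invented.
SAMPLE_EXPORT = """name,username,password
bank,alice@example.com,Summer2023!
email,alice@example.com,Summer2023!
shop,alice,password1
forum,alice,Tr0ub4dor&3
saas,alice@example.com,xK9#mP2$vL7qR4nW
"""


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: uppercase hex SHA-1 of leaked
# passwords, indexed by 5-char prefix the way a range API serves them.
BREACH_CORPUS = defaultdict(set)
for _leaked in ("password1", "123456", "Summer2023!", "qwerty"):
    _h = _sha1_hex(_leaked)
    BREACH_CORPUS[_h[:5]].add(_h[5:])


def range_lookup(prefix: str, corpus=BREACH_CORPUS) -> set:
    """Server side of a k-anonymity query: given a 5-char hash prefix, return
    every stored suffix under it.  The server never sees the full hash."""
    assert len(prefix) == 5
    return set(corpus.get(prefix, ()))


def is_breached(password: str, corpus=BREACH_CORPUS) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix here."""
    digest = _sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5], corpus)


MIN_LENGTH = 12
MIN_ENTROPY_BITS = 60


def estimate_entropy_bits(password: str) -> float:
    """Crude strength estimate: length * log2(size of the character classes
    used).  Real health reports add dictionary and pattern checks on top."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def is_weak(password: str) -> bool:
    return len(password) < MIN_LENGTH or estimate_entropy_bits(password) < MIN_ENTROPY_BITS


def health_report(export_csv: str, corpus=BREACH_CORPUS) -> dict:
    """Map each account name to its sorted findings ('breached', 'reused',
    'weak'); an empty list means the entry passed every check."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    accounts_by_password = defaultdict(list)
    for row in rows:
        accounts_by_password[row["password"]].append(row["name"])
    report = {}
    for row in rows:
        pw = row["password"]
        findings = []
        if is_breached(pw, corpus):
            findings.append("breached")
        if len(accounts_by_password[pw]) > 1:
            findings.append("reused")
        if is_weak(pw):
            findings.append("weak")
        report[row["name"]] = findings
    return report


SEVERITY = {"breached": 0, "reused": 1, "weak": 2}


def fix_order(report: dict) -> list:
    """Accounts to fix first: breached, then reused, then merely weak."""
    flagged = [(min(SEVERITY[f] for f in fs), name) for name, fs in report.items() if fs]
    return [name for _, name in sorted(flagged)]


if __name__ == "__main__":
    rep = health_report(SAMPLE_EXPORT)
    for name in fix_order(rep):
        print(f"{name:6} {', '.join(rep[name])}")
```

On the constructed export, the two accounts sharing Summer2023! are flagged as breached, reused and weak; the lone password1 entry is breached and weak; Tr0ub4dor&3 is merely short; only the 16-character random password passes. The entropy estimate is deliberately rough, which is why length is checked separately.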

Cross-device sync means the vault follows me between my desktop, phone, and tablet without any physical hardware. That sounds basic, but removing the friction from the daily login process is what actually makes people use strong unique passwords instead of reusing convenient ones.

For clients asking where to start with credential security, this is consistently what our support services recommend as the most accessible first step — ahead of more complex controls.

A Straight Disclosure

I want to be clear about the referral link below. I do not receive a cash commission from Nord. However, if you use my referral link to sign up, Nord gives me additional months on my own subscription as a thank-you. That is a material benefit, and you should know about it before deciding how much weight to give this post. The recommendation is genuine — I use this product daily — but the referral relationship exists and I'm not going to obscure it.

If you want to try NordPass or NordVPN: My referral link

If you'd rather evaluate options independently, Bitwarden is a well-regarded open-source alternative worth looking at.

What About Other Password Managers?

NordPass is not the only credible option. Bitwarden is open-source and free for individuals, which matters to people who want to audit the code themselves. 1Password has a strong reputation in business environments. Apple's built-in Passwords app works well if you're all-in on the Apple ecosystem. The specific product matters less than the decision to stop managing credentials manually. Any of these is a significant upgrade from a spreadsheet.

The business case for getting this right is also relevant for small business owners. If even one employee is reusing a weak password across a business account and a personal account, and that personal account shows up in a breach, your business has exposure. Getting a team onto a shared password manager with enforced unique credentials is one of the lowest-cost, highest-impact security steps available. It's something a vCIO engagement typically addresses in the first month.

Frequently Asked Questions (FAQ)

Q: What happens if I forget my master password?
A: This is the most important thing to understand before setting up any zero-knowledge password manager. Because NordPass does not store your master password, they cannot recover it for you. If you lose it and haven't set up an account recovery method, access to your vault is gone. Set a recovery key during setup and store it somewhere physically secure — a locked drawer or a small fireproof box. This is not paranoia; it's the correct procedure.

Q: Is it actually safe to store all my passwords in one place in the cloud?
A: The "one basket" concern is reasonable, but the security model of a properly designed password manager addresses it directly. With zero-knowledge architecture, the cloud-stored data is encrypted with a key that never leaves your device. What's stored on the server is unreadable without your master password. Compared to a local spreadsheet protected only by a file password, or passwords reused across multiple sites, a zero-knowledge password manager is a security upgrade, not a downgrade.

Q: What should I do first when setting up a password manager?
A: Import or manually enter your existing credentials, then run the password health report. Fix the reused passwords first — those represent the largest immediate risk. Enable two-factor authentication on the password manager itself as a second layer. Then work through weak passwords systematically, starting with financial accounts, email, and anything with access to your business systems.

Q: Does NordPass work across Apple and Windows devices?
A: Yes. NordPass supports Windows, macOS, iOS, Android, and major browsers including Chrome, Firefox, Edge, and Safari. If you're running a mixed environment — which many small businesses in Springfield and Central Illinois do — that cross-platform support matters.

Q: Is this something I need for my business, or just personally?
A: Both. At the personal level, a password manager protects your own accounts. At the business level, credential reuse by any employee is a potential entry point into your systems. A shared business password manager with team vaults adds a layer of control over who has access to what, and ensures that when an employee leaves, their access can be revoked cleanly. Most small businesses don't have this in place, and most don't realize how much exposure that creates.

SUMMARY

The most dangerous security system is the one you're confident in but shouldn't be. Getting off manual credential management — whatever form that takes for you — is one of the most practical steps available.

If you want help rolling out a password manager for your team or building out a broader credential security policy, our support services cover exactly that.

Reach out at thetechgents.com/contact and we'll figure out what makes sense for your setup.

Digital Decorum — TechGents | thetechgents.com | Springfield, IL | Sangamon County
