Every year we read the same thing: the number one cause of compromised accounts continues to be password reuse. Not a sophisticated attack, not a zero-day on your infrastructure — the same password you used in that online store in 2018 that leaked its database.
And yes, you know it. But the reality is that remembering 80 unique and strong passwords is impossible. That's why a password manager stopped being something for paranoids and became basic hygiene, like antivirus in the 2000s.
1. The real problem: reuse + massive leaks
Every month there are new leaks of databases with millions of email + password combinations. These dumps end up in lists that attackers test against other services (credential stuffing). If you reuse passwords, ONE leak is enough for you to lose everything: email, Netflix, banking, etc.
Pages like Have I Been Pwned confirm that the average email appears in three or four leaks. The question is not whether it will happen to you; the question is whether your passwords will be unique on the day it does.
2. Why an encrypted Excel, a note, or the browser is not enough
"I have it in a spreadsheet with a password." Okay, but:
- The native Excel/Sheets encryption is weak. There are tools that break it in minutes if your master password is not very strong.
- You don't have auto-fill. You end up copying and pasting, which sometimes leaves the password on the clipboard where another app can read it.
- You don't have auditing. How many of your passwords are weak? How many are repeated? How many have been leaked? A modern manager tells you.
- The browser manager is better than nothing, but it assumes that you only access from that browser and that your session is secure. If your PC is compromised, the browser is one of the first places malware looks.
3. What a decent password manager should have
Not all managers are the same. The minimum bar you should require is:
- End-to-end encryption. The provider's server should NEVER be able to read your passwords — only you with your master password.
- Modern algorithms. AES-256-GCM or ChaCha20-Poly1305 for the data, Argon2id to derive the key from the master password (not the older PBKDF2).
- Robust password generator. Customizable (length, symbols, pronounceable phrases...).
- Health audit: repeated, weak, exposed in leaks (via partial hashes — the service never sees your real password).
- 2FA / TOTP, integrated or, better, external. Some managers put the TOTP codes in the same vault; others keep them separate, which is more secure because a compromised vault then doesn't also hand over your second factor.
- Secure sharing. For teams, be able to share credentials without sending them in Slack or email.
4. Medel Vault: our proposal
Medel Vault is our password management app, built with two clear premises: end-to-end encryption and zero trust in the server. What this means in practice:
- Your master password never leaves your device. From it we derive (with Argon2id) the key that encrypts your vault locally.
- What is uploaded to our servers is an encrypted blob. Even if someone compromised our database, the attacker would first have to break AES-256; they would be waiting a very long time.
- Generator, health audit, TOTP, team sharing and browser autofill.
- Native mobile app with biometric unlock; it syncs with your account in seconds.
5. Migrating is easy
If you come from another manager (LastPass, 1Password, KeePass, Bitwarden, the browser...), Medel Vault imports the standard CSVs. In less than 5 minutes you have your entire vault migrated, organized by folders/tags.
6. The most common objection: "what if I lose my master password?"
It's a legitimate question. The honest answer: no one can recover it for you, not even us (if we could, end-to-end encryption would mean nothing). What Medel Vault does is:
- Require a recovery kit at registration: a 24-character key that you keep on paper, somewhere safe.
- Allow emergency contacts with delayed access (your spouse gets access 48 hours after requesting it, which gives you time to cancel the request if it wasn't legitimate).
Conclusion
Passwords are not going to disappear in the next 10 years, no matter how much talk there is about passkeys. Meanwhile, the question is not "do I need a manager," but rather "which one is the least bad." If you want one that doesn't ask you to trust its server, take a look at Medel Vault, or write to us if you have technical questions; we respond within hours.