What are the possible threat models when it comes to saving all credentials (passwords, TOTP and passkeys) into a single .kdbx database? This is assuming that: The master password is very strong. The .kdbx file is never exposed to the internet (always kept offline). Only two devices have access to…

[image] SomeRandomPrivacyUser: I’m not too worry about (1) as I always keep the database offline and share it between iPhone and Linux through USB cable. Off-topic but if these are your only 2 copies I strongly suggest creating a third backup on a flash drive stored somewhere away from your h…

[image] SomeRandomPrivacyUser: Also, what other thread models am I missing here? This one: [image] linux setups with comparable _security_ to macbooks? hear me out... person_raising_handQuestions There are many other relevant topics available on the Qub…

The point of your password manager is to allow you to use all your passwords while remembering one master password. If it’s encrypted (it is) and synced offline via USB then someone mostly needs full access to your device before it’s a problem (getting either both the file and ability to decrypt or …

[image] TheDoc: Off-topic but if these are your only 2 copies I strongly suggest creating a third backup on a flash drive stored somewhere away from your home. Thanks for the heads up, I’ll for sure do that. [image] TheDoc: If instead you stored your passkeys on actual hardware (smartpho…

[image] SomeRandomPrivacyUser: That’s if I store the passkeys on devices separate from my iPhone (like a YubiKey) but if my passkeys are stored in Apple’s password manager on my phone then malware can get the secret, couldn’t it? Passkeys can be stored in a secure element so it should be well…

[image] TheDoc: I believe Apple now defaults to storing passkeys in their password manager to provide better portability but you might still have the option to store it on hardware instead. I just tested trying to save a passkey offline on my iPhone. It forces me to either (a) use another dev…

Privacy Guides Community

Threat models for storing passwords, TOTP and passkeys in a single password manager?

Questions

FranklyFlawless (Frank Lý) May 9, 2026, 11:51am 2

This one:

Topic		Replies	Views
Those of you using hardware security keys (e.g. yubikey) , which accounts (or if that is too personal, how many accounts) do you use them for? Questions	16	1577	December 18, 2023
Storing TOTPs in a Password Manager Questions	1	437	August 24, 2023
Should I use my password manager for storing TOTP codes? Questions	24	6727	January 13, 2024
How to approach passkeys / Should I replace my TOTPs with passkey? Questions	4	797	August 4, 2025
How do MFA methods compare? Questions please-eli5	7	345	March 5, 2026

Privacy Guides

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.

We do not make money from recommending certain products, and we do not use affiliate links.

Knowledge Base

Private Web Browsers

Top VPN Providers

Privacy-Respecting Services

Software Recommendations

More Resources

Threat models for storing passwords, TOTP and passkeys in a single password manager?

Related topics