You Have to Trust Something
Security is about vetted and examined trust. In a security operations center, the work is about vetting and examining apps, devices, and traffic. But cybersecurity isn’t just about machines doing what we trust them to do, it’s also about people. Lots of security professionals see people as the weak link in the security chain, and without the proper awareness and tools, they’re right. People are a security problem.
But I’m serious about security, and I don’t want to see people as problems to be dealt with and mitigated.
I want to talk about security the way I’d talk about it with my friends, my family, my coworkers. And that starts here: you already have a password manager. It’s probably your browser. That was a trust decision. Do you know why you made it?
Trust No One? Not a Real Option.
The “trust no one” instinct is legitimate. On the internet especially, it’s earned. The history is long: breaches, platforms that changed their terms midgame, companies that promised security and didn’t deliver it, data sold that was never supposed to be sold. That skepticism has a real foundation and I respect it.
But trust no one still leaves you trusting something. Your brain. A Post-it. A spreadsheet. Your browser. Those are all trust decisions with their own failure modes. Zero trust is a term that means something very specific in security architecture and something much vaguer in the way most people use it. At the human level, you cannot opt out of trust.
The real question is whether your trust is examined or unexamined. Deliberate or inherited. Chosen or just convenient.
What Examined Trust Actually Looks Like
I’ve been thinking about trust and technology since I first started using computers. What’s changed isn’t the instinct. It’s the vocabulary and the tools to act on it deliberately.
When I evaluate whether to trust a tool with my credentials, I’m asking a few specific things:
Can I see how it works? Open source means the code is inspectable. Someone other than the company can verify the claims.
Has someone independent checked it? Audits mean a third party looked at the architecture and the implementation. Not perfect, but meaningful.
Can the company read my data? What vendors call zero-knowledge architecture (a marketing term, not the cryptographic zero-knowledge proof) means the vault is encrypted and decrypted on your device with a key derived from your master password, and the provider never receives that key. What they store, they can’t read. The flip side is that they can’t reset a forgotten master password for you either, so your own recovery plan matters.
Can I leave if I need to? An exit path means I’m not permanently locked in. If the company gets acquired, changes its terms, or has a serious breach, I can get my data out.
I don’t check all four boxes for every tool I use. But I know which boxes I’m leaving unchecked, and I know why I’m accepting that.
My Journey, Honestly
I’ve used a lot of tools over the years. Browser password managers. Third party managers. I’ve watched platforms change their terms in ways that made me re-evaluate the trust I’d extended to them. I’ve seen breaches that made the cost of misplaced trust concrete and real.
I’ve also faced situations where the approved tools didn’t solve the problem I actually had, and I had to innovate. What I learned is that the instinct to find a workaround isn’t the problem. It’s a symptom. When people aren’t given tools they can trust and understand, they build their own solutions. And those solutions don’t always hold up under scrutiny.
I’ve known people who turned to a third party password manager as their own shadow IT decision. I understood why. They were solving a real problem. What happens when a browser becomes shadow IT, quietly storing credentials and other information that was never meant to live there? Most organizations don’t know. That’s the problem.
For my own credentials, I landed on a split that reflects deliberate decisions rather than defaults.
Most of my passwords live in Bitwarden on their servers. Not because I want them there exactly, but because I evaluated the criteria: open source, independently audited, zero-knowledge architecture, self-hosting option as an exit path. Bitwarden earned that trust. I tried self-hosting with Vaultwarden and realized that rolling my own meant I had no one to blame but myself if something went wrong and no escape hatch if I made a mistake I couldn’t recover from. Knowing that about myself was the security decision.
Last month Bitwarden had a supply chain incident. A compromised third party package in their command line tool, not a breach of the vault or anything most users would ever touch. My first reaction was to dig in and understand what actually happened and whether my setup was at risk. It wasn’t. But I checked. Bitwarden disclosed it. I evaluated it. My trust held. Not because I assumed it would, but because I did the work to find out.
Two-factor authentication, using something you know like a password plus something you have like an app on your phone, is one of the most meaningful things you can do for your account security. The app generates codes from a shared secret called a seed, which the service gives you once, usually as a QR code, when you set it up. From then on your phone and the service each compute the same short-lived code from that seed and the current time, so the seed itself never has to cross the network again. That seed is what lets your app and the service agree it’s really you, which also makes it the thing to protect and to back up, not the app around it. My seeds are in 2FAS, which is open source and gives me full control of my own data. I moved away from a previous authenticator when I realized I couldn’t save or access my own seeds. If I lost my phone or needed to switch apps, I was stuck. That’s not a trust decision I was willing to accept. Same criteria as Bitwarden, different risk profile, different decision.
Passkeys live in iCloud Keychain, which I’ll come back to.
Passkeys: The Honest Short Version
Passkeys have been showing up everywhere lately. Maybe you’ve seen the prompt and dismissed it. Maybe you switched it on without fully understanding what you were agreeing to. Here’s my honest read.
A passkey is a cryptographic credential that lives on your device and is unlocked the same way the device is, with Touch ID, Face ID or your passcode. When you sign in, the site sends a one-time challenge and your device answers it with a signature made by a private key that never leaves the device. Someone who captures that response on the wire can’t replay it, and nothing in it lets them log in as you later. The security is genuine and not just marketing. Because the credential is bound to the domain of the site it was created for, your browser won’t offer it to a lookalike domain, which is what makes passkeys significantly harder to phish than a password. Attackers are already looking for ways around it, as they always do, but the bar is meaningfully higher than a standard password alone.
The convenience of passkeys is also genuine. Touch ID and Face ID mean the friction is essentially zero. Faster than typing a password, more secure than most passwords people actually use.
The right comparison for passkeys isn’t a theoretical ideal but the workflows most people actually use. Against reused passwords, browser-stored credentials, and Post-its, passkeys win on both security and convenience.
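What “tied to the specific site” means mechanically, as an added example (not the post’s own code, nor any browser or vendor’s): a simplified WebAuthn-style exchange in Go. The authenticator keeps one keypair per relying-party ID, the browser derives that ID from the page’s real origin rather than from anything the page says, and the site checks the signed challenge, the origin and the rpId hash. Ed25519 stands in for the P-256 keys real passkeys use, the hostnames are made up, and the challenge in the test is a constructed value.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Authenticator models the device: one credential per relying-party ID (rpId).
// Real passkeys live in a secure element and use P-256; Ed25519 is used here for brevity.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey
}

// clientData is assembled by the browser, not the page, and is what the site later inspects.
type clientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	RPIDHash   [32]byte
	ClientData []byte
	Signature  []byte
}

var errNoCredential = errors.New("no credential for this relying party")

// rpIDFromOrigin mimics the browser: the rpId comes from the actual origin of the page
// making the request, never from anything the page claims about itself.
func rpIDFromOrigin(origin string) (string, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", errors.New("passkeys require a secure context")
	}
	return u.Hostname(), nil
}

// Register creates a keypair bound to rpID; only the public key goes to the site.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return pub, nil
}

// Sign is the login step: the page at origin forwards the site's one-time challenge.
func (a *Authenticator) Sign(origin string, challenge []byte) (*assertion, error) {
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, err
	}
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errNoCredential // a lookalike domain simply has no matching credential
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	as := &assertion{RPIDHash: sha256.Sum256([]byte(rpID)), ClientData: cd}
	cdHash := sha256.Sum256(cd)
	as.Signature = ed25519.Sign(priv, append(as.RPIDHash[:], cdHash[:]...))
	return as, nil
}

// Verify is the site's side: fresh challenge, our origin, our rpId, valid signature.
func Verify(pub ed25519.PublicKey, rpID, expectedOrigin string, challenge []byte, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("challenge mismatch or replay")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpId mismatch")
	}
	cdHash := sha256.Sum256(as.ClientData)
	if !ed25519.Verify(pub, append(as.RPIDHash[:], cdHash[:]...), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := &Authenticator{creds: map[string]ed25519.PrivateKey{}}
	pub, _ := auth.Register("login.example.com")
	challenge := make([]byte, 32)
	rand.Read(challenge)
	as, _ := auth.Sign("https://login.example.com", challenge)
	fmt.Println("genuine site:", Verify(pub, "login.example.com", "https://login.example.com", challenge, as))
	_, err := auth.Sign("https://login.example.com.evil.test", challenge)
	fmt.Println("lookalike site:", err)
}
```

The phishing case fails twice over: the lookalike domain never gets an assertion at all, and even an assertion somehow obtained for another rpId would fail the origin and rpId checks on the real site.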
The honest question nobody talks about enough is platform lock-in. Your passkeys live where you put them. Mine are in iCloud Keychain, which made sense given how I use Apple devices and gives me a deliberate separation from my password manager. That was a choice. If you’re on Android, Google Password Manager is the equivalent. If you’re thinking about this carefully, you’re thinking about what happens to your passkeys if you change platforms.
Since my passkeys and a good portion of my data live in iCloud, I’ve also been thinking seriously about Advanced Data Protection for iCloud, which is Apple’s term for end-to-end encryption of the vast majority of your iCloud data. Even Apple cannot access it. It should be the default. It isn’t. It’s an opt-in, which means most people don’t have it turned on. I don’t either, not because I don’t think it matters, but because turning it on means Apple loses the ability to help me recover my data if something goes wrong. I want to make sure my recovery options are solid before I make that move. That’s probably another post.
For Organizations: Give Your People Tools They Can Trust
If you’re running a business and you haven’t solved credential management for your team, your team has solved it for you. You just don’t know how. Some of them are using their browser. Some are using a personal password manager. Some have made other decisions you’d raise an eyebrow at if you knew.
Give your people tools they can actually trust and understand. Explain why you chose them. Make it easier to do the right thing than the convenient thing. Shadow IT isn’t a people problem. It’s a tools problem.
One Choice Today
I’m not telling you to use a specific tool. What I’m asking is that you make one deliberate choice today for your security. Pick an app, pick a tool. Maybe it’s one I mentioned, maybe not. Maybe it’s something you’re already using, looked at with fresh eyes. Either way, what changes is that it’s a choice you can explain.
Before you hand your credentials to anything, ask three questions:
- Can I see how it works?
- Has someone independent checked it?
- Can I get my data out if I need to?
If you can answer those, you’ve made an examined trust decision. That’s the goal. Not perfect security. Examined security. Knowing what you’re trusting and why.
Most people already have a password manager. The question is whether they chose it or inherited it. Whether they know why they trust it or just find it convenient. That gap, between convenience and examined trust, is where most credential problems live.
ADHawk Technical Solutions — Protecting Access. Empowering People.
If you’re not sure whether the tools your team is using have earned that trust, or you want help thinking through what credential management should look like for your organization or household, that’s exactly the kind of conversation ADHawk is built for. Let’s talk.