GlassbreakGlassbreak

What happens when your password manager is down?

Glassbreak Team · Published 2026-07-17

"Password manager is down" usually means one of several different things, and each has a different fix: the vendor's service is having an outage, you've forgotten your own master password, you've lost the device or key holding your second factor, your account has been suspended or flagged, or the one person who could grant you access is unreachable. In every case, what actually happens next depends entirely on what recovery path — if any — you set up in advance. Most password managers can't undo a lost master password by design, because a zero-knowledge vendor never has it to give back.

The failure modes, one at a time

SituationWhat typically happensThe gap
Vendor service outageInstalled apps with a cached vault may still work offline; browser-only or web access usually doesn'tShared team vaults and cross-device sync are still down
Forgotten master passwordNo vendor reset (by design, for a zero-knowledge product); recovery kit or emergency contact onlyIf you never set up a recovery kit or contact, the vault is permanently unreachable
Lost 2FA deviceBackup codes, if you saved them, or account-recovery support flowBackup codes stored inside the same locked vault help nobody
Account suspended or lockedSupport-driven identity verification, which can take daysNo fast path during an active incident
Account holder unreachableEmergency-access feature, if configured, after a waiting period (often 24+ hours)Built for one person's account, not a team's shared credentials

Why this matters more for teams than individuals

An individual locked out of their own password manager is a serious personal problem, but it's a bounded one — eventually you regain access or you don't, and either way it's your own accounts affected. A team locked out during an incident is a different shape of problem: the credential you need might be the one that fixes the outage. If your infrastructure password, your SSO admin login, or your on-call paging tool's credential lives in a vault that only one person can unlock, and that person is the one who's unreachable, the outage compounds itself.

The built-in emergency-access features many password managers offer help with the individual case — designate a trusted contact, wait out a delay period, gain access. They're less well suited to a team's shared, on-call reality: they're typically built around one account and one contact, not a rotating set of responders who might need to reach a shared secret on short notice, with a full record of who requested and approved it. For a closer comparison of the two models, see Glassbreak vs. password managers.

Reducing your exposure before it happens

The practical fix isn't choosing a "better" password manager — most reputable ones are solid tools for their core job. It's making sure any credential that a team, not just an individual, might need during an incident has a recovery path that doesn't depend on one person, one device, or one vendor's uptime all being available at the same moment. That generally means: a shared secret with more than one person able to recover it, ideally requiring more than one person's approval rather than any single admin override; a recovery method that doesn't itself live behind the thing it's meant to unlock (backup codes stored inside the locked vault they'd unlock are a common version of this mistake); and, where the stakes are high enough, cross-cloud or cross-vendor redundancy so a single provider's outage doesn't also take out your fallback.

Glassbreak's approach to this is quorum-based secret sharing: team secrets are split so that a threshold of independently authorized members must each approve before one is recovered, and the underlying infrastructure runs across two independent cloud providers rather than one, described on the how it works page. You can read the full cryptographic model, including why Glassbreak itself never holds anything it could decrypt, on the security page.

Frequently asked questions

Can I still access my passwords if my password manager's service is down?
It depends on the app and the vault. Many installed desktop and mobile apps cache an unlocked vault locally, so you can view items you've already loaded even without connectivity to the vendor. Browser extensions and web-only access typically can't, since they authenticate against the vendor's servers on each use. Shared team vaults and any admin-driven recovery generally require the service to be reachable regardless of caching.
What if I forgot my master password and the vendor can't reset it?
For a zero-knowledge password manager, this is often true by design: the vendor never has your master password or an unencrypted copy of your vault, so a support agent genuinely can't reset it for you. Your options are usually a recovery kit or key you generated and stored separately when you set up the account, a designated emergency contact (after a waiting period), or, if neither exists, permanent loss of that vault's contents.
Is a team emergency-access feature the same as a break-glass procedure?
Not quite. A password manager's built-in emergency-access feature is usually built for one person's account and one designated contact, with a fixed waiting period. A break-glass procedure is broader: it defines who can trigger emergency access to any critical system, what approval is required, and what gets logged — it can incorporate a tool like a password manager's emergency access, but it's the surrounding process, not a single vendor feature. See [what is a break-glass procedure](/answers/what-is-a-break-glass-procedure) for the fuller definition.
Should a team rely on one person's password manager account for shared credentials?
This is one of the more common single points of failure in small teams: a handful of shared logins living in one person's personal vault, shared out via a browser-extension feature. If that person leaves, loses their device, or is simply on a plane during an incident, the whole team is locked out of things they need. A shared team vault with more than one person able to recover it — or quorum-based recovery specifically — removes that dependency.

Stay Updated

Get product updates and security insights. No spam, unsubscribe anytime.

We respect your privacy. See our privacy policy.