GlassbreakGlassbreak

Glassbreak vs Spreadsheets and Sealed Envelopes

Glassbreak Team · Published 2026-07-17 · Facts checked 2026-07-17

Ask most teams what their break-glass plan is and the honest answer is rarely a product — it's a shared spreadsheet of passwords, a document sitting in a shared drive, or a sealed envelope in a physical safe. This page is about what that actually costs you, and where, for a genuinely small case, it's a fine tradeoff.

What spreadsheets and sealed envelopes solve

These methods persist because they solve the immediate problem cheaply: write the password down somewhere, tell the people who might need it, done. A spreadsheet is instantly familiar, needs no new tool, and works for anyone who can open a shared drive. A sealed envelope in a safe adds a physical barrier and a sense of ceremony — someone has to notice it's been opened. For a small team with one or two shared credentials and total mutual trust, that's often genuinely enough, and it's worth saying so plainly rather than pretending every team needs cryptographic quorum recovery.

Where informal methods break down

The problems show up as the team, the secret, or the stakes grow, and they tend to show up at the worst possible moment — during the actual emergency the plan was supposed to cover.

No encryption the storage provider can't read. A password spreadsheet in a shared drive is protected by account access controls, not by encryption the provider itself is locked out of. If that account, that drive, or that provider is ever compromised, the plaintext passwords go with it. Glassbreak encrypts secrets client-side before they ever leave the device that created them; the server stores ciphertext it cannot decrypt on its own.

No per-person audit trail. A spreadsheet doesn't record who actually opened which row and when — only who has edit access to the whole file, if that. An opened envelope doesn't record who opened it unless someone happens to notice and write it down. Glassbreak logs every trigger, approval, and access — successful or not — as part of the recovery flow itself, meant to be reviewed after the fact.

No revocation, only access removal. Removing someone from a shared drive stops future access to the file, but it doesn't undo what they already saw, screenshotted, or copied while they had access — and if the underlying secret hasn't been rotated, they may still be able to use it directly. Glassbreak doesn't solve rotation either, but its access model at least ensures no one holds a usable copy of a team secret without a recorded, quorum-approved event.

One person is the actual single point of failure. The envelope's safe combination, or edit access to "the sheet," usually lives with one person by default — often without anyone deciding that on purpose. That's precisely the failure mode break-glass planning exists to remove. Glassbreak's team secrets are split with Shamir's Secret Sharing (T-of-N, T at least 2): below the threshold, no subset of shares — including anything the server holds — carries any information about the key, so no single person's absence or compromise is fatal.

Nothing alerts anyone. A spreadsheet and an envelope are both passive — someone has to already know to go look. Glassbreak pairs quorum recovery with emergency messaging, call trees, and escalation rules, so the right people are actually notified when a break-glass event happens, not just theoretically able to find out.

When a spreadsheet or envelope is genuinely enough

If the actual situation is one low-sensitivity shared password among a couple of people who trust each other completely, with nothing regulated and no audit expectation, adding quorum cryptography is legitimately more than the problem needs — an informal method is an honest, reasonable choice. The tradeoff gets worse as any one of these grows: how many people need access, how sensitive the secret is, how often the team's membership changes, or whether anyone outside the team (an auditor, a regulator, a customer) will ever ask who can access what. If you're still on paper or a spreadsheet but want to raise the floor without a full platform switch, our guide on how to store team recovery codes covers the lower-effort middle ground.

The comparison

Spreadsheets & sealed envelopesGlassbreak
Encryption at restUsually none beyond drive/account access controlsClient-side encryption before data leaves the device; server holds ciphertext only
Recovery modelOne person typically holds sole access (edit rights, safe combination)Shamir's Secret Sharing, T-of-N quorum (T>=2); no single person unlocks a team secret
Audit trailNone, or informal (a note that the envelope was opened)Every trigger, approval, and access logged as part of the recovery flow
RevocationRemoving drive access doesn't undo prior exposureQuorum-approved access model; no standing single-person copy of the secret
AlertingPassive — someone has to already know to lookEmergency messaging, call trees, and automatic escalation
Cost/setupEffectively free, zero setupFree plan available; paid tiers add scale and compliance features

Getting started

Glassbreak's Free plan supports one team of up to 5 members, 2 responder seats, and 10 encrypted secrets — a low-friction upgrade path from a spreadsheet or envelope that doesn't require convincing anyone to pay first. Paid Team ($15) and Business ($39) plans, billed per responder seat, add unlimited secrets, playbooks, and escalation rules for teams that have outgrown the informal version. Read the full cryptographic design on the security page and the two-cloud infrastructure behind it on how it works, or see how small teams typically make this move in Glassbreak for Small Business. Paid billing is rolling out during early access — you can request early access today, and the Free plan has no time limit while you wait.

Frequently asked questions

Isn't a sealed envelope in a safe actually pretty secure?
Physically, often yes — a locked safe resists casual access. What it doesn't provide is anything digital does by default: an audit trail of who opened it and when, a way to revoke access without physically changing the lock, or a way to notify a whole team the moment it's opened. It also has a single point of failure that isn't obvious until it matters: exactly one person usually knows the combination or has a key.
What's actually wrong with a shared spreadsheet of passwords?
Mainly three things. It's rarely encrypted at rest — most spreadsheet and shared-drive tools protect the file with account access, not with encryption the provider itself can't read. Anyone with edit access can see everything in it, not just what they need. And when someone leaves the team, removing their access to the underlying drive doesn't retroactively un-see what they already read or exported.
When is an informal method like this actually fine?
When the stakes are genuinely low: a single non-sensitive shared password among two or three people who trust each other completely, nothing subject to a compliance requirement, and no regulatory or audit expectation that access is logged. A lot of small teams are in exactly that position, and building quorum cryptography for it is unnecessary overhead.
What's the actual trigger for outgrowing a spreadsheet or envelope?
Usually one of: the secret is sensitive enough that one leaked copy is a real incident, more than a handful of people need access at different times, someone leaves the team and you can't be certain what they saw, or an auditor, regulator, or customer starts asking who can access what and when. Any of those is a sign the informal method has quietly become the actual risk.

Stay Updated

Get product updates and security insights. No spam, unsubscribe anytime.

We respect your privacy. See our privacy policy.