Let’s just face it. We’ve all been guilty of reusing passwords. (If you don’t, then I’m not talking to you. Asshole.) And for good reason — it’s just too damn inconvenient to manage unique passwords across the hundreds of services we use. But we can at least be a bit intelligent about it, and achieve a certain level of security with a smart system without having to blow our brains out.
Yesterday’s xkcd about password security sparked a bit of thought and debate across the interblags. I’ve long been using a simple system to manage my passwords, and today I incorporated The Venerable Mr. Munroe’s comic advice. I now give to you…
These are things you don’t care about losing, but you don’t want them to become public property.
Things you care about, for which you want privacy and protection.
Services that other people rely on, and would be very, very bad if compromised.
Sensitive financial services.
Don’t store the passwords anywhere but in your head.
The extra bit at the end of the passwords makes sure they are unique across these sensitive services, but still easy to remember when you try to log in. You might also want to use this trick for your email accounts from Tier 3, since they usually enable password recovery for other services.
Use to lock the password-storage services that manage passwords from Tiers 2–4. This one is optional and exists for the sake of convenience only.
Restrict this one to just your head too.
As you’ll be typing out this one the most, make sure the words are easy and fast to type. You might also want to consider crafting it so that the letters are hard to make out as you type them on the keyboard (to keep away prying eyes from guessing the phrase).
For your information, all of the above example passwords are rated as “Strong…typically good enough to safely guard sensitive information like financial records” (by rumkin.com’s password strength analyzer). Even the bullshit one. And I just love what the analyzer says about the Tier 1 password.
Those readers gifted with a little foresight will see there’s a problem brewing up ahead. What happens when you have to change your password because a service got hacked, or it requires you to change your password regularly? Then the whole one-memorable-password-per-tier system breaks down, right? This question plagued me for a while, but then I thought of something cool. Why not use the same technique used for Tier 1?
So when you have to change your password for say, Twitter, from “dogs eat bunnies”, just change it to “dogs eat bunnies on twitter”. Now, when you try to log in to Twitter, if “dogs eat bunnies” doesn’t work, then you know to try “dogs eat bunnies on twitter”. And if you have to change the password again, just change it back to your original password. Neat, right? (Yeah, I know, there are some services that don’t let you use the same password you used previously. Fuck them.)
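A worked way to sanity-check the two claims above, added here as an example and not part of the original post: a naive strength meter credits a passphrase for its length and character set, while the actual guess space of a word-based passphrase is the number of words times the bits per word, and the “on twitter” suffix only adds the handful of bits needed to guess a service name. In particular, once the base passphrase has leaked from one breached service (the exact situation the post is solving), every “on <service>” variant is recoverable with a few hundred guesses, so the base should rotate as well. The word-list size, service-list size and guess rate below are constructed assumptions for the model, not numbers from the post or from rumkin.com.

```python
import math

# Model parameters. Constructed assumptions for this example, not figures from the post.
WORD_LIST_SIZE = 2048      # ~11 bits per word, in the spirit of the xkcd comic
SERVICE_LIST_SIZE = 512    # service names someone who knows the "on <service>" trick would try
GUESSES_PER_SECOND = 1e10  # offline guessing against a fast, unsalted hash (for the time estimate)


def passphrase_bits(num_words, word_list_size=WORD_LIST_SIZE):
    """Entropy of num_words words chosen uniformly at random from a list of word_list_size."""
    return num_words * math.log2(word_list_size)


def charset_bits(password):
    """What a naive strength meter credits: length times log2 of the inferred character set."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(charset)


def variant_bits(base_bits, base_already_known, service_list_size=SERVICE_LIST_SIZE):
    """Entropy of '<base> on <service>'. If the base leaked, only the suffix is unknown."""
    suffix_bits = math.log2(service_list_size)
    return suffix_bits if base_already_known else base_bits + suffix_bits


def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Average time to hit the password: half the keyspace at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second


def compare(base, num_words):
    """Side-by-side bit estimates for one base passphrase under each model."""
    base_bits = passphrase_bits(num_words)
    return {
        "meter_bits": charset_bits(base),
        "scheme_bits": base_bits,
        "variant_bits_fresh": variant_bits(base_bits, base_already_known=False),
        "variant_bits_after_leak": variant_bits(base_bits, base_already_known=True),
    }


if __name__ == "__main__":
    base = "dogs eat bunnies"  # the post's own example base password: three common words
    for label, bits in compare(base, num_words=3).items():
        print(f"{label:24s} {bits:6.1f} bits  ~{expected_crack_seconds(bits):.3g} s to exhaust")
```

Running it shows the meter crediting “dogs eat bunnies” with roughly 94 bits, the word model giving 33 bits for three words, and the leaked-base case collapsing the Twitter variant to about 9 bits. The numbers shift with the list sizes you pick, but the ordering is what matters: the suffix trick buys uniqueness against someone who does not know the scheme, not against someone holding the base passphrase from a breach.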
In the end, it’s all about balance. You might naively believe that you can maintain ultimate security using a different password for every service and can keep track of all of them with an encrypted spreadsheet or something, but you’re kidding yourself. You’ll end up getting lazy, and then fall back to a system that ends up becoming the worst of all evils. This tiered system keeps a certain level of security while staying easy and convenient enough that you won’t feel the need to subvert it.
I even flirted with the idea of using a randomly-generated password for each individual service, and locking them all up in one place (like 1Password). But in the end, I realized that I didn’t want to rely on something external to my own mind to be able to log in to my services; it just becomes too damn inconvenient when you don’t have access to it (like when you have to log in from someone else’s device). Being able to log in from pure memory is simply more practical than anything else.
And for even more convenience, I use 1Password to automatically sign me in to most services, and use the Tier 0 password as a master password for it.
Alright, that’s all I got. Enjoy putting off a long fall into the endless void of insanity for another day.