
The 4+1 Tier Password System for Staying Safe and Sane

Let’s just face it. We’ve all been guilty of reusing passwords. (If you don’t, then I’m not talking to you. Asshole.) And for good reason — it’s just too damn inconvenient to manage unique passwords across the hundreds of services we use. But we can at least be a bit intelligent about it, and achieve a certain level of security with a smart system without having to blow our brains out.

Yesterday’s xkcd about password security sparked a bit of thought and debate across the interblags. I’ve long been using a simple system to manage my passwords, and today I incorporated The Venerable Mr. Munroe’s comic advice. I now give to you…

The 4+1 Tier Password System

Tier 4 - The Bullshits

These are things you don’t care about losing, but you don’t want them to become public property.

  • Includes: Bookmark web apps, library card accounts, StumbleUpon
  • Use: A single 3-word memorable phrase
  • Example: monkeys love diagrams

Tier 3 - The Importants

Things you care about, for which you want privacy and protection.

  • Includes: Email, social networks, blogs
  • Use: A single 4-word phrase with short, memorable words
  • Example: bleach baby hair cyan

Tier 2 - The Mission-Criticals

Services that other people rely on, and whose compromise would be very, very bad.

  • Includes: Servers, hosting, shared data drives
  • Use: A single 4-word phrase with obscure words
  • Example: liquidity likens graphical theorems

Tier 1 - The Benjamins

Sensitive financial services.

  • Includes: Bank accounts, PayPal, tax assistants
  • Use: For each service, a 3-word phrase with obscure words + “in” + the name of the service
  • Example: wheatgrass makes octagrams in paypal

Don’t store the passwords anywhere but in your head.

The extra bit at the end of the passwords makes sure they are unique across these sensitive services, but still easy to remember when you try to log in. You might also want to use this trick for your email accounts from Tier 3, since they usually enable password recovery for other services.

Tier 0 - The One To Rule Them All

Use it to lock the password-storage services that manage passwords from Tiers 2 - 4. This one is optional and exists for the sake of convenience only.

  • Use: A 4-word phrase with short, obscure words
  • Example: bruisers cremate coaster pylons

Restrict this one to just your head too.

As you’ll be typing out this one the most, make sure the words are easy and fast to type. You might also want to consider crafting it so that the letters are hard to make out as you type them on the keyboard (to keep away prying eyes from guessing the phrase).

For your information, all of the above example passwords are rated as “Strong…typically good enough to safely guard sensitive information like financial records” (by rumkin.com’s password strength analyzer). Even the bullshit one. And I just love what the analyzer says about the Tier 1 password.

A little caveat

Those readers gifted with a little foresight will see there’s a problem brewing up ahead. What happens when you have to change your password because a service got hacked, or it requires you to change your password regularly? Then the whole one-memorable-password-per-tier system breaks down, right? This question plagued me for a while, but then I thought of something cool. Why not use the same technique used for Tier 1?

So when you have to change your password for, say, Twitter, from “dogs eat bunnies”, just change it to “dogs eat bunnies on twitter”. Now, when you try to log in to Twitter, if “dogs eat bunnies” doesn’t work, then you know to try “dogs eat bunnies on twitter”. And if you have to change the password again, just change it back to your original password. Neat, right? (Yeah, I know, there are some services that don’t let you use the same password you used previously. Fuck them.)
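The Tier 1 rule above and the rotation trick from this caveat, written out as an added Python example (mine, not the post's): it builds the phrases the post describes, estimates each tier's guessing resistance on the assumption that the attacker knows the scheme and only the words are secret, and works out which other logins a single leaked password exposes, since every service in a tier shares one phrase. The wordlist sizes and the sample vault are constructed assumptions, not figures from the post.

```python
import math

# Assumed wordlist sizes (not figures from the post): about 2^11 common
# "short, memorable" words and about 2^15 "obscure" words.
COMMON_WORDS = 2048
OBSCURE_WORDS = 32768


def passphrase_bits(word_count, wordlist_size):
    """Entropy of `word_count` words chosen uniformly from a list of
    `wordlist_size` words, with the scheme (word-based phrase, fixed word
    count) assumed known to the attacker."""
    return word_count * math.log2(wordlist_size)


def tier_entropy_bits():
    """Each tier's phrase under the post's rules: Tier 4 = 3 common words,
    Tier 3 = 4 common words, Tier 2 and Tier 0 = 4 obscure words,
    Tier 1 = 3 obscure words. The 'in <service>' suffix on Tier 1 adds no
    entropy: whoever is guessing a PayPal login already knows the word
    'paypal'; the suffix only stops one phrase from opening every Tier 1 site."""
    return {
        "tier4": passphrase_bits(3, COMMON_WORDS),
        "tier3": passphrase_bits(4, COMMON_WORDS),
        "tier2": passphrase_bits(4, OBSCURE_WORDS),
        "tier1": passphrase_bits(3, OBSCURE_WORDS),
        "tier0": passphrase_bits(4, OBSCURE_WORDS),
    }


def tier1_password(base_words, service):
    """Tier 1 rule: three obscure words + 'in' + the service name."""
    if len(base_words) != 3:
        raise ValueError("Tier 1 uses exactly three base words")
    return f"{' '.join(base_words)} in {service.lower()}"


def rotated_password(base_phrase, service):
    """Rotation trick from the caveat: append 'on <service>' when a site
    forces a change; the next forced change goes back to the base phrase."""
    return f"{base_phrase} on {service.lower()}"


def login_candidates(base_phrase, service):
    """Order to try at login after a possible rotation: base phrase first,
    then the rotated form."""
    return [base_phrase, rotated_password(base_phrase, service)]


def strip_rotation(password, service):
    """Undo the rotation suffix so rotated and unrotated logins compare equal."""
    suffix = f" on {service.lower()}"
    return password[:-len(suffix)] if password.endswith(suffix) else password


def blast_radius(passwords_by_service, leaked_service):
    """Services whose login is exposed once `leaked_service`'s password is
    known: every service on the same phrase, or on a rotated variant of it,
    falls with the leaked one. This is the cost the tiered system accepts
    in exchange for memorability."""
    base = strip_rotation(passwords_by_service[leaked_service], leaked_service)
    exposed = set()
    for service, password in passwords_by_service.items():
        if service != leaked_service and strip_rotation(password, service) == base:
            exposed.add(service)
    return exposed


# Constructed sample vault using the post's example phrases.
VAULT = {
    "stumbleupon": "monkeys love diagrams",                       # Tier 4
    "gmail": "bleach baby hair cyan",                              # Tier 3
    "facebook": "bleach baby hair cyan",                           # Tier 3
    "twitter": rotated_password("bleach baby hair cyan", "Twitter"),  # Tier 3, rotated
    "paypal": tier1_password(["wheatgrass", "makes", "octagrams"], "PayPal"),
}

if __name__ == "__main__":
    for tier, bits in tier_entropy_bits().items():
        print(f"{tier}: ~{bits:.0f} bits")
    print("leaked facebook exposes:", sorted(blast_radius(VAULT, "facebook")))
    print("leaked paypal exposes:", sorted(blast_radius(VAULT, "paypal")))
```

The entropy figures are only as good as the wordlist assumption: picking four words from a much smaller mental vocabulary, or words an acquaintance could guess, lowers them. The blast-radius check is the part worth running against your own list of services, because it shows concretely that a leak at any Tier 3 site hands over every other Tier 3 login, rotated or not, while the per-service Tier 1 suffix keeps a PayPal leak from spreading.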

But isn’t reusing passwords tantamount to genocide?

In the end, it’s all about balance. You might naively believe that you can maintain ultimate security using a different password for every service and can keep track of all of them with an encrypted spreadsheet or something, but you’re kidding yourself. You’ll end up getting lazy, and then fall back to a system that ends up becoming the worst of all evils. This tiered system keeps a certain level of security while staying easy and convenient enough that you won’t feel the need to subvert it.

I even flirted with the idea of using a randomly-generated password for each individual service, and locking them all up in one place (like 1Password). But in the end, I realized that I didn’t want to rely on something external to my own mind to be able to log in to my services; it just becomes too damn inconvenient when you don’t have access to it (like when you have to log in from someone else’s device). Being able to log in from pure memory is simply more practical than anything else.

And for even more convenience, I use 1Password to automatically sign me in to most services, and use the Tier 0 password as a master password for it.

Alright, that’s all I got. Enjoy putting off a long fall into the endless void of insanity for another day.
