Some Passwords Are More Equal Than Others
Updated: Jun 10, 2022
Apologies to George Orwell, but like his animals in Animal Farm, some passwords are more equal than others. The problem with password-based security is the "all passwords are equally important" mentality. They simply are not. All security needs are not the same.
I classify passwords into three distinct categories, "Secret," "Most Secret," and "Eyes Only," and treat each differently.
The SECRET category is for those digital services with low risk. This includes free trials where no credit card is involved, apps that do not have the capability for in-app purchases, newsletters, and so forth. For this category, browser password storage with autofill is perfectly acceptable. Even so, I recommend using an external tool to generate the password and using a minimum length of 16 characters (but 20 is better) with random symbols and numbers. I recommend the free tool at https://passwordsgenerator.net/
Here is an example of a good password:
Then, let the browser store it, and don't even bother to write it down — if you lose it, you can always hit the "forgot password" link and reset it to a new one. The long, painful password is no big deal because you will let the machine handle it. Accounts protected this way are acceptably secure and relatively unlikely to be hacked, but the key is that there is little risk. No one can steal anything from you even if hacked because it's not a bank account, and there's no credit card on file. Of course, they might impersonate you in some other circumstance, but there is minimal damage they can do for the most part, and browser storage is acceptably secure.
For real accounts, for, say, your bank account ID, let's step up to the next level: MOST SECRET. We make the password longer (20 characters, minimum, 24 is better) and add 2FA. We apply the "most secret" category to those accounts with financial risk. This applies to banks and similar cases where someone gaining access can get your money. In such cases, 2FA is mandatory — non-negotiable.
What's 2FA? It stands for Two-Factor Authentication. The TL;DR is that it needs TWO things to access. A Password and a Key.
There are three forms of 2FA. SMS-based, Authenticator-based, and hardware-based. There is a 4th form, "secret questions," that we should NEVER use. If your bank or other institution forces "security questions" on you, I recommend (1) Write a scathing letter to customer support, and refer them to THIS ARTICLE. (2) Make up lying, nonsensical answers and write them down on paper somewhere you can find easily if you need them. (3) As quickly as possible, take your business elsewhere. Don't do business with any institution with weak cybersecurity, if possible.
For MOST SECRET services, we make the password even longer than the "Secret" category, though we still allow the browser to store it. Generally, you don't need to write it down because you can still hit the 'reset password' link if you lose it. However, writing it down somewhere safe is not a bad thing. We'll talk about how and where to do that another time.
While SMS-based 2FA is not entirely awful, it carries significant risks from SIM-jacking. Unfortunately, many institutions give you no choice, so you are stuck with SMS-based 2FA. If that's all your institution allows, then use it but complain loudly to their customer service department and demand they support authenticator-based 2FA.
I strongly recommend using a software authenticator. Google, Microsoft, and Facebook provide free 2FA authenticators. There are also free alternatives such as Authy and open-source tools such as KeePass, Aegis, and andOTP. Although the authenticators provided by the web giants are fine, I am always reluctant to move deeper into the entrenched software giants' ecosystems. I use and recommend Authy.
The gold standard for 2FA is a hardware key, such as a YubiKey, but YubiKeys cost money and are a pain to use. If you are protecting a significant asset, I recommend YubiKeys, but they are hardcore, that is, overkill for most users and applications.
Browser storage of the "most secret" passwords is marginally acceptable, as long as the 2FA is solid, but I prefer an open-source password manager such as Bitwarden. In either case, they store your password, and thus, you do not directly control it, but the extra layer of having 2FA mitigates this risk.
Finally, "EYES ONLY" passwords are a special and unique category. I have often said if you want to keep it secret, don't put it on a computer. This category of passwords is the perfect example of a secret you never keep on a computer. "Eyes-only" means no password storage anywhere on the computer or in the cloud. Instead, write it down in a book and lock the book in a safe. I'm not exaggerating! But more importantly, memorize it — don't trust it to any password manager or browser storage. Never store it on your computer in a text file or even an image. Pen and ink on paper and your brain cells are the only places to keep this password.
Of course, 2FA is a must, but absolutely NOT the SMS-based variety and I strongly recommend using Yubikeys. But the kicker is we do not use passwords at all. We use passphrases or code words. A passphrase is a kind of password that uses a series of words, separated by spaces or not—it doesn't much matter. "CorrectHorseBatteryStaple" is a perfectly good passphrase though I recommend longer. Passphrases are easier to remember and amenable to using a mnemonic device.
Five words should be sufficient. Eight is better. You can do number/letter substitutions, but that only makes a slight improvement, if any. I prefer doing so but am under no illusions. Sheer length is what makes it secure. There is a reason most crypto wallets use 24 dictionary words.
Don't choose common words, and don't choose famous quotes or sayings. The words should be as random as possible.
e.g., "5cience b1ogger sa1d tes1a texa5 count5 trucks cars" would be an excellent passphrase that one could easily remember. It is almost a sensible sentence, close enough to remember but unlikely to be guessed. Write it down with paper and ink only, don't let a password manager or browser store it, and combine it with 2FA, preferably using a Yubikey, and you can trust it to be secure until the next millennium.
Code Words are a very similar technique used for crypto-wallets. They consist of twelve or twenty-four words used to encode a wallet to the blockchain. Again, write them down, paper and ink, and put them in a safe: no computer files, no pictures. A crypto wallet can hold real money and a significant amount of it. Losing those code words means losing the money, and possessing them means having the money. Protect them. But don't take them to your grave, either. Write them down and ensure they are safely stored where your family can get them if needed.
In closing, all passwords are not equal because the assets we protect are not equally valuable. Therefore, adjust your password policy to accommodate the value of the asset you are guarding.