

The 4+1 Tier Password System for Staying Safe and Sane - chetan51
http://chetansurpur.com/blog/2011/8/tiered-passwords.html

======
mustpax
Well written article but this password scheme is neither convenient nor
feasible for lay persons. You have to remember 5 different passwords and also
remember which websites belong to each category. If you're an active enough
internet user that you need 4/5 password tiers, you're going to have plenty of
websites that straddle the line between BS and important. This sort of
fine-grained categorization just adds to the cognitive overload, which is the
current problem with password management we're trying to solve.

I'm pretty convinced that the right solution is to use a password manager with
one very strong password that you memorize.

------
nfm
Some good thoughts here.

Perhaps it would be better to have a more obscure suffix for Tier 1 passwords.
Otherwise, if a password is compromised, a motivated attacker wouldn't have
much trouble guessing your other Tier 1 passwords.

"wheatgrass makes octagrams in paypal" leads trivially to "wheatgrass makes
octagrams in gmail" and "wheatgrass makes octagrams in #{bank_of_choice}".

~~~
chetan51
Good point. What would you use as a suffix then?

~~~
nfm
You could transpose the word in some way. So maybe move each letter two keys
to the right - 'p' becomes ']', 'a' is 'd' and so on. Then you end up with
']di]dl' instead of 'paypal', which is a bit more obscure. It might not work
so well if the rest of your passphrase is made up of dictionary words.

I'm a bit paranoid though - most compromises aren't targeted and if a hacker
gets a list of 20,000 hashes to crack they aren't going to inspect them
individually.

------
godarderik
I don't think that my email is only a Tier 3. I have half of my online
communications in Gmail and would be very upset if it were compromised.

~~~
mikeburrelljr
EMAIL deserves to be TIER 1 in the regards that if one breaks this layer of
security, they are often able to gain access to most anything, including
financial institutions.

------
tednaleid
I disagree with password schemes like this. Every website should have a unique
password. Sharing a password across websites based on their "tier" opens you
up to an entire tier getting cracked if any website is compromised. That's
inexcusable.

You should not know most of your passwords.

You should only need to remember one password, the one that opens up your
password vault and gives you access to the other massively strong passwords
that you never need to even type, let alone memorize. With tools like
1password and lastpass, this is doable today.

Also? Many banking websites have really shitty password restrictions that
prevent truly strong passwords, especially if you use things humans can
remember. Wells Fargo has a 14 character max. Vanguard has a 10 character max
(though they say it's 50, it's not). Discover has a 10 character max. I'm sure
there are others just as bad.

------
dougws
I'm amazed that an XKCD comic has inspired at least 3 front-page articles on
HN. I think passwords are one of those things that, even in the tech world,
people know that they should do better at but just haven't gotten around to it
yet. That certainly includes me, and I think I may switch to the system
outlined in this post.

------
sardonicbryan
The one issue I haven't seen addressed in any of these password posts is that
many sites/services (like my corporate login, for example) require you to use
both numbers and capitalization. So what I've started doing is using the same
3 word combo with l33t substitutions, capitalization and punctuation and the
first n (like I'm telling you guys) letters from the service I'm logging into
added to the end.

------
chetan51
Note about Email in Tier 3 -- it's logically placed in Tier 3, but actually
has the same security mechanism as Tier 1. The reason it's placed in Tier 3 is
that if it's compromised, it at least doesn't directly compromise Tier 1.

------
fourspace
Nice writeup. I've been using a system like this for years, having reached
many of the same conclusions.

The only wrinkle is when sites require you to use capital letters, special
characters, restrict password length, etc.

~~~
jayfuerstenberg
Agreed. What makes a password secure is the uncertainties surrounding it. The
characters that comprise it and the length should be as freeform as possible.
Then hackers can't make any assumptions.

This is in fact how password generation is implemented in KEYBOX
(<http://www.jayfuerstenberg.com/keybox/>). The only problem is some sites
don't always accept the passwords KEYBOX generates for you.

------
Vitaly
Email is tier 3?!!! This is insane. There is not much more important than your
primary email account! Primarily because you can get access to pretty much
anything once you break into email.

------
jogloran
The whole point of a 'pick random words' scheme is to maximise the amount of
entropy. With every stipulation on the form of the words you make your scheme
ever so slightly less effective.

