With the recent password database break-ins at some very high-profile companies, those whose passwords were exposed should change their passwords, and consider using a tiered password structure, along with tiered email addresses.

A tiered password structure is a list of passwords that you use for different types of accounts, where the complexity of the password depends on what the exposure would be if that password is obtained. For example, for your bank accounts, you might create a very difficult and highly random password that you could never possibly remember. Since this will be stored in a secured password database, and copied and pasted when used, you won’t have to worry about remembering it. Many tools like GPG or PasswordSafe are available to save passwords in a list like this. You might opt for better security by using a different password for each top-tier account. Or you might share a very difficult password among your top-tiered accounts, which would be less secure but still good enough with very high probability. Security is always a probability equation. Another best practice which greatly decreases password comprimise is to change passwords frequently.

Some key items to remember when using Tiered passwords:

  • Use a random password generation tool to generate your passwords. Here is an example an online random password generation tool: https://www.random.org/passwords.
  • Change the passwords in your password file regularly. This shouldn’t be that hard to do, if you already have them in one place. You might use some automatic calendar reminder tool to prod you to do so every 60 or 90 days.
  • You will need a “master password” for your password database. This will be something that you should probably commit to memory since you will need it when accessing your password database. Fortunately you don’t have to worry about changing it very frequently at all. There are ways to create very random yet “pronounceable” passwords. These can be a good choice for master passwords. Most people are able to remember at least one very difficult password long-term. For backup purposes you might write it down and secure it in your safe. You might also include this password and instructions accessing your password file in your will.
  • For some websites where you store very basic information, you might decide to use credentials that are easy to remember and skip the periodic password changes. These credentials would be websites that required only email address/password registration, stored no credit card, billing or other information.
  • Make sure you back up your password database (or file, as it were, if using good old GPG), and test a restore, to make sure that a disk failure won’t mean the end to your password list.

© Copyright 2020 Rex Consulting, Inc. – All rights reserved