3-Tier Password Management
Password Managers — Outlook
According to NordPass, the number of passwords owned by an average person stands at 168, with an upward trend. Password managers have been widely recommended to discourage password reuse. However, consolidating all your passwords into one basket and using “one key to rule them all” might not be ideal, especially considering the interdependence of accounts in the event of lateral movement: one recovered credential often unlocks the next.
Additionally, with MFA codes increasingly synchronised to the cloud, as seen with Microsoft and Google Authenticators, there is a growing risk of creating a single point of failure.
I wanted to share my risk-based password management strategy, rooted in the concept of “segregation”, and see if that resonates with you. I manage my passwords in 3 buckets, ensuring that even the compromise of a lower-tiered bucket wouldn’t allow the lateral compromise of higher-tiered buckets (no read-up).
Tier 3 — Convenience
The lowest-tiered passwords are what I use for my day-to-day operations — the same password manager, but one account for work (except SSO) and one account for personal use.
These are application sites, including eCommerce, hotels, throw-away accounts, subscriptions, etc. I opt for convenience over overt security for these.
- The password manager offers password synchronisation to the cloud across my devices? I’ll take it.
- The browser extension stores and auto-fills passwords and passkeys? Go for it.
- Unlocks using biometrics? Hit me.
- Checks my passwords against dark-web leaks? I’m indifferent.
- Changes my passwords automatically on my behalf? Be my guest.
Passwords are transparent to me at this tier, just like passwordless systems.
Tier 2 — Identity
In the next tier, passwords are used for my banking sites, SSO, government portals, telcos, email accounts — anything that can assume my identity. I use an offline password manager that can only be accessed with a key and a password. The key store is backed up on one cloud storage service while the key is backed up on another, so neither backup alone opens the vault. The password to this password manager is stored in my Tier 1 system.
Tier 1 — Me
To put numbers in perspective, I’d probably have 700 passwords in tier 3 (just because I don’t bother cleaning up), 100 in tier 2, and 5–10 in tier 1.
For this handful of passwords in tier 1, I do it the old-fashioned way — memorise them. The only way to get them from me is if you subject me to torture (I might write some of them on paper kept in my safe as well for emergencies).
There you have it, my 3-tier password management structure.
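The “no read-up” property above is easy to state and easy to break by accident (a browser extension offering to save a banking password, or an MFA seed synced into a Tier 3 account). The following is an added worked example, not part of the original post, that models a password inventory as a dependency graph and audits it for read-up paths. The inventory, account names and the two planted violations are constructed for illustration; each account lists alternative ways to obtain its credential, and every member of an alternative must be compromised for that path to work, so a path is only as trusted as its most trusted member.

```python
# Constructed inventory for illustration (not the author's real accounts).
# tier: 1 = most trusted, 3 = least. requires: list of alternatives; each
# alternative is a set of accounts that must ALL be compromised to obtain this
# account's credential (it is stored there, it is the recovery e-mail, it holds
# the synced MFA seed, or it holds the unlock key). Two read-up violations are
# planted: a tier-2 portal kept only in the tier-3 cloud manager, and a tier-2
# bank whose password was saved by the tier-3 browser extension while its MFA
# seed lives in a tier-3 synced authenticator.
INVENTORY = {
    "memorised-vault-master":     {"tier": 1, "requires": []},
    "memorised-cloud-pm-master":  {"tier": 1, "requires": []},
    "memorised-keyfile-storage":  {"tier": 1, "requires": []},
    "memorised-keystore-storage": {"tier": 1, "requires": []},
    # the offline vault opens only with password + key file + key store backup
    "offline-vault": {"tier": 2, "requires": [
        {"memorised-vault-master", "memorised-keyfile-storage",
         "memorised-keystore-storage"}]},
    "primary-email": {"tier": 2, "requires": [{"offline-vault"}]},
    "synced-authenticator": {"tier": 3, "requires": [{"cloud-pm"}]},
    "bank": {"tier": 2, "requires": [
        {"offline-vault"},                        # intended path (read-down)
        {"cloud-pm", "synced-authenticator"}]},   # planted slip (read-up)
    "gov-portal": {"tier": 2, "requires": [{"cloud-pm"}]},   # planted slip
    "cloud-pm": {"tier": 3, "requires": [{"memorised-cloud-pm-master"}]},
    "shop": {"tier": 3, "requires": [{"cloud-pm"}, {"primary-email"}]},
    "hotel": {"tier": 3, "requires": [{"cloud-pm"}]},
}


def read_up_violations(inventory):
    """Return (account, its tier, path) for every way of obtaining a credential
    that needs only accounts from a LESS trusted tier than the credential itself."""
    tier = {name: acct["tier"] for name, acct in inventory.items()}
    found = []
    for name, acct in inventory.items():
        for alt in acct["requires"]:
            # the attacker must hold every member, so the path is as trusted as
            # its most trusted (lowest-numbered) member
            path_tier = min(tier[dep] for dep in alt)
            if path_tier > tier[name]:
                found.append((name, tier[name], sorted(alt)))
    return found


def blast_radius(inventory, compromised):
    """Fixed point: everything an attacker holding `compromised` eventually obtains."""
    owned = set(compromised)
    changed = True
    while changed:
        changed = False
        for name, acct in inventory.items():
            if name in owned:
                continue
            if any(alt <= owned for alt in acct["requires"]):
                owned.add(name)
                changed = True
    return owned


def tier_breach(inventory, compromised_tier):
    """Accounts MORE trusted than `compromised_tier` that fall when that whole
    tier is lost; an empty list means the tier boundary holds."""
    start = {n for n, a in inventory.items() if a["tier"] == compromised_tier}
    owned = blast_radius(inventory, start)
    return sorted(n for n in owned if inventory[n]["tier"] < compromised_tier)


if __name__ == "__main__":
    for name, t, path in read_up_violations(INVENTORY):
        print(f"READ-UP: tier-{t} '{name}' obtainable via {path}")
    for t in (3, 2):
        print(f"losing all of tier {t} also exposes: {tier_breach(INVENTORY, t)}")
```

Running it reports the two planted slips (`bank` and `gov-portal` both reachable from Tier 3 accounts) and shows that losing all of Tier 2 still exposes nothing in Tier 1, which is exactly the boundary the scheme is meant to hold. The fix for each finding is to delete the offending path: remove the saved Tier 2 password from the Tier 3 manager, and move the MFA seed or the portal credential into the Tier 2 vault.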