Note on 2013-01-14: I’ve since had a change of heart. See Snowflake Passwords post. I’m keeping this post here for posterity and future embarassment material.

Many noted security practitioners advise users that they need to ensure that their financial passwords are kept separate from other web services they use. Some even advocate for a unique password for each service they use. Both methods I believe are ultimately flawed as they swing the pendulum of password management from the side of overly simplistic to extremely complicated.

I propose a simple three tier system for easy password management. This system ensures a simple separation of passwords to prevent cross access of your digital life.

The first tier (or the lowest) is known as the simple password. This password is used for random websites & services that you may come across during your journey through the internet. This password would be simple in nature and would fulfill the most basic password requirements. Requirements for this password is that it contains 6-8 characters and a minimum of either one upper case character, number, or special character. Examples include:

  • Password
  • letme1n
  • wh0doneit

The second tier is reserved for passwords of medium complexity. It is reserved for reputable services that could be tied back to your real identity. These services contain no personal information other than your name, birth month/year, and zip code. If the service or website requests more information then that, it likely falls under the third tier of this system. Requirements for this password is 8-12 characters, a minimum of two combinations of a digit, upper case, or a special character. This password also may not contain any dictionary words (even altered). Password examples include:

  • Sup3rS3cr3T
  • Ple4s3_l3t_me_in
  • p4$$w()rD

The third and last tier is for passwords that you absolutely do not want to have disclosed. This tier would include passwords that are linked to your personal identity, financial information, & personal information. To effectively eliminate any compromise, ensure that you only access these services from trusted terminals. Examples of services or sites that would use this tier would be: shopping websites, email accounts, and your bank accounts. Due to the sensitivity of these accounts, I would recommend using separate passwords for each account. If that isn’t possible, ensure that at least your email password is unique. The reason behind this is because generally of your other accounts can be reset via your email. As such, you want to ensure that you protect your email account as much as possible. Requirements for this password is >15 upper or lower case characters, minimum of two numbers, and two special characters. Password examples include:

  • Sup3rS3cr3T_p4$$w0rd
  • dont_hack_ME_br0_12
  • 1984won'thappentome_IHOPE

Please keep in mind that this system may need to be altered to fit specific password requirements for each service. Good luck and be safe!