Why Passwords Aren't The Problem

A Different Approach to Remembering Passwords

Introduction

    As someone who has been reading about computer security for a very long time, and who also holds a CompTIA Security+ and has spent many hours teaching computer security, I'd like to offer a contrary opinion to what I see the computer security market doing right now.  You see, the whole computer security market right now seems to be pushing people towards password managers, saying passwords aren't secure.  I completely disagree, because I think most of this is at root a problem of human laziness, not of passwords themselves.  I would point out that there are computer security pundits who have already expressed skepticism about password managers.  I would ask people to reconsider for the following reasons.

Claims of Passwords being Hard to Remember

    One of the first complaints levied against passwords is that they are not user friendly.  People claim that secure passwords are hard to remember.  I disagree for a reason I call the Macbeth hypothesis.

    You see, many teenagers memorize the famous "To Be or Not To Be" stanza of Shakespeare's play Macbeth.  It's usually quoted as a stanza of 33 lines and 262 words.  Many other teenagers in US schools memorize it either to take part in Macbeth or to audition for a part in it.  Indeed, many people memorize the lines of the entire part they play in Macbeth in order to be a part of that play.  Given the way human memory works, if you ask any of us to recall a line from the middle of the stanza, we can't, but if you give us the first few words of any part of this stanza, we can begin reciting the entire rest of it.  This is because human memory uses speech and movement patterns, as well as sounds, to memorize.

    Thus if teenagers, who are notoriously forgetful due to their stage of psychosocial development, can memorize 262 words when they put their minds to it, almost any human being can remember a password of any complexity less than this 262-word stanza.  The solution is the same one anyone in a drama club can tell you: repetition.  Keep reading it, listening to it, writing it.

    So claims that passwords are not user friendly are probably true, but the missing element is human motivation.  If you're doing this to prevent a hack, you'll have the motivation to do it.  The problem is more one of human laziness: we cannot be bothered to do something that is good for us.  I say this as a fellow lazy human being: if I can find a reason not to go to the gym to do cardiovascular exercise, I'll find it.  But knowing that about myself is actually the solution: knowing that I must tell myself to do something that's good for me means I will usually do it.

Claims of Too Many Accounts

    Many people I speak with claim the problem is that they have 100+ accounts.  I sometimes find this hard to believe, but I think most of it is actually due to a problem within the tech industry.  You see, many websites that have a product you want ask you to log in because they benefit from your data.  Don't.  If you can check out as a guest using PayPal (not authenticate with PayPal, but check out with PayPal), then do it.

    Or if you just can't do it any other way, create an account but give them the bare minimum information they need in order to grant you an account.  If they ask for your birthday, lie.  Don't give any website your birthday unless you trust them with your economic status.  I have my birthday on very few websites.  Make up a fictional birthday and use that for everything.

    When there's no other way, evaluate the consequences of a compromise.  Would this website leaking your info destroy you financially, or just be a minor nuisance?  Unfortunately, these days everyone's name, address, and phone number are more or less public knowledge due to bad and/or negligent companies.

The Problem With Password Managers

    The problem is that password managers are a single point of failure.  We already endured the LastPass incident, and now even an open source one, KeePass, just got compromised (CVE-2023-32784).  Both compromises led to passwords being compromised.  If you put all your passwords in a password manager, you create a single point of failure.  A hacker who compromises your password manager then has all the keys to your kingdom.

    The only secure storage location is your own brain.  Anything that can be engineered can be reverse engineered.  Anything that can be coded can be decoded.  Everything online eventually becomes public knowledge.  The odds of you being abducted by men in black in a blacked-out van with Uzis are basically 0% in the United States, so memorize your passwords.

Claims of Password Stealing

    True, passwords can be stolen.  If you're wondering, I'm using this article for my headings.  I am not suggesting that memorizing complex passwords (above) can prevent a breach.  However, I think the majority of these thefts, since it has happened to me before after a breach, are actually in part due to the lackluster security of certain websites.

    Major websites like Apple, Google, Microsoft and PayPal are going to protect your password using two-factor authentication (2FA).  Using 2FA is one very good way to prevent a stolen password from causing a problem.

    But the problem with this claim is that everything can be stolen.  Your face can be stolen off social media and used to trick facial recognition.  Security keys like the YubiKey, though I love them, can be stolen.  Your laptop or other devices can be stolen.  The SIM card in your phone can be compromised, leading to your 2FA SMS messages being intercepted.  There is no method that is immune to being stolen, therefore it's not a logical complaint that passwords can be stolen.

Claims of Password Guessing

    The website at iproov.com claims that passwords can be guessed.  Not really: if you use very good passwords, it will take a very long time to guess them.  And again, why would you shop at or use a website that doesn't have automatic account lock-out?  They're just making your password easier to guess.  Any website that doesn't have at least auto lock-out is one you shouldn't shop at.

My System

    In the year 2000, I created my password system.  I had multiple messaging accounts and I had been (once again) reading alt.2600 and DEFCON material.  I read that the best security is at least NIST's 6 digit password of completely random characters and numbers, in order to have enough entropy to avoid a hack.  So I sat down and memorized a bunch of passwords that exceeded this requirement.  Now it's 2023, as of writing this, and I've never been hacked, to my knowledge.

    The good passwords are used only on websites that have 2FA, and usually I use only a YubiKey.  I wrote down just the first digit of each of my passwords in a secure storage medium.  That way I didn't write the whole password down, just the first digit, and the rest of the password still exceeds NIST's entropy requirements.  So when I get to a website that requires a high security password, I just pick one, or two if I have to link them together.  I rotate the passwords.
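    As an added illustration of two points made above, that account lock-out caps how fast anyone can guess against a live login, and that writing down only a password's first character gives away just one character's worth of entropy, here is a small Python example.  It is not the author's code and does not come from any site or standard mentioned on this page; the lock-out thresholds (5 failures, 15 minutes), the offline cracking rate of 1e10 guesses per second, and the sample password are all constructed assumptions for the example.

```python
import math
import string
from dataclasses import dataclass, field

# Character classes used to estimate the alphabet a password was drawn from.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "symbol": string.punctuation,      # 32 characters
}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password actually uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password: str, revealed_prefix: int = 0) -> float:
    """Entropy of a password chosen uniformly at random from its apparent alphabet.

    revealed_prefix is the number of leading characters an attacker already
    knows (the 'first digit written down' case); those contribute no entropy.
    """
    n = alphabet_size(password)
    unknown = max(len(password) - revealed_prefix, 0)
    return unknown * math.log2(n) if n else 0.0


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret: half the keyspace."""
    return (2.0 ** bits / 2.0) / guesses_per_second


@dataclass
class LockoutPolicy:
    """Lock an account after max_failures bad attempts for lockout_seconds.

    The default values are assumptions for this example, not a standard.
    """
    max_failures: int = 5
    lockout_seconds: float = 900.0  # 15 minutes

    def max_online_rate(self) -> float:
        """Upper bound on guesses per second against one account under this policy."""
        return self.max_failures / self.lockout_seconds


@dataclass
class AccountGuard:
    """Minimal per-account lock-out enforcement, as a login server might run it."""
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, user: str, credentials_ok: bool, now: float) -> str:
        """Return 'ok', 'rejected' or 'locked' for one login attempt at time now."""
        if self.locked_until.get(user, 0.0) > now:
            return "locked"               # still inside the lock-out window
        if credentials_ok:
            self.failures[user] = 0       # a successful login resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.max_failures:
            self.locked_until[user] = now + self.policy.lockout_seconds
            self.failures[user] = 0
            return "locked"
        return "rejected"


def compare_guessing(password: str, policy: LockoutPolicy,
                     offline_rate: float = 1e10, revealed_prefix: int = 0) -> dict:
    """Expected guessing time online (behind lock-out) vs offline (leaked hash).

    offline_rate is an assumed cracking speed for a fast, unsalted hash; real
    figures depend on the hash function and the attacker's hardware.
    """
    bits = entropy_bits(password, revealed_prefix)
    return {
        "bits": bits,
        "online_seconds": expected_seconds(bits, policy.max_online_rate()),
        "offline_seconds": expected_seconds(bits, offline_rate),
    }


if __name__ == "__main__":
    pw = "kX9#mQ2vL7!p"  # constructed sample: 12 characters over a 94-character alphabet
    policy = LockoutPolicy()
    print(compare_guessing(pw, policy))
    print(compare_guessing(pw, policy, revealed_prefix=1))
```

    Two things the numbers make visible: behind a lock-out the online guess rate is a fraction of a guess per second, so even a much weaker password is out of reach that way, while a leaked hash removes the lock-out entirely and only the password's own entropy remains.  Revealing the first character removes exactly one factor of the alphabet size (about 6.6 bits for a 94-character alphabet), which is why a long random password survives that disclosure.  One caveat for anyone implementing the server side: a per-account lock-out can be abused to lock legitimate users out, so real deployments usually pair it with per-source throttling rather than relying on it alone.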

    Then for throw-away websites, I first try to check out using PayPal as a guest.  If it doesn't let me, then I use a common throw-away password that is still complex enough to be useful.  All the throw-away accounts use the same one, and if one is compromised, I lose nothing because throw-away accounts get only my name, email, and address for shipping purposes.  I never store credit cards on any website that doesn't have strong 2FA.  Indeed, I mostly use PayPal anyway.

    So I have a two-tiered approach.  If one of my secure passwords gets compromised, which isn't likely, 1) I have another I can quickly substitute and 2) I can quickly change all the others (have fun guessing which ones are used where).