Is the entire password strategy flawed? The short answer – YES!

In *, 2FA, Cloud, Confidentiality, Encryption, OnlyKey, Physical Security, Vulnerabilities by [email protected]

It’s no secret: most of us are really bad at passwords.

  • If you can remember your passwords then you are probably doing it wrong.
  • If you can’t remember your passwords then you are probably trusting a software password manager to do it for you.

As a security professional I often have to make recommendations on password best practices. Here they are:

  • Passwords should be a minimum of 8 characters.
  • No password re-use (unique passwords for every site or application)
  • Change passwords every 90 days (More on this one later)
  • Educate users not to use dictionary based words in passwords
  • Use two-factor authentication (Good luck!)

Password Reality

During security assessments we regularly crack 8-character passwords built from dictionary words. Substituting characters in a dictionary word does not help much either. For example, if instead of Winter16 you use W!nt3r16, your password will probably still be cracked, because cracking tools apply exactly these substitutions (leet-speak, capitalization, appended digits and years) to every word in their lists. Realistically, you should use 10-15 character passwords if you want a password that is hard to crack, or better, a completely random password from a random password generator.
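As an added illustration (not code from the original post or from the OnlyKey project), the following Python mimics the mangling rules crackers apply: it takes a constructed four-word wordlist, applies case, leet-speak substitutions and two-digit suffixes, and recovers the post's example W!nt3r16 from its hash in a few thousand guesses. The substitution table, the wordlist and the use of plain SHA-256 are illustrative assumptions; real rule sets are far larger, which only strengthens the point.

```python
import hashlib
import itertools
import math
import secrets
import string

# Substitution table in the spirit of the "leet" rules shipped with crackers
# such as hashcat and John the Ripper (assumption: a small subset, for illustration).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

# Constructed wordlist: the seasons, the usual base for "Winter16"-style passwords.
SEASONS = ["spring", "summer", "autumn", "winter"]


def sha256_hex(text):
    """Hash a candidate; plain SHA-256 stands in for whatever the target system stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word, max_subs=3):
    """Yield the word with up to max_subs characters replaced per the LEET table."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    seen = set()
    for k in range(min(max_subs, len(positions)) + 1):
        for chosen in itertools.combinations(positions, k):
            options = [LEET[word[i].lower()] for i in chosen]
            for repl in itertools.product(*options):
                chars = list(word)
                for i, r in zip(chosen, repl):
                    chars[i] = r
                cand = "".join(chars)
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def candidates(wordlist):
    """Apply case, leet and two-digit-suffix (optionally plus '!') rules to each entry."""
    for base in wordlist:
        for cased in (base.lower(), base.capitalize(), base.upper()):
            for variant in leet_variants(cased):
                yield variant
                for n in range(100):
                    yield f"{variant}{n:02d}"
                    yield f"{variant}{n:02d}!"


def crack(target_hex, wordlist):
    """Return (password, guesses) when a rule-generated candidate hashes to target_hex."""
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        if sha256_hex(cand) == target_hex:
            return cand, guesses
    return None, guesses


def rule_space_size(wordlist):
    """Total number of candidates the rules above generate for this wordlist."""
    return sum(1 for _ in candidates(wordlist))


def search_space_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def random_password(length=12, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """A password no mangling rule reaches: uniformly random from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed target: the hash of the post's example "W!nt3r16".
    target = sha256_hex("W!nt3r16")
    found, guesses = crack(target, SEASONS)
    print(f"cracked {found!r} after {guesses} of {rule_space_size(SEASONS)} rule-generated guesses")
    print(f"random 12-char password: ~{search_space_bits(12, 94):.0f} bits, e.g. {random_password()}")
```

The contrast is in the last two functions: the entire rule-generated space here is under 20,000 candidates, while a uniformly random 12-character password drawn from the 94 printable ASCII characters has about 79 bits of entropy, so no rule set reaches it. A slow password hash (bcrypt, scrypt, Argon2) raises the cost of each guess but does not change which guesses get tried.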


Password Strategy Fail

Overwhelmed yet?

Well, it looks like NIST is finally catching on to how counterproductive password policies have become: the 2017 revision of its Digital Identity Guidelines (SP 800-63B) dropped the requirement to change passwords periodically (the usual policy was every 90 days). I have held this view for years, since forcing users to change a password right when they have started remembering it pushes them into other bad practices, like writing passwords down on a sticky note.

There is an easy solution, but it begins with understanding that not all accounts are equal. You probably don’t care as much if your Pinterest account is hacked and all of your favorite cat photos are deleted as you would if your bank account is hacked. Maybe you do; deciding what is important is the key to a realistic solution.

Solution to the password problem = Prioritization

Once you have decided on your priorities, enable two-factor authentication for your most important accounts. This is not always easy, since there is no single standard two-factor solution. This is one of the reasons OnlyKey was created: one device that supports the three most widely deployed standard two-factor methods (TOTP, the method used by Google Authenticator; Yubikey OTP; and FIDO U2F). These are the methods supported by the largest number of sites and applications, so if a site supports 2FA at all, chances are OnlyKey is supported.
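To make concrete what the Google Authenticator style method actually stores, here is an added Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238). It is example code, not OnlyKey firmware or any project's code, and it uses the RFCs' reference secret (assumed here only so the output can be checked against the published test vectors). What matters for the post's argument is the first constant: the whole scheme rests on a long-lived shared secret, and whoever can read it can produce valid codes indefinitely, which is why where that secret lives (a phone app, a cloud backup, or a device that cannot be dumped) is the real security boundary.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"); a real
# authenticator secret is random and is the value a QR code enrolment hands you.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Verifier-side check: accept +/- window steps of clock drift, compare in constant time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


def secret_from_base32(encoded):
    """Decode the base32 secret carried in an otpauth:// URI or QR code (padding optional)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 test vectors (SHA-1, 8 digits): 59 -> 94287082, 1111111109 -> 07081804
    print(totp(RFC_SECRET, 59, digits=8))
    print(totp(RFC_SECRET, 1111111109, digits=8))
    # A code minted at one time is accepted 29 seconds later and rejected a minute later.
    code = totp(RFC_SECRET, 1700000000)
    print(verify_totp(RFC_SECRET, code, 1700000029), verify_totp(RFC_SECRET, code, 1700000060))
```

Note that nothing in the code above is secret except the shared key: the algorithm, the time step and the digit count are public. An attacker who copies the key from an unencrypted phone backup or a compromised host has everything the server has, which is the case the post's offline hardware storage is meant to rule out.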

While most users have hundreds or even thousands of accounts in total, only a handful are used most frequently and are of the highest priority. OnlyKey stores 12 accounts offline in a secure hardware device, so these accounts can be given the highest level of protection.

Unlike a software password manager, OnlyKey can protect your accounts even while it is unlocked and plugged into a compromised computer. This is because OnlyKey is secure by design: you can only write information to the device or wipe it; there is no way to dump the stored passwords out (as has happened with software password managers). You have to physically press a button on the OnlyKey for it to log into a website, so malware on the host cannot trigger a login on its own. OnlyKey is also PIN protected, and you enter the PIN directly on the device itself to unlock it, so the PIN never passes through the computer. One caveat worth knowing: a password the device types still travels through the host as keystrokes, so a keylogger on a compromised machine can capture that session's password; it is the second factor (a one-time code or a U2F challenge-response) that keeps a captured login from being reusable.

So are you ready to get serious about protecting your accounts and develop a realistic password strategy?

Step 1. You can pick up an OnlyKey from Amazon or Paypal here.

Step 2. We have designed a template to help you prioritize your accounts and secure them accordingly.

You can print this form out and fill it in, or just use it as a reference. It is there to help you get an idea of what accounts you have: which require the highest level of security in a hardware password manager, which require a medium level of security, and which you may not care about at all.

Password Security Strategy Example

Password Security Strategy Blank (Fill this one in yourself).

Step 3. Once you have your OnlyKey, use the User’s Guide here to set up your high security accounts.

Step 4. There are two options for your medium security accounts, each with trade-offs.

Option 1. Use a software password manager like LastPass or Dashlane. You can even store the master password for your password manager as one of the accounts on your OnlyKey and enable two-factor authentication for it.

  • Pros – You can use unique and strong passwords for every site, and these passwords are stored in the cloud so you can access them anywhere you have internet access.
  • Cons – If a vulnerability in the password manager is exploited (like the one we mentioned), an attacker gains access to every account stored in the password manager in one fell swoop. If this happens you would have been better off with one shared password, because at least the attacker would not then know which accounts you have.

Option 2. Use a strong shared password that you can remember, or store this shared password as one of the accounts on your OnlyKey.

  • Pros – No internet access is needed (it works for local accounts too). Convenience!
  • Cons – If any site where you use the password is breached, attackers will try the leaked credentials against other sites (credential stuffing) and can identify other accounts you have with the same password. If this happens you will have to change this password everywhere it was used.

Step 5. Your low security accounts have the same two options as your medium security accounts. Make sure to use a completely different shared password for your low security accounts; this one can also be stored on your OnlyKey.


The password strategy outlined here works because it fits most people’s existing workflows (some shared passwords) and provides a convenient, realistic approach that most people can live with. The only thing a user needs is an OnlyKey, and the only thing they need to remember is their 7-10 digit PIN. This way it is not so restrictive that people give up on password security altogether. A prioritized, risk-based approach provides an appropriate level of protection to all accounts while maximizing convenience.