Because password disclosure is in the headlines yet again, I’m going to put my password scheme out there to get some feedback.
It’s been argued “It’s not as if the passcode itself does anything for the government.” — but what if that wasn’t so?
My proposal is as follows:
Concerned U.S. citizens should use strong randomly generated passwords, known only to their password manager software, and not themselves. To protect the password manager, use a passphrase - a sentence - that is, itself, an admission of a “major” crime. I call this the “confessional passphrase”.
Sounds silly? Not so fast.
Even if you are one of the exceedingly rare individuals who do not regularly commit felonies, there are thousands upon thousands of victimless potential felonies you can choose to commit for the purposes of generating your passphrase, and a usual statute of limitations of 3 years for cycling the passphrase.
[Edit: Depending on the confessional content of the passphrase, the statute of limitations may be 7 years, or even your lifetime.]
My passphrase? “On June 7 2019 I …”
There may be concerns with using password manager software, keeping all your eggs in one basket, so to speak, but it isn’t practical or safe to be required to commit a felony per password needed, and many sites will not allow a long “confessional passphrase”. There is also the risk of individual passwords being compromised in data breaches, so I think it’s best that your “confessional passphrase” be kept solely between you and your password manager software.
I’d love to hear some feedback on how this might be expected to hold up.