Let’s start by assuming a fictional character Carl who has a bunch of unimportant accounts, perhaps an email full of spam and an online store visited once few years ago. Carl uses the same credentials for each account, and the password is easy to remember – it’s his birthday.

Today Carl needs to sign up on a really important website. From muscle memory, the first intention is to reuse the good old login/password. But what if it’s not so secret anymore? Have I Been Pwned confirms his suspicion. Carl starts to consider his options:

  • Make up a new password for each important account and remember it!
  • Nope, I don’t want to remember passwords which must contain a capital number, two hieroglyphs, an unprintable symbol, and the hyperspace.
  • I can write down them on the piece of paper. With multiple carbon copies to store in different places in case I lose some and then will have to change all the passwords just in case.
  • Probably it’s better to keep them encrypted and digital. Easy backups, fast copy-paste.
  • I can use KeePass and have a nice big encrypted database, readable even on an ancient mobile phone with J2ME, Carl!
    Still, it looks to me as an unnecessary risk to decrypt it all just to access a single secret. Computer, what do you think?
  • Computer says: GnuPG + gopass
  • Cool. Secrets are separated into many small files for independent decryption. And if it’s too command-liny, I can use the front-ends Iike QtPass and Android Password Store
  • At last! All seems in order.
    But wait, what the 2FA is this thing?
  • Oh noes, another password! It’s generated by a website and shown to me only once to QR-scan or copy-paste into a special program. This master secret gets transformed into a continuous stream of 6-digit single-use passwords. New password each minute — impossibru to steal or brute-force!
    Still, it’s as secure as a storage of the master secret.
  • Enters U2F. Master secret is generated by a special hardware device and stored only in it. Login can be as simple as a hardware button press! I can check DongleAuth to see sites which have U2F support.
  • Such device may have multiple functions, including GnuPG encryption.
  • Unfortunately, the device can be broken or lost, as it’s not embedded into my body yet. This means some backup authentication method or a paper backup of the master secret is still needed.

That was a lot of considering and Carl decides to switch his attention to some other things.

P.S. Sometimes passwords are just not needed!