The Password Manifesto

A Password Bill of Rights for Humankind

Published on June 25, 2025

🔐 The Password Manifesto

We, the users, are done with the illusion of security and the burden of poor UX disguised as best practice. We demand a smarter, safer, and saner way forward. To all Password Keepers — whether corporations, dev teams, or lone sysadmins guarding the gate — these are our non-negotiables.

To wit, we demand that you:

  1. Require Passkeys or Multi-Factor Authentication. This should not be optional.

    • Level 2. Support a standard TOTP authenticator (RFC 6238), such as Google Authenticator, so we can keep dozens of sites together in one app instead of installing a proprietary app per site.
  2. Send Clear Tokens. 43A26B is good. 0O1L1l5S is utter garbage: it stacks zero against capital O, one against capital I and lowercase L, and five against S, so we cannot tell what to type.

    • Level 2. If you must put similar-looking characters side by side, use a font in which 0 and O, 1, l and I, and 5 and S are clearly distinct. Better still, generate codes from an alphabet that leaves those characters out.
  3. Automatically Focus on Inputs. When you send an MFA token, put the cursor in the field for it. When we look at our authenticator and start typing, that field should already be accepting keystrokes. MFA tokens expire, so time is of the essence.

    • Level 2. When the last digit is typed, verify automatically. Don't make us find a submit button or hit Enter.
  4. Stop Duplicate Verification. When we create a password, do not make us type it a second time to confirm it. If we entered it wrong, it should be easy to reset via email and MFA.

    • Level 2. Give us a button to just show the password as we enter it. Most of us don't have spies looking over our shoulder as we reset our Instagram password. If we do, we won't click the button.
  5. Automatically Log Us In. When we reset a password via an email link, don't make us log in again after resetting. We just passed your tests and reset the password, so create a new login session and send us on our way. Doing this safely is not hard: the reset token must be single-use and short-lived, and a successful reset should invalidate every other session on the account.

    • Level 2. If you think a CAPTCHA stops bots, you are living in 1998. Stop making us guess a cryptic set of characters, or listen to some weird Blair Witch sounding audio clip to continue. Build better heuristics or don't bother.
  6. Stop Using Usernames. Use email for logins, always. Full stop. No phone numbers. No usernames. If you want cutesy usernames, that is a profile preference. Users do not want to try to remember a username they created 12 years ago.

    • Level 2. Allow a user to provide as many backup emails as they want in case they need to reset. Not phone numbers. Phone numbers are leased. Email addresses are owned.
  7. Stop Hostile Validation. We are done with "9 characters, alphanumeric, with one capital, one lowercase, and a special character" rules. Composition rules make a password hard for a person to remember and, because people satisfy them predictably (capital first, digit and symbol last), do little to slow down a computer guessing it. A passphrase like "Arizona sunsets are my favorite" contains more bits of entropy than "ap4%53x?g", is harder for a machine to guess, and is easier for a human to remember. NIST SP 800-63B says the same: no composition rules; screen new passwords against lists of known-breached ones instead.

  8. Stop Pre-Validating. We don't want a red error message yelling that our password doesn't meet the criteria before we have even finished typing it, or because we momentarily moved focus to another field.

    • Level 2. If your application, for some reason, needs to have really special password criteria, give the user an option to generate one that fits into your password scheme. They're just going to save it to their password manager anyway.
  9. Increase Password Length. If I want to enter the opening paragraph of "The Great Gatsby" as my password, let me. That is a stronger, harder-to-guess password than BruhRoxx69!.

    • Level 2. It doesn't have to be NVARCHAR(MAX), but do allow long entries: a cap in the low hundreds of characters bounds hashing cost while leaving room for a sentence. Check that cap against your hash function, too; bcrypt silently ignores everything past 72 bytes, so a higher limit with bcrypt underneath only pretends to accept long passwords.
  10. End Security Questions. These are relics. Hackers can almost always find any of this information, and it just increases user anxiety. Nobody remembers if they wrote "Bearcats," "bearcats," or "The Bearcats" for their high school mascot in 2009. These are hacker fodder and user nightmares.

    • Level 2. If you are using security questions like "what is the last 4 of your social security number" or "what is your date of birth" you have already lost. All of these are easily found by a hacker. Get rid of them entirely.
  11. Don't Pretend to Remember Me. You don't plan to remember me. Get rid of that checkbox. It barely works anywhere, it wastes space, and we all know you won't remember us.
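As an added example (not code from the manifesto's author), here is how items 2 and 5 look in practice: a small service that issues one-time codes from an alphabet with the look-alike characters removed, keeps only a keyed hash of each code, enforces a time limit, a single use and a small attempt budget, and on success hands back a fresh session token so the user is logged in straight away. A reset link is the same flow with a longer token nobody has to type. The alphabet, TTL, attempt limit and pepper are assumptions for the example; the in-memory dict stands in for a database.

```python
import hmac
import math
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Alphabet with the look-alike pairs removed: 0/O, 1/I/l, 5/S and, as an extra
# precaution chosen for this example, 2/Z and 8/B. 25 symbols remain.
CLEAR_ALPHABET = "ACDEFGHJKMNPQRTUVWXY34679"
CODE_LENGTH = 6
CODE_TTL_SECONDS = 300      # example value: five minutes
MAX_ATTEMPTS = 5            # short codes need an attempt budget, not just a TTL


def generate_code(length: int = CODE_LENGTH, alphabet: str = CLEAR_ALPHABET) -> str:
    """Draw each symbol uniformly from the unambiguous alphabet using a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def code_entropy_bits(length: int = CODE_LENGTH, alphabet: str = CLEAR_ALPHABET) -> float:
    """Guessing space of a code: 6 symbols from 25 is about 27.9 bits, which is
    only acceptable because verify() caps the number of guesses."""
    return length * math.log2(len(alphabet))


def normalize(typed: str) -> str:
    """Be forgiving about how a human types the code: case and separators."""
    return "".join(ch for ch in typed.upper() if ch not in " -")


@dataclass
class Challenge:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    consumed: bool = False


class CodeService:
    """Issues and verifies one-time codes. Only an HMAC of each code is stored,
    so a leaked challenge table does not reveal codes that are still live."""

    def __init__(self, pepper: bytes, clock: Callable[[], float] = time.monotonic):
        self._pepper = pepper            # server-side secret, never in the database
        self._clock = clock              # injectable so expiry can be tested
        self._challenges: Dict[str, Challenge] = {}
        self.sessions: Set[str] = set()  # active session tokens (stand-in for a DB)

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), "sha256").digest()

    def issue(self, ttl: float = CODE_TTL_SECONDS) -> Tuple[str, str]:
        """Create a challenge. Returns (challenge_id, code): the code goes to the
        user by email or authenticator, the id rides along with the form."""
        code = generate_code()
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(self._digest(code), self._clock() + ttl)
        return challenge_id, code

    def verify(self, challenge_id: str, typed: str) -> Optional[str]:
        """Check a typed code. On success the challenge is consumed and a new
        session token is returned, i.e. the user is logged in directly.
        Every failure returns None; the caller should not say which one."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.consumed or ch.attempts_left <= 0:
            return None
        if self._clock() > ch.expires_at:
            return None
        ch.attempts_left -= 1                 # count the attempt before comparing
        if not hmac.compare_digest(self._digest(normalize(typed)), ch.code_hash):
            return None
        ch.consumed = True                    # single use, even if the TTL is still open
        session = secrets.token_urlsafe(32)
        self.sessions.add(session)
        return session
```

The attempt budget is what makes a six-symbol code defensible: with about 28 bits of entropy and five guesses, an attacker's chance per challenge is roughly one in fifty million, and the TTL stops the challenge from being farmed later.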

🛡️ Responsibility of Password Keepers

Security theater isn't enough. Real security requires real responsibility.

  1. Secure Your Infrastructure. The most severe leaks come from avoidable internal compromises, publicly exposed cloud storage, and unpatched servers, not from Chad's weak password or Becky's Post-It note on her monitor. Secure your endpoints, segment your networks, and monitor everything.

  2. Hash and Salt Passwords. If you're storing plaintext passwords, you don't belong in this industry. Use a password hashing function built to be slow and memory-hard (Argon2id, or bcrypt or scrypt) with a unique random salt per password; these functions generate and store the salt for you. Plain SHA-256 or SHA-512, salted or not, is a fast general-purpose hash that lets an attacker with a GPU test billions of guesses per second against a leaked table. No exceptions.

  3. Encrypt User Data. Personal data must be encrypted at rest and in transit: TLS 1.3 (or 1.2 with modern cipher suites) on the wire, and an authenticated mode such as AES-GCM at rest, with the keys kept out of the database they protect. If you're storing personally identifiable information in plaintext, you're the problem.

  4. Provide MFA. There's no excuse. It's the best widely available security we have. Implement it. Turn it on.

  5. Know Your Staff. In banking there is a concept called "KYC", for "Know Your Customer", used to identify fraud or money laundering. You, as a password keeper, have a responsibility to know who is coding your applications and infrastructure. We are not here to blame outsourcing or contractors, but if you are storing sensitive information, you had better know the people writing the code.
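As an added example (again not the author's code), items 7 to 9 of the bill of rights and Keeper responsibility 2 together in working form: a policy check that screens only on length and on a breached-password list, and a store that hashes with a per-password random salt using a deliberately slow function. PBKDF2-HMAC-SHA256 is used here because Python ships it in hashlib; with a dependency allowed, Argon2id is the better choice. The record carries its own parameters, as Argon2 and bcrypt encodings do, so the cost can be raised later and old records rehashed on the next login. The iteration count, length bounds and the four-entry breach list are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000     # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; assumption for this example
SALT_BYTES = 16
MIN_LENGTH = 8           # example bounds: long passphrases welcome, hashing cost bounded
MAX_LENGTH = 256

# Constructed stand-in for a breached-password corpus; a real deployment checks
# against millions of entries, ideally with a k-anonymity range query.
BREACHED = {"password", "123456", "qwerty", "bruhroxx69!"}


def _canonical(password: str) -> bytes:
    # NFKC so the same passphrase typed on different keyboards hashes the same way.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def check_policy(password: str) -> Optional[str]:
    """NIST SP 800-63B style: length and breach screening, no composition rules.
    Returns a user-facing reason, or None if the password is acceptable."""
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < MIN_LENGTH:
        return f"Use at least {MIN_LENGTH} characters; a short sentence works well."
    if len(pw) > MAX_LENGTH:
        return f"Use at most {MAX_LENGTH} characters."
    if pw.lower() in BREACHED:
        return "That password appears in a known breach; please choose another."
    return None


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt. The record embeds algorithm, cost and salt,
    so verification never depends on a global setting that might change."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _canonical(password), salt, iterations, dklen=32)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time.
    Any malformed record is simply a failed login."""
    try:
        alg, iters, salt_hex, digest_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if alg != ALGORITHM:
        return False
    calc = hashlib.pbkdf2_hmac("sha256", _canonical(password), salt, iterations, dklen=32)
    return hmac.compare_digest(calc, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with a weaker cost than current policy;
    call hash_password() again right after a successful login to upgrade it."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS
```

Two things the shape of this code enforces: the salt is never chosen by the caller, so no two users can end up with the same record even with the same passphrase; and the only rule a user ever sees is "longer" or "that one has been breached", which is the validation the manifesto asks for.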

🏛️ Responsibility of Legislators

We're done accepting "free credit monitoring" or "we made them pay a fine" as justice for when our information gets stolen and sold. This disrupts lives, bankrupts people, and causes severe emotional distress for many.

  1. Hold Executives Accountable High pay = high responsibility. If negligence, ignorance, or apathy results in a breach, execs should face strong civil penalties and criminal charges. Their names should carry that scarlet letter of failure on their financial record for 7 years.

  2. Hold Companies Accountable Suspend business operations until verified secure. Fines are a rounding error. Only halting revenue gets their attention.

  3. Create a Watchdog Agency Establish a technical federal authority to audit, intervene, and, when needed, shut it all down. This agency should also help organizations comply & remediate, not just punish them after the fact.

⚙️ Responsibility of Technologists

I propose that we move toward a Decentralized Password Authority Network (DPAN).

Instead of relying on a single provider (Google, Meta, X) to authenticate someone, we use multiple semi-trusted or independently operated authorities to validate credentials, passkeys, and even cryptographic assertions. These independent trust authorities are called "Password Trust Authorities", or PTAs. They can run on any OS and any device, and multiple PTAs take part in authenticating a single request. There is even a reward system for running one.

Think of it like this:

When you log in to something, it's not just one party that says "yes, you are Dave," but a quorum of known, independently verifiable peers that are not backed by corporate interests. They do not know your password and they do not hold it; they only provide proof-of-work to verify you are who you say you are.

This is a work in progress, which I will discuss further in a follow-up article that will fully address:

  • How applications integrate with the DPAN
  • How PTAs earn (and lose) trust
  • How those hosting PTAs are rewarded
  • How password hashes are verified
  • How users interact
  • How password transaction ledgers are verified (Ethereum)
  • How compromised or untrustworthy PTAs are removed from the DPAN