Passwords as Infohazards, an Analogy
To help you think about information hazards in biosecurity
Information hazards (infohazards) are frequently discussed in biosecurity, and can be defined as risks arising from the dissemination of (true) information that may cause harm or enable harm to be caused, or the generation of such information that may therefore be disseminated. It’s a concept that I believe can be very intuitive, but perhaps more so when you go away from academic descriptions a little.
In brief: Not all true information should be shared, and some of it can cause harm if it is. But you know this already. To illustrate using an analogy, your password is true information, and can be used to unlock your account (perhaps even more accounts than one might like if you use the same password for multiple things…). So, who should know your password?
Sharing knowledge: Should other people know your password?
Sometimes, sharing your password makes sense. You don’t need to pay for as many Netflix subscriptions, or multiple people can respond to emails to the hello@ email account for your project.
But sometimes people really shouldn’t know your password. This is true even with additional security features. I’m not sharing my banking password with anyone, even if I’ve got two-factor authentication on the thing! In terms of risks vs payoffs, it’s not worth it.
Part of it is trust - how much do you trust the person you are sharing your password with? Part of it is consequences. Sharing your Netflix password might mean that you are mildly embarrassed by people judging your viewing history[1]. Sharing your banking password might mean that you very quickly no longer have money in that account.
So maybe you shouldn’t let other people know your passwords in that case.
Generating knowledge: Should you know your password? (sort of)
Quick, think of a password that you haven’t used for anything. What makes a strong password anyway? Not one that I can easily remember, that’s for sure - at least 8-12 characters including a combination of upper- and lowercase letters, numbers and symbols[2]. Using patterns or slight variations for passwords across different websites makes it easier to remember, but… well… it is not the most secure. So, ideally, it needs to be unique, rather than just changing out parts of it. People have clocked on that this isn’t very easy and now often recommend using a memorable phrase[3], e.g. three random words strung together. Great, perhaps I can do the latter. But now spread that over the 100+ accounts one can easily end up with[4]. And what was that password that I told you to remember again?
But let’s say you have remembered that password, and you somehow manage to remember 100+ unique strong passwords across all of your multiple accounts. Social engineering involves tricking people into sharing private information such as passwords, or otherwise compromising their security. It makes up around 70% - 90% of cyberattacks by one estimate, whereas another estimate says that around 91% of cyberattacks start with a phishing email. Without looking into either of these numbers further, I can be fairly confident that the numbers are pretty large. What happens if you then confidently (or absentmindedly) enter your maybe-secure password into an insecure link? Oops, you have shared your password, see the section above.
It’s perhaps easier (and safer) to just not know this information yourself and get a password manager to do it for you. A password manager may effectively flag that you are on a dodgy lookalike site when the saved password doesn’t come up automatically[5], and even if it doesn’t, it increases the number of clicks you need to go through before getting the password you want to enter into the fake login field, giving your brain time to turn back on.
So maybe you shouldn’t even know your own passwords in that case.
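To make the two points above concrete (generating unique passwords you never need to see, and a manager that only offers a saved password when the site matches), here is a small added example of a toy password manager. It is illustrative code written for this post, not any real password manager’s code. The word list, the `.example` / `.test` site names and the `Vault` class are all constructed for the demonstration; a real manager uses a word list of thousands of entries and has more nuanced matching rules (for example treating subdomains of one registrable domain as the same site), whereas this toy matches the exact `https://host` origin only.

```python
import secrets
import string
from urllib.parse import urlsplit

# Constructed word list standing in for a real one (assumption: a real
# passphrase tool draws from thousands of words, not a dozen).
WORDS = ["anchor", "basket", "cobalt", "dagger", "ember", "falcon",
         "garnet", "harbor", "island", "juniper", "kettle", "lantern"]
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
MIN_LENGTH = 12  # the post quotes "at least 8-12 characters"; the upper figure is used here


def meets_policy(password: str) -> bool:
    """Check the rules quoted in the post: length plus upper, lower, digit and symbol."""
    return (len(password) >= MIN_LENGTH
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 16) -> str:
    """Draw a random password from the OS CSPRNG until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def generate_passphrase(n_words: int = 3) -> str:
    """The 'three random words' alternative, chosen by the CSPRNG rather than by a human."""
    return "-".join(secrets.choice(WORDS) for _ in range(n_words))


def canonical_origin(url: str) -> str:
    """Reduce a URL to scheme://host so a credential is bound to the site that issued it.

    urlsplit() already lowercases the hostname; plain http is refused because
    a password typed into an unencrypted page is shared with the network too.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing to bind a credential to {url!r}")
    return f"{parts.scheme}://{parts.hostname}"


class Vault:
    """Toy manager: one unique secret per origin, returned only on an exact origin match."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, str]] = {}

    def enrol(self, url: str, username: str) -> str:
        origin = canonical_origin(url)
        if origin in self._entries:
            raise KeyError(f"{origin} already has a credential")
        # The user never sees or types the password; it exists only inside the vault.
        self._entries[origin] = (username, generate_password())
        return origin

    def autofill(self, url: str):
        """Return (username, password) only when the page origin matches exactly, else None."""
        try:
            origin = canonical_origin(url)
        except ValueError:
            return None
        return self._entries.get(origin)

    def all_unique(self) -> bool:
        """True when no password in the vault is reused across origins."""
        passwords = [pw for _, pw in self._entries.values()]
        return len(passwords) == len(set(passwords))


def demo() -> dict:
    """Constructed scenario: two genuine sites plus one lookalike login page."""
    vault = Vault()
    vault.enrol("https://bank.example/login", "alice")
    vault.enrol("https://video.example/signin", "alice")
    return {
        "real_site": vault.autofill("https://bank.example/login?next=/accounts") is not None,
        "lookalike": vault.autofill("https://bank-example.test/login") is None,
        "plain_http": vault.autofill("http://bank.example/login") is None,
        "unique": vault.all_unique(),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints four `True` values: the saved credential is offered on the genuine site, nothing is offered on the lookalike host or on a plain-http copy of the real host, and the two sites hold different passwords. The silence on the lookalike page is the "flag" the post describes: the manager has nothing to fill because the origin it bound the secret to is not the one in the address bar.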
Where an analogy falls down
Scale of the potential consequences and ability to change shared passwords aside, parts of this analogy may be a bit of a stretch - ‘generating’ knowledge more so than ‘sharing’ knowledge, in part as the passwords still exist in the password manager even if you have no clue what they actually are.
A big risk of generating new information may also be how it combines with other information that is already available, to cause harm that could not be caused before. Although perhaps the analogy could be extended to someone somehow having just your password, then not being able to log in until they also find your username, I can’t see this actually happening in cybersecurity all that much.
And what about the information that is safe to be open access? I suppose that could fit onto anything that you post publicly about yourself online, without a password there at all. Or institutional requirements or review processes? I don’t know, maybe organisational password policies or admin access that can reset your passwords. This part of the analogy is clearly being retrofitted.
At any rate, I hope this has got you to think a bit about infohazards… and getting a password manager if you don’t already have one.
To learn more about infohazards in biosecurity, I would recommend any of the sources linked in the first paragraph, and this paper in particular to get a good overview.
The cover image of this post has been created using AI on Canva.
[1] I’d use PayPal rather than saving card details though so there’s another login before wider spending, just in case.
[2] Source: most websites when creating accounts, excluding those that don’t let you use symbols in the password for some reason.
[3] Including Microsoft, whose advice simultaneously includes “Not a word that can be found in a dictionary or the name of a person, character, product, or organization.” AND “Easy for you to remember but difficult for others to guess. Consider using a memorable phrase like "6MonkeysRLooking^"” as well as the above character, case, number and symbol recommendations.
[4] Conservative estimate - I counted 20 on my password manager and I’m still in the ‘A’s.
[5] Not cybersecurity advice.