Orin Kerr writes:
I am pleased to say that the Texas Law Review has published the final version of my article on how the Fifth Amendment applies to compelling a person to enter a password: Compelled Decryption and the Privilege Against Self-Incrimination. This article has roots in some blog posts that I wrote here at the Volokh Conspiracy a few years ago. Given the recurring and difficult nature of the question, I decided to expand considerably on the posts by writing the full article. It’s still relatively short by law review article standards, though, at a relatively svelte 33 pages.
Here’s the abstract:
This Essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: an assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock.
Read more of his post on Reason.com.
Which is why you shouldn’t actually know all your passwords. Half should be in your brain and the other half stored somewhere else.
{brain part}+{non-brain part}
You wouldn’t know the actual password, but you would know how to construct it, if the other half were available.
This technique is only needed for very few passwords, since the other 100+ passwords that we need to know would be held inside a strong password manager and use 2FA with some hardware.
* Home Desktop login
* Work Desktop login
* Home disk unlock/decryption access
* Smartphone unlock/access
* Password manager access
So, a paper with 150 random sets of non-trivial length data on them, but not marked in any way combined with what you know in your head. Perhaps you’ve made a few patterns that are used to select which of those are used for different device logins.
NEVER put the entire password anywhere.
NEVER memorize the 2nd half of the password either.
Keeping it in your wallet next to the credit cards is probably sufficient security for most people.
For online accounts, enable 2FA using a $10-$20 hardware device that supports U2F or U2Fv2.
If you have your google login memorized, then it isn’t secure enough. That should be clear.
Credentials stored inside a password manager should be as long and complex as allowed by the website login. 50+ characters works almost everywhere. It isn’t like you’ll ever type it anyways.
For sites that don’t allow at least 20 characters (cough – banks!), then also randomize your login and make that as long as possible. I couldn’t tell you my brokerage account(s) login name, for example. I don’t know either half to username or the password.
None of this is much of a hardship and the added security is substantial.
IMHO.