Guide

Vault Doctrine

A short operational doctrine for the human layer: unique passwords, password managers as the default platform, recovery flows treated as part of authentication, and passkeys deployed where compromise hurts most.

Core Rules

Rule 01

Unique secrets beat clever secrets

A mediocre random password that is unique per site is far safer than a clever personal pattern reused everywhere. Uniqueness is the real force multiplier.

Rule 02

The password manager is the operating system

The vault is where account security starts: generation, autofill, breach monitoring, and secure sharing all live there. Human memory should not be the core defense layer.

Rule 03

Recovery paths are part of authentication

Backup email, phone numbers, helpdesk flows, and recovery codes need the same scrutiny as the primary password. Attackers often choose the easier side door.

Rule 04

Passkeys belong on your highest-value accounts first

Primary email, cloud admin, finance, source control, and identity providers should be first in line. Those accounts determine what else can be reset or impersonated.

Operating Principle

Identity security is a system, not a field on a login form

Passwords, MFA, backup codes, device trust, and helpdesk resets should be treated as one control surface. Attackers do not care which piece fails first.

Team Practice

Shared secrets belong in managed vaults

If a team credential is copied into chat, plain-text documents, or screenshots, it is already drifting out of control. Vault-based sharing gives you revocation and an audit trail.