This post is an attempt to create an easy-to-use security model for the average internet user. Basically, how secure is someone’s current behavior with respect to passwords and authentication, and how can they improve?

People like moving up rankings, so let’s use that!

How to use this model

The idea here is for someone in the security community—or really any security-savvy user—to use this visual to help someone with poor password hygiene.

Here are a couple of ways you can do that.

Any improvement is good. Even one step matters.

Show Them Where They Are — The first way to use this model is to simply ask the user about their current behavior and show them where that ranks within these seven levels. If you show them they’re down at level 1 or 2, the combination of seeing how low they are in the chart and the color might convey some measure of concern.Show Them How to Move — Next, show them the various ways they can improve. As we discussed in this Twitter thread, keep in mind that you get the most benefit by moving from 4 and below to level 5, although they still need to do the previous steps. The next big jump comes when moving from 6 or below to 7.

Where one “should” be in this hierarchy depends on your threat model.

SummaryVisual maturity models can sometimes help people with their desire to improve.The highest security improvement one can get is by moving from any Level 4 and below—to Level 5 (SMS-based 2FA).The second-best security improvement is moving from Level 5 or 6—to Level 7 (Token-based 2FA).Try not to skip steps, i.e., it’s best to make the move to unique, quality passwords stored in a manager before you add 2FA.NotesThanks to Troy Hunt, Anton Chuvakin, and Tim Dierks for spawning the idea for this.Mar 24, 2021 — Thanks to Andrew R. Jamieson for making the suggestion to show what each level is vulnerable to.Mar 24, 2021 — Someone mentioned that there are higher levels of authentication out there, which I agree with, but this is specifically for everyday users.Mar 24, 2021 — We can pronounce the acronym as “Chasm”, as in, “Lets see how deep into the chasm you are…” 🙂Related posts:The Real Internet of Things: Details and Examples APIs are 2FA’s Achilles Heel Machine Learning is the New Statistics