What Passphrase Are You?
I went to prison. I don’t hide this. The shame has passed.
While I was gone, someone stole everything I owned in the physical world and then, for good measure, changed the passwords on most of my digital life. This included my GitHub account, my domain name (moved across three registrars), my Google Workspace account tied to that domain name (as it had been for 13 years), 2FA keys—you know, just about everything. I’ve gotten most of my digital accounts back—I’ve lawyered up for the personal stuff (some of which has been posted on Facebook Marketplace). I had backup codes printed on paper, but predictably that paper is gone, and the passcodes are forgotten.
And so, I am forgotten.
I’ve spent the last several months proving I’m me. Over and over. To strangers.
In the name of security, we have removed ourselves as humans. We have redefined what a person is. A person is no longer a human being with a face, a name, a history, and a stack of corroborating evidence. We are not even DNA (can’t I just send you a sample?).
No, a person is a passphrase.
If you have the string, you’re you. If you don’t, you’re nothing—no matter what else you can produce.
What I could prove
The abstract version of this sounds like whining and the specific version is the actual problem.
For GitHub: I had the original phone number on the account. I could name endless private repos. I could tell you the commit count on one of them—6,992. I could tell you hardcoded strings in that repo. I could identify myself as the defendant in the case which GitHub received subpoenas for from the federal-fucking-government.
None of it was enough. The ticket response was a polite version of “we can’t confirm you are you.” I opened it; it went nowhere.
For my domain, josh.mn—held since 2012—I got it back. Obviously.
For Facebook, Instagram, my Google Workspace, the rest of it—I got those back too. Eventually. By grinding.
Had those accounts not been mine, the same recovery process I muscled through would have handed an attacker the keys to drain bank accounts, harvest identities from email recovery flows, and push a supply-chain attack through two packages that other people’s code depends on. The recovery process is the attack surface. It worked for me. It would have worked for someone pretending to be me.
That’s not a hypothetical. That’s the literal mechanism. The same door that let me back in is the door I’d have to defend against if I were anyone else.
To the passcode it may concern
Apple. Fucking Apple.
My late mother’s photos and documents are in an account I can identify down to the serial numbers on the devices—including the serials the federal government documented for me, because of how I ended up where I ended up. I have the email address associated with the account (okay, easy). I have more than 10 serial numbers associated with devices that have been on the account (less easy). I have a prison ID (ain’t ever seen someone trying to fake this one). I have my ID, my passport. I have a demand letter sent to the person who stole my property, their IP address, the date they changed the password, the date they deleted original passphrases. I have the date they removed my iPhone from my account—you know, all these dates were when I was in prison. (Caveat: not like it couldn’t have been done from prison, but it just makes it a little harder to do.)
I can produce more corroborating evidence than most people could assemble for their own existence.
This shitshow cascades: I entrusted all my belongings—including my physical devices—to someone. She transferred my phone number out to a different carrier, changed my account’s passphrase, stripped my numbers off the account, and added hers. By the time I was out, the account had been quietly rebuilt around her and locked behind a string I never set, to a phone number I never controlled. I didn’t lose the passphrase. It was taken, along with everything else.
So that’s it. The answer is no. Not “let’s verify through another channel.” Not “let’s escalate to a human who can weigh the evidence and make a judgement call.”
Just no.
The passphrase is the person. I am not the passphrase. Therefore I am not the person.
And so the photos of my mother sit behind a string I can’t reproduce, and every other fact about me is deemed irrelevant.
Jesus Christ would be just as screwed, apparently
I lobbed this to multiple people who were assigned to my Apple “account recovery” case. Circa year 0, with iPhones and shit:
Jesus Christ gets mugged on his way to a river walk: his phone and wallet taken. While he’s on the chariot to the hospital, he’s SIM-swapped. He had a 2FA key in his wallet; the backups were written down in ink-ish stuff on a rock at his residence—no, not carved, sorry.
In Apple’s eyes, Jesus is no longer Jesus. Biometric records, a paper trail thousands of people could attest to—none of it counts. “Yeah, you’re Jesus, but you don’t have your passphrase, so you can’t be you.”
Not a person.
We’ve built a system where identity is a single point of failure and there is no human in the loop to catch the catastrophic case. “We have policies in place.” Those policies are made by reasonable humans who expect reasonable things to happen to reasonable people.
“But the alternative is account takeover”
Yeah, no shit. It’s a fair reflexive objection.
Yes—a recovery path that weighs evidence is a recovery path an attacker can try to walk. Social engineering is exactly this! Every “verify your identity” flow that isn’t a cryptographic secret is, in principle, defeatable by someone who collects enough of your facts.
But notice what the companies actually do. Google, Facebook, my domain registrar—the evidence path exists. It’s painful, it’s inconsistent; sometimes it’s staffed by people who’d rather say no than be the one who let an attacker in. But it exists, and it can succeed, which is precisely why it’s also an attack surface.
For GitHub, it’s an affidavit that includes language to the effect of “if this isn’t you, we’re going to tell your probation officer.” (I am not joking.)
Apple’s position is the opposite. There is no path. The passphrase or nothing. They’ve eliminated the social-engineering risk by eliminating the human entirely—and in doing so they’ve also eliminated me.
So the industry doesn’t actually agree that evidence can’t be weighed. Half of it weighs evidence badly and inconsistently. The other half refuses to weigh it at all. Neither of those is a designed answer. They’re just two different ways of not having solved the problem.
The part nobody wants to own
The honest version is this: weighing identity evidence at scale, for free, against motivated attackers, is genuinely hard. It costs money. It requires trained humans making judgment calls and eating the occasional expensive mistake. So the cheap move is to declare the passphrase sacred and the human irrelevant, and call it a security posture.
Liability-as-a-disservice under the guise of security.
Real security would say: a single secret should never be the only thing standing between a verifiable human and their own data. There is human error there.
Real security would build a graduated, evidence-weighing, human-reviewed path for the catastrophic case—device serials, government documentation, corroborating accounts, biometrics, an in-person option—and would price that path honestly instead of pretending it can’t exist.
In a Hacker News thread announcing that FTPgod drewh is stepping down as CEO of Dropbox—a thread about him retiring—I posted a comment begging for help, twelve days after I’d already emailed him (I have read receipts, drewh!). He reached out personally. That worked. I’m grateful.
But “get a billionaire’s attention on a news thread” is not an identity recovery system, just as Hacker News should not be every company’s support channel, though it sure seems that way sometimes.
So, who are you?
It’s no longer “who are you?” Instead, it’s “what’s the string?”
A human is not a passphrase.
The moment we forgot that, we built systems that work perfectly right up until there’s an edge case of an edge case. Nobody ever thought: what if Jesus gets mugged, SIM-swapped, and his house torched?
I got most of my life back by being stubborn and, in one case, lucky. My Apple account is still locked behind a passphrase never set by me.
I’m just a passphrase.