Use your phone as a thin client. For instance, don't install email software but instead use a webmail interface via a secure browser. That way when they unlock the phone they don't get your email. The airport cop might see a bookmark to an email service but will still have to ask you for login details, giving you control over which account they see.



This is a hard balance, though. Using unique, randomly generated passwords for the 30 or so sites I routinely use is safer against breaches, but starts to almost require a password manager, which presumably can be broken if someone is already exfiltrating secrets from your phone.

In my opinion, the only route to actually make this work and still be good against breaches is to memorize a function that generates a unique password given the website name. If you type it enough you’ll eventually memorize it, otherwise you can just use that function to figure it out more slowly.

Not to mention that if you have access to my texts a lot of sites will just let you reset my password.


> In my opinion, the only route to actually make this work and still be good against breaches is to memorize a function that generates a unique password given the website name

That's a bad idea. If one guesses your function, all your passwords are gone and it's not very hard.


> That's a bad idea

That's a compromise. The best idea is to memorize a totally unique machine-generated password for each separate site and service. But there can't be more than a handful of people in the world with the skill and drive to do that correctly. There needs to be some degree of tradeoff with accessibility, or you're just designing security for spherical cows in a vacuum.

I think a security savvy person using the function approach correctly is in much better shape than most people, and indeed most security professionals.


But is this about website account breaches or the FBI unlocking phones? There is no omni-answer to privacy. My recommendation was only to address the threat of law enforcement unlocking devices, not securing one's accounts on dozens of random websites.


There’s a key word that, I think, further validates what you said above and that I missed considering in my post. “Random” assumes one has equal security for everything, when there are things like email or cloud storage in general that should be protected above and beyond.


So you would memorize a master password and then hash it + the website's name?

Just sounds like a normal password with the same amount of steps.


If the password is ever exposed via a breach, generally smart people can pick up on that pattern and then all of your passwords are cracked.

There are ways you could alter the pattern, maybe a separate short salt for each site in addition to the domain, so all you need to remember is the salt, like "dog" for pets dot com, that could make it a bit more secure. Or vary how you combine the master PW and the domain (i.e. count the number of letters in the domain and insert the domain starting with that number, or each letter of the domain that many characters apart embedded into the master PW.)

Or...just use random passwords, a password manager, and make sure you both trust the provider of the password manager (or use one you control) and use a super high security password as your master password in addition to other forms of authentication. And never let it allow you to stay logged in to your password manager.


I personally use a password manager except in a few physical cases where I use the function approach or have just directly memorized the PIN (iPhone, YubiKey pre-fingerprint).

The function approach is a normal password, just that it scales O(1) with your memory for O(N) passwords. The expectation is that if you have a complex enough function it will be non-trivial to back-fit it, this doesn’t necessarily hold for any arbitrary function, of course.
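The "hash a master secret together with the site name" scheme discussed in the comments above, including the per-site salt variant ("dog" for pets dot com), as an added example that is not code from any commenter. It uses PBKDF2 with a high iteration count so that one derived password exposed in a site breach is expensive to work back to the master secret; the function names, character set and sample inputs are my own choices.

```python
import hashlib
import string

# Fixed output alphabet so the derivation is reproducible across machines.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def _to_password(key: bytes, length: int) -> str:
    """Map a derived key onto ALPHABET using rejection sampling (no modulo bias)."""
    limit = 256 - (256 % len(ALPHABET))  # bytes >= limit are discarded
    out = []
    counter = 0
    while len(out) < length:
        # Expand the key with SHAKE256 so we never run out of bytes.
        stream = hashlib.shake_256(key + counter.to_bytes(4, "big")).digest(64)
        for b in stream:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def derive_site_password(master: str, site: str, site_salt: str = "",
                         length: int = 20, iterations: int = 600_000) -> str:
    """Deterministically derive a per-site password from a memorized master secret.

    The site name and an optional short per-site salt form the KDF salt, so the
    same master yields an unrelated password for every site.  A slow KDF is the
    part the 'just concatenate and hash' version of this idea usually lacks:
    it is what makes guessing the master from a leaked site password costly.
    """
    salt = f"{site.strip().lower()}|{site_salt}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    return _to_password(key, length)


if __name__ == "__main__":
    # Constructed sample inputs; not real credentials.
    master = "correct horse battery staple"
    for site, extra in (("pets.com", ""), ("pets.com", "dog"), ("mail.example", "")):
        print(f"{site:14} salt={extra!r:6} -> {derive_site_password(master, site, extra)}")
```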


Memory is trainable, 30 passwords is nothing. Before mobile phones, most people probably knew by heart about 30 phone numbers.

But I'll admit it's not practical.

You could also just remember one password and have an online password manager (I don't know if it exists though).



