Is it safe to share your password security plan with others?


The recent epidemic situation has given me enough time to reconsider my password security seriously. I have devised a detailed plan for how to use elements such as a password manager, 2FA, U2F keys, etc. in conjunction with each other to create the optimal security architecture for my personal use (according to my rather limited knowledge of information security).

Now, the plan grew to such an extent that I decided to write it down as a document, so that I remember how certain parts of it work, why they are designed in a particular way, the weak points and so on. Is it safe to show this plan to, e.g. a friend who is also interested in strengthening their security? What about a hypothetical, extreme version – to share it online?

According to the Kerckhoff’s principle, the security of a system should not depend on its secrecy. That’s what I had in mind when designing my plan. I believe that anyone competent enough to try to break my system would also not be obstructed by the lack of knowledge of the design. Its strength relies on secret keys (and some informed use of MFA), also in agreement with the principle. However, I have seen on this site that sometimes users are scolded if they reveal a lot about how they organise their security in a question.

We can easily find how AES or public-key cryptography work in a few moments. That doesn’t prevent them from being widely used and considered safe. Would the same reasoning apply to my personal scheme?