A ratchet is a wonderful device and a powerful metaphor. For the device, from Wikipedia:

A ratchet (occasionally spelled rachet) is a mechanical device that allows continuous linear or rotary motion in only one direction while preventing motion in the opposite direction. Ratchets are widely used in machinery and tools. The word ratchet is also used informally to refer to a ratcheting socket wrench.

The Wikipedia page has illustrations and even an animation (used below). The operating principle is simple enough.

animated image of a simple ratchet

The metaphor is similar: circumstances are set up so that if you do a thing, your situation changes, and it’s hard to go back. As an example, if you buy a machine that lets you produce more widgets per month, you can use the profit from selling those widgets to buy a second machine, and then a third, and so on. As long as you can sell all the widgets you produce, buying machines is a way to turn your wealth ratchet. Seth Godin, the author, podcaster, entrepreneur, and marketing thinker, tends to use the ratchet metaphor often.

I’ve become fond of using the metaphor for computer security. If you make a computer or system more secure, that’s an improvement, even if the system is still not perfectly secure. Once you’ve made a small improvement, you can build on that to make the next improvement. Turn by turn, the ratchet tightens your security more.

I think of the security ratchet every time I talk to one of the security-minded geeks for whom security must be absolute lest it be pointless. You may have encountered such: there’s no point in using PGP unless you keep your private key on a hardware token, inside a vault, buried under a mountain, guarded by former US Navy SEALs turned mercenaries.

Whereas I think using PGP at all is an improvement over not using it, even if you use a weak key without a passphrase. Once you’ve got that far, you can, if you want or need to, easily turn the ratchet a few times: add a passphrase, switch to a stronger key, use a hardware security module to store it, use a new subkey for every encrypted file, and so on.

PGP is an example here. If you don’t like PGP, consider SSH instead. Using SSH at all is better than using rsh or telnet, even if you still use passwords to authenticate. Turning the ratchet improves things: use keys, use stronger keys, use keys that require a hardware security token, use SSH CA user certificates. And so on.
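As an added illustration of the SSH ratchet (this is example code written for this post's argument, not something from the original post or from OpenSSH), here is a small POSIX shell audit that reads an sshd_config and reports how many notches are set, in the order listed above: passwords off and keys on; only ed25519-family keys accepted; only hardware-backed (sk-) keys accepted; and a user CA trusted. It assumes OpenSSH 8.5+ directive names (PubkeyAcceptedAlgorithms rather than the older PubkeyAcceptedKeyTypes), one directive per line and no Match blocks, and the sample configs at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: score an sshd_config against the "SSH ratchet" notches.
# Assumptions: OpenSSH 8.5+ directive names, one directive per line, no Match
# blocks. The config is read from stdin; the notch count (0..4) is printed.

# Print the lowercased value of the first occurrence of directive $1, or nothing
# if the directive is absent. Comments are stripped first.
directive_value() {
    sed -e 's/#.*//' | tr 'A-Z' 'a-z' \
      | awk -v key="$1" '$1 == key { print $2; exit }'
}

# ssh_ratchet_level < sshd_config  -> prints the number of consecutive notches set.
# Notches are cumulative: a later notch only counts if the earlier ones hold.
ssh_ratchet_level() {
    cfg=$(cat)
    level=0

    # Notch 1: keys instead of passwords. PubkeyAuthentication defaults to yes.
    pw=$(printf '%s\n' "$cfg" | directive_value passwordauthentication)
    pk=$(printf '%s\n' "$cfg" | directive_value pubkeyauthentication)
    [ "$pw" = no ] && [ "${pk:-yes}" = yes ] || { echo "$level"; return 0; }
    level=1

    # Notch 2: stronger keys. Here that means the accepted algorithm list is set
    # and contains no RSA, DSA or ECDSA entries (an ed25519-only policy, which is
    # this example's choice of "stronger").
    algs=$(printf '%s\n' "$cfg" | directive_value pubkeyacceptedalgorithms)
    case "$algs" in
        "") echo "$level"; return 0 ;;
        *rsa*|*dss*|*ecdsa*) echo "$level"; return 0 ;;
    esac
    level=2

    # Notch 3: hardware-backed keys. Every accepted algorithm must be an sk-
    # (FIDO authenticator) type, so a plain file-based key is refused.
    printf '%s\n' "$algs" | tr ',' '\n' | grep -vq '^sk-' && { echo "$level"; return 0; }
    level=3

    # Notch 4: SSH CA user certificates, i.e. a user CA is trusted.
    ca=$(printf '%s\n' "$cfg" | directive_value trustedusercakeys)
    [ -n "$ca" ] && level=4
    echo "$level"
}

# Constructed sample configs, one per notch, for the demonstration below.
SAMPLE_PASSWORDS='PasswordAuthentication yes'
SAMPLE_KEYS='PasswordAuthentication no
PubkeyAuthentication yes'
SAMPLE_STRONG='PasswordAuthentication no
PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com'
SAMPLE_TOKEN='PasswordAuthentication no
PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com'
SAMPLE_CA='PasswordAuthentication no   # comments are ignored
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com
TrustedUserCAKeys /etc/ssh/user_ca.pub'

for name in PASSWORDS KEYS STRONG TOKEN CA; do
    eval "sample=\$SAMPLE_$name"
    printf '%-10s notches=%s\n' "$name" "$(printf '%s\n' "$sample" | ssh_ratchet_level)"
done
```

Run it against a real server with `ssh_ratchet_level < /etc/ssh/sshd_config` (or, better, against `sshd -T` output, which expands defaults and Match blocks that this simple parser does not handle). The point of the cumulative count is the ratchet itself: each notch assumes the previous one still holds, and the script reports how far the pawl has been advanced rather than a pass/fail verdict.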

The goal is to have a threat model, implement defenses based on that model, and then iterate to improve as needed.