Password politic

Leo Barnes

Hi, I'm going through a new installation of my system, and I wanted to look into password management. I obv. use pass to store my passwords, but the problem is the actual root/pass passwords. A lot of bullshit is going around on the internet, and I don't know what to really do.
I used to pick sentences from books I like, while adding random uppercase words; but I don't know what to do today.
Is the dice thing still a thing?
thanks.

Tyler Howard

Learn the method of loci. It's easy enough to learn. Then just keep all your long and complex passwords in your head. It's a bit more effort than outsourcing, but I don't trust password managers.

Juan Brooks

None of them are secure, remember your password in your head for best security.
/thread

James Mitchell

Why don't you trust pass?
I mean, you can't beat a totally random 64-character-long pass...

Jackson Martinez

Yes you can: it's called memorizing the password, so no one can brute-force your password manager for that 65-key-long pass.

Lincoln Gray

I'm not a trusting person. Also, as I said, look into the method of loci. With some practice you can easily remember 64 random characters.

Luke Torres

I'm not a trusting person
You can write a minimal password manager yourself.
And anyway you have to trust your browser not to send the passwords elsewhere. Unless you manipulate network packets with your bare hands, this is an invalid point.

Noah Lopez

If that's the case, why not simply put a key on a USB key and use it to log in?
I mean, passwords are starting to be impractical, and quantum computing will definitely destroy today's passwords...

Luis Howard

True. I consider all passwords that traverse the botnet as potentially compromised. But what can you do? I'm not saying not to use a password manager, just that I personally don't. I still think it's a good idea to learn to remember shit, because it's still good for some important passwords, like the key to your password manager, your root, your crypto wallet or things like that.

Jeremiah Allen

That's actually the first time I see someone saying that he remembers *by his bare hand* a 64-character-long random pass...
I already have trouble remembering the first 30 decimals of pi...

Cooper Wright

of course, but it'd be stupid to memorize a password for every stupid shitsite
I for example keep only 2 passwords in memory, and the others I don't have to.
what counts is the amount of bits. you need >80 bits, and how they are encoded doesn't matter. they can even be in the form of random words from a dictionary, but that would be long.

Charles Mitchell

thanks a lot. First for explaining to me that it's possible to remember such passwords. Second for giving a length to respect.

Colton Davis

Wait, so you still use a password manager?

Angel Brooks

Really? That's a pretty entry level amount of memorization among people who practice this stuff.

James Walker

Yep. I have three for important stuff.

Nicholas Hill

yes, but one which (hopefully) doesn't ever connect to the Internet. it's only for storing passwords.
less important passwords are saved in the browser.
and I use a hand-written script to generate them, which in turn gets random data from smth. like /dev/urandom.
I think it's enough for my threat model.

Benjamin Edwards

That's the thing: I never ever practiced it.
I should get started.

Nathaniel Jones

I had no problem memorizing ~80 bits, encoded as alphanumeric characters. But not everybody can do this easily.

Kevin Sullivan

It's a skill that will serve you well in many aspects of life, not only with passwords. It seems daunting at first, but keep in mind that like everything, you get better and faster as you progress.

You know, I've been teaching people this shit for years. Many people say that "not everyone can do this," but I've found that everyone I've tried to teach it to has learned it, and pretty easily as well. But the thing is, people vary in what they are good at.

Some people are better at spatial memory, some are better at emotional memory and so on. If you find you can't do it, read some other variations on the method (of which there are many.)

Ryan Scott

I had this kind of pass before: 45)2$fgtbr)t(hNe
I actually only remembered it by hand...

Dominic Collins

Ctrl+F "hardware password manager": Phrase not found
tl;dr use Pastilda.

Alexander Morgan

just take something you'll remember easily and add an arbitrary number of repeating characters before it:

AnalB3ads
becomes
................AnalB3ads
or
aaaaaaaaaaaaaaaaAnalB3ads

Jack Smith

Should probably point out, the e->3 substitution is by habit. It's something all brute-forcing methods are designed to easily account for.

Julian Lewis

shit method tbh

Lincoln Young

Use KeepassXC

Cooper Rodriguez

shit thread

Zachary Gutierrez

Make your shit 16 characters, minimum.

I usually take a sentence and make it my password, with some tweaks and numbers.

This is my password becomes:
..THIS is_my Passw0rd!!

Connor Scott

I take a long quote I remember, change it slightly, and add characters in a manner that I can remember.

For example:
Jack!and)[email protected](Up#a*Hill

Yes, there are patterns and it's a quote, which is bad. But the patterns are not common, and the way the quote is written out makes it incredibly difficult.

Jeremiah Butler

I do this: z85_encode(TupleHash128(("supersecretmasterpassword", "Levi Goldberg", "facebook.com", "current year + 3"), 128, ""))
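A runnable sketch of the derivation style described in this post, as an added example and not the poster's own code. Python's hashlib has no TupleHash, so keyed BLAKE2b over length-prefixed fields stands in for it; the length prefixes give the same property TupleHash is chosen for (the tuple ("ab", "c") can never encode the same as ("a", "bc")). The Z85 encoder follows the ZeroMQ spec. The master passphrase, name, site and counter values are constructed placeholders.

```python
"""Per-site password derivation from a master passphrase plus a site tuple.

Added example, not the poster's code. Substitutions, labelled as assumptions:
keyed BLAKE2b with length-prefixed fields instead of TupleHash128, and a
hand-written Z85 encoder (ZeroMQ spec) since neither is in the stdlib.
"""
import hashlib
import struct

Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")


def z85_encode(data: bytes) -> str:
    """ZeroMQ Z85: each 4-byte big-endian chunk becomes 5 base-85 characters."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    out = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        chunk = []
        for _ in range(5):
            value, rem = divmod(value, 85)
            chunk.append(Z85_ALPHABET[rem])
        out.extend(reversed(chunk))  # most significant digit first
    return "".join(out)


def encode_tuple(fields) -> bytes:
    """Unambiguous tuple encoding: every field is prefixed by its byte length."""
    blob = b""
    for field in fields:
        raw = field.encode("utf-8")
        blob += struct.pack(">I", len(raw)) + raw
    return blob


def derive_password(master: str, name: str, site: str, counter: str,
                    digest_bytes: int = 16) -> str:
    """Derive a per-site password.

    The master passphrase is the BLAKE2b key (pre-hashed so any length works);
    only the (name, site, counter) tuple is message data. 16 digest bytes
    (128 bits) encode to 20 Z85 characters. Bumping the counter is how a
    single site's password is rotated without touching the master.
    """
    key = hashlib.blake2b(master.encode("utf-8"), digest_size=64).digest()
    h = hashlib.blake2b(encode_tuple((name, site, counter)),
                        key=key, digest_size=digest_bytes)
    return z85_encode(h.digest())


if __name__ == "__main__":
    # Constructed placeholder values only.
    master = "placeholder master passphrase"
    print(derive_password(master, "Alice Example", "example.com", "1"))
    print(derive_password(master, "Alice Example", "example.com", "2"))
```

The trade-off to keep in mind with any deterministic scheme like this: there is nothing to back up, but there is also nothing to revoke. If the master passphrase is exposed, every derived password is exposed with it, and you cannot change one site's password without remembering that its counter moved, which is exactly the bookkeeping problem the "hex colours" post further down is working around.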

Angel King

Draw a pattern on your keyboard with your finger, like a line across and a few going up and down. So easy to remember and easily thirty or fifty characters long.

Luis Walker

If you aren't generating random passwords and usernames for every website you visit, you're browsing wrong.

Grayson Gonzalez

Do you have any learning materials that I can use? I've got an awful memory for details.

Ayden King

sorry for the long post, but I too have been very captivated by password generation and password management for the last month or so.

at the risk of being one of those idiotic shills, I made my own password app thing. I get how other people feel ITT. I don't trust others because we as humans are flawed, and I'd rather get pwned by my own stupidity than someone else's oversight.

I wrote down some methods I use to generate passwords in my readme...

To save you a lot of reading and guessing WTF I wrote, and having to bother going to another shit page:

- Use passphrases (e.g. "Narcotic Truck Penpal Upriver Abe Drunken")
* How you pick words is up to you (diceware is great, some people use random.org to get the entropy they need to pick words, and well, I just use /dev/urandom; I know some may take issue with that)
* OFC add some modifiers (add a digit or two, replace the spaces with a sign, or something along those lines)
* Store them however you feel is best. a lot of people use GPG, I use AES+sha512 for basic integrity, other people I know AFK have a tiny password notebook in their wallet. These methods are all sound IMO.

- Hash-based password generators are also great (e.g. 3NarcoticzTruckzPenpalzUpriverzAbezDrunken0 | cecece)
* BUT you need a method to both have a long master passphrase and also an easy way to keep track of changes to the hashed password if, say, a site gets pwned
* Some people use simple number counters, others use a PIN, and I find myself using hex colors. (I just need to change 1 character to get a new hash, and I can organize in my head which character I decide to change, or change the color altogether)

- How you store the password determines how safe it is, but generally speaking you want to layer your security to keep adversaries out
* If you use LUKS and keep your passwords on, say, an airgapped single board computer, you're set.
* if you use a password notebook and don't let it leave your sight, even better.
* if you use LUKS on a drive and sync your password files directly to other devices via syncthing or git, git-annex... well, the security is based on the least used/updated device. (so like why have LUKS and syncthing if one of your devices is a tablet that gets security updates that are a year old?)

in case you are curious, it's not hard to roll your own password app.
git.joepcs.com/r/gpass/b/master/t/f=README.html