Password policy

Hi, I'm going through a new installation of my system, and I wanted to look into password management. I obv. use pass to store my passwords, but the problem is the actual root/pass passwords. A lot of bullshit is going around on the internet, and I don't know what to really do.
I used to pick up sentences from books I like, while adding random uppercase words; but I don't know what to do today.
Is the dice thing still a thing?

Learn the method of loci. It's easy enough to learn. Then just keep all your long and complex passwords in your head. It's a bit more effort than outsourcing, but I don't trust password managers.

None of them are secure, remember your password in your head for best security.

Why don't you trust pass?
I mean, you can't beat 64 totally random characters long pass...

Yes you can, it's called memorizing the password so no one can brute force your password manager for that 65 key long pass.

I'm not a trusting person. Also, as I said, look into the method of loci. With some practice you can easily remember 64 random characters.

you can write a minimal password manager yourself.
and anyway you have to trust your browser to not send the passwords elsewhere. unless you manipulate network packets with your bare hands, this is an invalid point.

If that's the case, why not simply put a key on a USB key and use it to log in?
I mean, passwords are starting to be impractical, and quantum computing will definitely destroy today's passwords...

True. I consider all passwords that traverse the botnet as potentially compromised. But what can you do? I'm not saying not to use a password manager, just that I personally don't. I still think it's a good idea to learn to remember shit, because it's still good for some important passwords, like the key to your password manager, your root, your crypto wallet or things like that.

That's actually the first time I see someone saying that he remembers *by his bare hand* a 64 random characters long pass...
I already have trouble remembering the first 30 decimals of pi...

of course, but it'd be stupid to memorize a password for every stupid shitsite
I for example keep only 2 passwords in memory, and others I don't have to.

what counts is the amount of bits. you need >80 bits, and how they are encoded doesn't matter. they can even be in the form of random words from a dictionary but that would be long.

thanks a lot. First for explaining to me that it's possible to remember such passwords. Second for giving a length to respect.

Wait, so you still use a password manager?

Really? That's a pretty entry level amount of memorization among people who practice this stuff.

Yep. I have three for important stuff.

yes, but one which (hopefully) doesn't ever connect to the Internet. it's only for storing passwords.
less important passwords are saved in the browser.
and I use a hand-written script to generate them, which in turn gets random data from /dev/urandom.
I think it's enough for my threat model.

That's the thing: I never ever practiced it.
I should get started.

I had no problem memorizing ~80 bits, encoded as alphanumeric characters. But not everybody can do this easily.

It's a skill that will serve you well in many aspects of life, not only with passwords. It seems daunting at first, but keep in mind that like everything, you get better and faster as you progress.

You know, I've been teaching people this shit for years. Many people say that "not everyone can do this," but I've found that everyone I've tried to teach it to has learned it, and pretty easily as well. But the thing is, people have variation in what they are good at.

Some people are better at spatial memory, some are better at emotional memory and so on. If you find you can't do it, read some other variations on the method (of which there are many.)

I had this kind of pass before: 45)2$fgtbr)t(hNe
I actually only remembered it by hand...

Ctrl+F "hardware password manager": Phrase not found
tl;dr use Pastilda.

just take something you'll remember easily and add an arbitrary number of repeating characters before it:


Should probably point out, the e->3 substitution is by habit. It's something all bruteforcing methods are designed to easily account for.

shit method tbh

Use KeepassXC

shit thread

Make your shit 16 characters, minimum.

I usually take a sentence and make it my password, with some tweaks and numbers.

This is my password becomes:
..THIS is_my Passw0rd!!

I take a long quote I remember, change it slightly, and add characters in a manner that I can remember

For example:
Jack!and)[email protected](Up#a*Hill

Yes there's patterns and it's a quote, which is bad. The patterns are not common and the way the quote is written out makes it incredibly difficult.

I do this: z85_encode(TupleHash128(("supersecretmasterpassword", "Levi Goldberg", "", "current year + 3"), 128, ""))

Draw a pattern on your keyboard with your finger, like a line across and a few going up and down. So easy to remember and easily thirty or fifty characters long.

If you aren't generating random passwords and usernames for every website you visit, you're browsing wrong.

Do you have any learning materials that I can use? I've got an awful memory for details.

sorry for the long post but I too have been very captivated by password generation and password management for the last month or so.

at the risk of being one of those idiotic shills, I made my own password app thing. I get how other people feel ITT. I don't trust others because we as humans are flawed and I'd rather that I get pwned by my own stupidity than someone else's oversight.

I wrote down some methods I use to generate passwords in my readme...

To save you a lot of reading and guessing WTF I wrote and having to bother going to another shit page:

- Use passphrases (eg. "Narcotic Truck Penpal Upriver Abe Drunken")
* How you pick words is up to you (dice ware is great, some people use to get the entropy they need to pick words, and well I just use /dev/urandom; I know some may take issue with that)
* OFC add some modifiers (add a digit or two, replace the spaces with a sign, or something along that manner)
* Store them how you feel is best. A lot of people use GPG, I use AES+sha512 for basic integrity, other people I know AFK have a tiny password notebook in their wallet. These methods are all sound IMO.

- Hash based password generators are also great (eg. 3NarcoticzTruckzPenpalzUpriverzAbezDrunken0 | cecece)
* BUT you need a method to both have a long master passphrase and also an easy way to keep track of changes to the hashed password if, say, a site gets pwned
* Some people use a simple number counter, others use a pin, and I find myself using hex colors. (I just need to change 1 character to get a new hash and can organize in my head which character I decide to change, or can change the color altogether)

- How you store the password determines how safe it is, but generally speaking you want to layer your security to keep adversaries out
* If you use LUKS and keep your passwords on, say, an airgapped single board computer, you're set.
* If you use a password notebook and don't let it leave your sight, even better.
* If you use LUKS on a drive and sync your password files directly to other devices via syncthing or git, git annex... well, the security is based on the least used/updated device. (so like why have LUKS and syncthing if one of your devices is a tablet that gets security updates that are a year old?)

In case you are curious, it's not hard to roll your own password app.
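Added example (my own code, not anything from the thread or from the poster's app) that puts numbers on the ">80 bits" rule from earlier in the thread and implements the counter-based hash generator described in the post above; the word list, PBKDF2 in place of TupleHash128 and url-safe base64 in place of z85 are assumptions.

```python
import base64
import hashlib
import math
import secrets

# Constructed stand-in for a diceware list; real lists have 7776 words (6^5).
WORDS = ["narcotic", "truck", "penpal", "upriver", "abe", "drunken", "kettle", "orbit"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols, each picked uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of uniform symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase(wordlist: list[str], n_words: int, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (`secrets` reads /dev/urandom on Linux).
    Entropy comes only from the choice being uniform; a separator or a fixed
    digit bolted on adds nothing an attacker can't account for."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def site_password(master: str, site: str, counter: int, length: int = 20) -> str:
    """Deterministic per-site password from one master passphrase.

    Swapped-in technique: PBKDF2-HMAC-SHA256 instead of the thread's TupleHash128,
    so offline guessing of the master is slowed if a site password leaks.
    `counter` is the rotation knob: bump it after a breach to get a new password
    without changing the master. Assumed scheme, not any poster's actual tool.
    """
    salt = f"{site}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=32)
    # z85 isn't in the stdlib; url-safe base64 gives a printable string instead.
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


if __name__ == "__main__":
    print("6 diceware words:", round(entropy_bits(7776, 6), 1), "bits")
    print("alphanumerics for 80 bits:", symbols_needed(62, 80))
    print("passphrase:", passphrase(WORDS, 6))
    print("site pw:", site_password("correct horse", "example.test", 0))
```

The trade-off the post hints at holds here too: with a hash-based scheme, a leaked master plus the generator yields every site password, so the master needs the full 80 bits on its own.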