Diceware is a password locker?

I like the CorrectHorseBatteryStaple methodology.

Password Strength

xkcd (xkcd.com)

Diceware is a method of generating random memorable passwords.

“Password must be between 8 and 12 characters” ‍️

Basically what diceware does. It’s just that humans are really bad at picking random words (“banana” is over represented, for instance) that’s what diceware helps with.

Just got done investigating a spambot we had earlier, and it looks like they used a lot of compromised accounts on other instances to give their post an initial upvote boost. If you don’t already, please remember to use a good strong password. Keeping your account secure helps reduce spam across the whole of lemmy, and keeps your account from getting banned for things you didn’t actually do.

I recommend Diceware! I use it in my professional capacity as an IT/Security person, and also you get to use your mathrocks!

EDIT: Oh, also, all that numbers and symbols shit is no longer considered good practice. Just make it a really long collection of random words, at least 12, ideally 16+ characters. And make sure the words are actually random; your 3 favorite sports teams isn’t good enough, which is why I recommend diceware.

I like the CorrectHorseBatteryStaple methodology.

Password Strength

xkcd (xkcd.com)

Password managers are OK but I have hesitations on them personally. I’m leery of putting all my most high-value stuff in one place behind one password. What I do instead is memorize a truly unreasonable amount of passwords, though, which I recognize is not a reasonable expectation for others. For threat models in which you’re not worried about in-person attacks, it may actually be a good idea to just write your passwords down, maybe keep your password book in something with a lock on it. I’m not advocating for any particular method, just putting it out there so people can make an informed decision.

Just got done investigating a spambot we had earlier, and it looks like they used a lot of compromised accounts on other instances to give their post an initial upvote boost. If you don’t already, please remember to use a good strong password. Keeping your account secure helps reduce spam across the whole of lemmy, and keeps your account from getting banned for things you didn’t actually do.

I recommend Diceware! I use it in my professional capacity as an IT/Security person, and also you get to use your mathrocks!

EDIT: Oh, also, all that numbers and symbols shit is no longer considered good practice. Just make it a really long collection of random words, at least 12, ideally 16+ characters. And make sure the words are actually random; your 3 favorite sports teams isn’t good enough, which is why I recommend diceware.

I’m leery of putting all my most high-value stuff in one place behind one password.

Password managers (at least the non-browser based ones) use methods provided by the OS to protect themselves from screen recording, direct memory reading and keyboard-sniffing. Most password managers can also be set up to require a keyfile and/or physical passkey to unlock their databases.

A keyfile stores data necessary for decryption separate from the password database and means someone couldn’t get into your passwords even if your database was stolen and they knew the master password (assuming you stored your keyfile separate from the database - the file and its location should be treated like a password itself). A keyfile also lets you keep your database on cloud storage while manually transferring the key to trusted devices, allowing cloud syncing of your passwords without fear of leaks - without the keyfile it’s all just random data.

A physical passkey makes it virtually impossible to breach the database unless someone steals the USB device, since it uses a challenge-response model and the data needed to spoof it should never leave the device.

these are called pass phrases and yes, they tend to be way more secure at least until quantum computers render all traditional cryptography meaningless.

Well good news then, because even throwing every quantum computer currently on the planet is not enough to factor 2048-bit RSA, and likely won’t be in any currently alive human’s lifetime.

I guess what I mean is, it’s a single point of failure. Usually an extremely strong one, granted.

these are called pass phrases and yes, they tend to be way more secure at least until quantum computers render all traditional cryptography meaningless.

Basically what diceware does. It’s just that humans are really bad at picking random words (“banana” is over represented, for instance) that’s what diceware helps with.

until quantum computers render all traditional cryptography meaningless.

I’ll cross that bridge when it actually happens.

I look around the room or think about what I’m doing. My username was made that way.

And your memory is not a single point of failure?

Well, no, not really. If I forget a password I’ve only lost access to the one site, and it’s recoverable. Just an partial failure. Not going to lose everything unless I literally die in which case I don’t care about anything anymore. And no one is going to breach my brain short of tying me to a chair, and that’s not really my threat model.

Password managers are OK but I have hesitations on them personally. I’m leery of putting all my most high-value stuff in one place behind one password. What I do instead is memorize a truly unreasonable amount of passwords, though, which I recognize is not a reasonable expectation for others. For threat models in which you’re not worried about in-person attacks, it may actually be a good idea to just write your passwords down, maybe keep your password book in something with a lock on it. I’m not advocating for any particular method, just putting it out there so people can make an informed decision.