I don't even have the ability to read my password manager's master key, since all passwords are encrypted with different AES keys, which is then encrypted with a private key I have no ability to read (only ask my smartcard to perform RSA on, if I can authenticate to it).
hunter2 supports the concept of users, which are named public keys so I can share individual passwords with other users. One of those other users can be a different smartcard or a different person who can then authorized my new card.
It's remembering one password vs X, and it is pretty hard to remember in my case, almost 4 months into using this password and I still struggle to type it in correctly sometimes
Yeah I was just kidding, I see what the parent meant.
Now I use a hardware token (yubikey) to store my PGP key so I can use a relatively weak PIN code on it (since you need to have physical access to the device to use it and you only have 3 attempts before it locks up). It's a pretty good quality of life improvement.
Then you better don't use it when you're fatigued or drunk. I nearly locked my SIM card once by not realizing until the third attempt that my phone was asking for the SIM card PIN rather than my lockscreen PIN.
There's also an "admin PIN" that can be used to unlock the key if something goes wrong. It's more complicated than my regular PIN and I didn't memorize it so that should be enough as a defensive measure against drunk me.
Well, unless I'm silly enough to try and bruteforce that PIN as well, after 3 failures I'd be left with an expensive piece of plastic... Fortunately I'm rarely that drunk.
EDIT: Actually as the sibling comment points out you can still reset the token even if you mess up the admin PIN. So at least you won't "brick" your token completely.
Well, the password manager master key encrypts a local file, so an attacker must have access to your machine first. And it's only one password to remember, as opposed to a high-strength password for every single site one uses.
>if you can remember your password, its probably too weak
As XKCD famously pointed out[0], Diceware[1]-style pass phrases can be both secure and memorable. XKCD's four word example isn't secure when fast brute-force attacks are feasible, but eight words is still easily memorable and secure enough for anything. The important point here is that "random words" really does mean "random", i.e. not picked by a human.
Just to add to the above comment, a diceware passphrase is MUCH harder to break than most people realize. For example, compare the possible number of combinations:
Diceware, 6 words 2.2 x 10^23
Diceware, 5 words 2.8 x 10^19
Diceware, 4 words 3.6 x 10^15
a-zA-Z0-9, symbols, 10 4.3 x 10^19
a-zA-Z0-9, 10char 8.4 x 10^17
a-zA-Z0-9, 8char 2.2 x 10^15
A 6 word diceware phrase has 100 million more combinations than the 8 character alphanumeric.
You might wish to consider these in terms of entropy, which is typically given in bits:
Diceware, 6 words 77 bits
Diceware, 5 words 64 bits
Diceware, 4 words 51 bits
a-zA-Z0-9, symbols, 10 65 bits
a-zA-Z0-9, 10char 59 bits
a-zA-Z0-9, 8char 50 bits
For any remote site, I recommend using 22 characters from [a-zA-Z0-9]; this is 128 bits, and is easily copy-pasteable.
It's highly amusing when a site tells me that such a password is insufficiently complex, given that it will never in the lifetime of the universe be guessed.
A 6 word phrase is also over 3x as long as an 8char password.
The entropy calculations are probably generous. The wordlist isn't as long as it looks, because some of the words are strange and people tend to re-roll if they get something like that. It's probably better to assume there's only 1000-2000 "words" people will safely combine.
The instructions explicitly tell you not to reroll strange words. Look them up or use them as a mnemonic. Or if you don't like the strangeness in the default diceware word-list, find a word-list you like better. (There are several alternatives including fun ideas like using a foreign language word-list and learning the pronunciations and meanings of those words.)
Also, the combinations list assumes that the attacker knows the method/word-list used to generate the password, which may not be foreknowledge the attacker has access to, especially in cases of giant many account password brute forcing attacks.
It should be clear that brute-forcing a passphrase is much more complicated than a PIN number, in the best case for you (worse case for an attacker).
Just because your passphrase may essentially be a PIN look up into a lookup table doesn't mean the attacker knows that or has access to the same lookup table.
You can also add additional entropy via punctuation or casing.
The point to a random passphrase is to try to avoid "human" mistakes like over favoring a subset of words, and rerolling words you don't like potentially makes your collection of passphrases more susceptible to analysis or social engineering (word association) attacks.
Like I said, it's generally better to pick a word-list you are comfortable with all the possible words than to subset a word-list you aren't entirely comfortable with.
The goal of something like Diceware is to be easy for humans to memorize but also still true random (see: xkcd's battery horse comic). If you don't need to memorize it, then yes, why not entirely generate a random sequence of letters/numbers/symbols/emoji.
This kind of assumes that you're trying to crack a password with the operating assumption that words are indeed not used, that every character is random, and that you wouldn't use some sort of word library to construct passwords.
No, it doesn't. It assume that you know exactly that the password is a Diceware password. The standard word list has 7776 entries, giving 7776^6 ~ 2.2*10^23 combinations for a 6 word passphrase.
But how many of these can you remember? I currently use almost fifty different passwords. I can't imagine committing fifty different pass phrases to memory.
That's what password managers are for. Just remember the password for the manager, plus maybe one or two critical accounts (e.g. email) and you're good to go. Let the manager deal with the complexity of generating and remembering random passwords.
I don't understand this response? A passphrase is easier to remember than a password. 50 passphrases may not be easy to remember, but they're easier than 50 passwords.
I thought password cracking machines now guess words as well as characters? Like they will guess all 8 character passwords and will also guess all 6 word passwords using common words like they guess characters? Therefore using just a few common words stuck together with nothing else is no longer secure? (This is a genuine question because I could be totally wrong on that, I can't even remember where I heard it)
"Probably" being key here. I still memorize all my passwords and the average one is about 30 characters long, with my "more secure" websites going 60+.
Oh, come on. All of them? If you're like me, that’s hundreds. Are you a memorization savant? Are you creating low-quality passwords? Mine are actually long and random (generated NOT by me and NOT four Dr Seuss words)
It wasn't always this way. I had horrible password standards as I'm sure most of us did when we started out on computers.
- If it's a website I couldn't care about, I use a simple password, probably a remnant from growing up.
- If it's a website I'm concerned about but knowingly won't use, I create a random password and clipboard it during initial creation/login, then every time I use the website I reset it (lazy man's password generator)
- If it's a website that I care about, like HN, I have a loose pattern that I follow that includes symbols and numbers (that's the 30ish character I was referencing). Every website is unique.
- Financial accounts have their own set of rules (unless it's stupid and has, say, an 8 character limit)
- My main email accounts get special treatment with an exceptionally long password.
- Use two-factor authentication wherever possible.
You just make up a story and use one of the knickknacks you keep near your workstation as a memory trigger.
For instance, if I needed a new strong password, I could use, "This#jar#once#held#1111#M&Ms,#but#now#it#is#empty."
The only thing I need to remember there is the story of the jar and the padding character I used in place of spaces. If I really had to, I could put "#" on a sticky note under the jar. But of course, I can't use that password now. So I might instead use "I(used(this(jar(as(an(example(on(HN." But now I can't use that one, either. So maybe I use "These!blinds!are!very!dusty.!!Someone!should!clean!them." or "My^dog^once^killed^a^dozen^baby^rabbits^in^the^tall^grass^I^didn't^want^to^mow." or "MyFgreatFauntsFhadFreallyFlongFhair."
I get really irritated when sites tell me I have to include numbers, uppercase, lowercase, and symbols in the same password. I get especially irritated when they put an upper limit on the number of characters, or ban certain characters from appearing in the password.
That's ludicrous. Is your workstation covered in sticky notes and knickknacks? Are you re-using these passwords? Do you have to buy a new knickknack for every new website you visit that requires a password?
One photograph can contain several virtual knickknacks. I usually don't use sticky notes, as I also make a mnemonic to relate the character to the story. For instance, a story about the beach could use '@' as a conch shell, or '*' as a sea star, or '$' as a sand dollar, or '~' for ocean waves.
But everyone has their own tricks for remembering things.
And I certainly don't make the effort for sites that I don't consider to be important. Those as often as not just get reset via e-mail whenever I forget my password.
It's amazing the lengths people will go to to justify not using a password manager.
Use a password manager. KeepassX is free, cross-platform, works on phones, does all that work for you, secures even your least-valuable accounts, does things right, doesn't store your passwords "in the cloud" and you'll get to keep applying your scheme to your master password.
And some people run marathons when they have a perfectly serviceable automobile. Remembering many passwords is not particularly remarkable. I am far more impressed by those who [uselessly] memorize thousands of digits of pi.
Why would anyone do that, when those digits can so easily be calculated or referenced from data files? Why do anything that is not strictly necessary? Why try to bench press more weight than last time? Why try to improve your chess game? Why learn a new programming language?
Because different people like different things. I am not required to like the things you like.
And I like proving to myself that I still can remember things without a helper daemon to keep track of them for me. I like that little bit of paranoid fantasy I have that makes me think that the men in black suits would have to take the pipe wrench to my kneecaps to get at my passwords, so I don't think about how the security at all these sites requiring password is so piss-poor that it would be easier to bypass all passwords in lieu of cracking just one of mine. In the end, the problem mentioned by the article is that very few people implementing computer security measures have any idea how to truly secure their data, so they do stupid shit like block clipboard pasting into password entry fields, or allow accounts to be hijacked by a spoofed SMS 2nd factor, or try to roll their own crypto without the requisite number of CS and math PhDs.
Yes, you could. That would be easier to remember, but also easier to guess. If your phrase is long enough, and unique enough, that wouldn't matter. The mere threat that it could be any character is enough to discourage most attackers.
Probably the best argument against spaces is the attack that listens to the sounds of your keyboard with a microphone as you type. As the space bar is a larger key, it sounds a distinctively lower note as you type, and would give even an unsophisticated attacker the means to determine the word lengths in your passphrase, which might reduce its entropy to something guessable within the lifespan of the universe.
Probably not a concern unless you might be targeted by someone with government-level resources.
I don’t have a problem with passphrases per se, but when people make them up via their noggin, they aren’t random and aren’t likely to include many obscure words. Using only common words dramatically reduces entropy. E.g., there are only 1 trillion passphrases of 4 words that can be constructed with the 1000 most common words, but a 12-character passphrase pulling from alphanumerics and the ~16 punctuation characters on your keyboard yield 50 sextillion permutations. That’s 50 thousand billion billion.
The argument I am making is that your average passphrase — yes, including "correct horse battery staple" — could be cracked a trillion times over before a password generated via 1Password would be!
"Dictionary attacks" aren't a magic spell. They're a form of brute forcing, as you seem to be aware.
If you're using about 8000 words, randomly chosen, then a 4 word passphrase is about the same as an 8 character random password. (And in fact, for 8k words, it's basically a direct substitution between 2 characters and 1 word.)
For most intents and purposes, 8-10 characters is fine, and 20 characters is enough to use as a cryptographic key. Similarly, 4-5 words is fine for most uses, and 10 words is enough to use as a cryptographic key.
So I'm not sure what you think isn't effective about passphrases -- they're just using a 2^13 sized alphabet instead of a 2^6.5 one, but either is capable of being used to write down a random string of bits.
if you can remember your password, its probably too weak