Ok, so, I’m no expert, but there’s a real lack of pragmatic guidance regarding password managers and their use. Over time I realized that some of what I was doing was essentially a self-imposed version of security theater, and I think I found a good balance on usability and security. Here’s my advice:
- Randomly generated strings are better than passphrases for your master password.
This might seem counterintuitive, since passphrases can get a similar amount of entropy, while being more memorable. Here’s the thing though: they are much, MUCH, longer to type. Your master password is (ideally) the only password you’ll be typing, so optimizing for typeability is best. And regarding ease of memorization? It doesn’t really matter, you’ll only need to memorize the password once, while you’ll type it many, many times.
- 60 bits of entropy is all you need, realistically.
AFAIK, there’s never been a demonstration of a 60 bit password being cracked by brute force. It’s just not financially smart. If you have that much hashing power, you’ll probably be better off mining Bitcoin or something. There’s a reason why criminals get most of their passwords through phishing: it’s cost effective.
- Longer > Complex
This comes back to typeability, adding one or 2 characters often results in higher entropy than adding an entire character class, and the result is much, MUCH more typeable. Uppercase letters, in particular, take 2 taps to write in a mobile phone. A 14 character lowercase + digits password has a little bit more entropy than a 12 character uppercase + lowercase + digits password, at the same time, the 14 character password will likely need less taps in a smartphone, be easier to type with one hand, and be easier to copy.
- Don’t go overboard with your key derivation function.
If your smartphone password manage takes forever to unlock your database, it’s likely that your password manager is setup to do way too many iterations. Remember than a doubling in the number of iterations is equivalent to a bit of entropy in your password. Going from 0.1 to unlock your database to about a second gains you 3ish bits of entropy: it’s just not worth it
- The passwords in the database should be typeable too
It’s tempting to assume that, since you’re no longer typing these passwords regularly, having infinite passwords with large character sets is the way to go, but it’s not. The safest way to log into an account in a non-trusted device is to just look up the password in your phone and type it up. Those situations will come up, I promise.
On the other hand, having 70 bits and 120 bits of entropy in your passwords is functionally equivalent, since no-one’s cracking them anyway
Alright, so that’s all. What do you think? I’m no infosec expert, but I like to think that I do my research. Pretty much all the advice regarding password managers I’ve read emphasizes security above all else, sometimes to the point of irrationality, and I felt like a guide like this was needed.
deleted by creator
deleted by creator
Omg this is actually such good advice, I wish I read this before I started using one
Especially 5, it’s a really good point that I overlooked.
Well, here I go changing all my passwords again…
best post on lemmy to this day
deleted by creator
That’s why I use the battery-horse-staple-correct feature in 1Password xD
I plan to respond to this soon, with some in-depth explanations.
Yes that makes a lot of sense. I wish more IT people thought this way.
If hackers can sometimes access your account, that’s bad security. I you sometimes cannot access you’re account, that is also bad security. But many people forget that.
deleted by creator
deleted by creator