Ok, so, I’m no expert, but there’s a real lack of pragmatic guidance regarding password managers and their use. Over time I realized that some of what I was doing was essentially a self-imposed version of security theater, and I think I found a good balance on usability and security. Here’s my advice:

  1. Randomly generated strings are better than passphrases for your master password.

This might seem counterintuitive, since passphrases can get a similar amount of entropy, while being more memorable. Here’s the thing though: they are much, MUCH, longer to type. Your master password is (ideally) the only password you’ll be typing, so optimizing for typeability is best. And regarding ease of memorization? It doesn’t really matter, you’ll only need to memorize the password once, while you’ll type it many, many times.

  1. 60 bits of entropy is all you need, realistically.

AFAIK, there’s never been a demonstration of a 60 bit password being cracked by brute force. It’s just not financially smart. If you have that much hashing power, you’ll probably be better off mining Bitcoin or something. There’s a reason why criminals get most of their passwords through phishing: it’s cost effective.

  1. Longer > Complex

This comes back to typeability, adding one or 2 characters often results in higher entropy than adding an entire character class, and the result is much, MUCH more typeable. Uppercase letters, in particular, take 2 taps to write in a mobile phone. A 14 character lowercase + digits password has a little bit more entropy than a 12 character uppercase + lowercase + digits password, at the same time, the 14 character password will likely need less taps in a smartphone, be easier to type with one hand, and be easier to copy.

  1. Don’t go overboard with your key derivation function.

If your smartphone password manage takes forever to unlock your database, it’s likely that your password manager is setup to do way too many iterations. Remember than a doubling in the number of iterations is equivalent to a bit of entropy in your password. Going from 0.1 to unlock your database to about a second gains you 3ish bits of entropy: it’s just not worth it

  1. The passwords in the database should be typeable too

It’s tempting to assume that, since you’re no longer typing these passwords regularly, having infinite passwords with large character sets is the way to go, but it’s not. The safest way to log into an account in a non-trusted device is to just look up the password in your phone and type it up. Those situations will come up, I promise.

On the other hand, having 70 bits and 120 bits of entropy in your passwords is functionally equivalent, since no-one’s cracking them anyway

Alright, so that’s all. What do you think? I’m no infosec expert, but I like to think that I do my research. Pretty much all the advice regarding password managers I’ve read emphasizes security above all else, sometimes to the point of irrationality, and I felt like a guide like this was needed.

    • SeerLite
      link
      fedilink
      33 years ago

      Especially 5, it’s a really good point that I overlooked.

      Well, here I go changing all my passwords again…

  • Dreeg Ocedam
    link
    fedilink
    53 years ago

    In addition, to actually crack a password you need access to a hash. This means that you first need to have a website leak its database. But since you’re already not reusing any password, the damage is already done. Since they have access to the password DB they likely already have all your data on the website, which means that thr password won’t give then access to any new info.

    Note that it obviously isn’t true for your master password.

  • @TheAnonymouseJoker@lemmy.ml
    link
    fedilink
    3
    edit-2
    3 years ago

    Good stuff, people really do not understand IT security 101 is what I keep concluding everytime. Every damn time. And that is how I make my guides that get in trend.

  • @roastpotatothief@lemmy.ml
    link
    fedilink
    33 years ago

    Yes that makes a lot of sense. I wish more IT people thought this way.

    If hackers can sometimes access your account, that’s bad security. I you sometimes cannot access you’re account, that is also bad security. But many people forget that.