This is a sort of continuation of a previous topic I posted. This weekend I will be wiping and reinstalling my computer and encrypting all of my drives in the process. In doing so, I will have to choose secure passphrases. As such, I have some questions about how best to do this:

1. I have three drives that will be encrypted. Is it okay to have the same passphrase for all of them, or should I have different ones for each?

2. In looking up info on this topic, I came across this article which recommends something called a Diceware wordlist. The premise is that you roll dice which match to a list of 7000+ words. You then string six or more of these words together which become your passphrase. Is this a sound way to generate one?

3. Rather than using the Diceware wordlist, couldn't I roll my own password of the same type using six "random" words of my choosing? I feel like that would be easier to remember, but am I weakening security in doing so?

4. If the Diceware method is to be trusted, does that mean I do not need to pepper my passphrase with digits, mixed case, and special characters? Or should I add these anyway?

5. I'm also considering changing over passwords on a lot of my online accounts based on this method. I like the idea of using a single passphrase as a root, but how do you modify it so that it is different for each account? Would I do something like [dicewarewords]tildes, [dicewarewords]spotify, [dicewarewords]ubuntuforums, etc.? I feel like it would be too on-the-nose, and it would make it easy to guess my other passwords if one were compromised. On the other hand, I don't like the idea of using a password manager to generate a random string for me. I'd like to still be able to login even without my password manager.

6. For people that have used something like this, how do you then deal with password restrictions on sites? I know that no matter how great I set things up I'm still going to have to make exceptions for sites that that either require or forbid numbers, mixed case, or special characters, have character limits, or make me change my password frequently.

I was reading over tildes' privacy policy and saw that passwords are stored hashed, but are they salted as well?

https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without#fnref:salted

not that tildes is big enough atm to have big public database breaches, but in the future it's a good idea to store passwords with a secure salting system, especially to help users that might have common passwords like "Diane" in the Tumblr post.

Over the past year I have done a lot to shore up my digital privacy and security. One of the last tasks I have to tackle is locking down the many personal files I have on my computer that have potentially compromising information in them (e.g. bank statements). Right now they are simply sitting on my hard drive, unencrypted. Theft of my device or a breach in access through the network would allow a frightening level of access to many of my records.

As such, what are my options for keeping certain files behind an encryption "shield"? Also, what are the potential tradeoffs for doing so? In researching the topic online I've read plenty of horror stories about people losing archives or whole drives due to encryption-related errors/mistakes. How can I protect against this scenario? Losing the files would be almost as bad as having them compromised!

I'm running Linux, but I'm far from tech-savvy, so I would either need a solution to be straightforward or I'd have to learn a lot to make sense of a more complicated solution. I'm willing to learn mainly because it's not an option for me to continue with my current, insecure setup. I do use a cloud-based password manager that allows for uploading of files, and I trust it enough with my passwords that I would trust it with my files, though I would like to avoid that situation if possible.

With all this in mind, what's a good solution for me to protect my personal files?

I'm genuinely curious. I'm a late adopter FWIW and am still rocking an older iPhone that doesn't support any face recognition or finger prints. But I don't use a pass code either, and never have, and doubt I ever will. I just don't get it... what are folks afraid of happening if they don't lock their phone? I suppose the "nightmare" scenario would be someone steals your phone and then messages your contacts asking for $. Is that it?

I've always practiced greater digital security than physical security (counting the phone unlock as physical) as I think it much more likely that a ne'er-do-well would attack some large company than to single me out in person. I mean if the FBI or some hacker is going through my garbage then I probably have larger problems, right?

For me it's cost/benefit - swiping/fingerprinting/face IDing multiple times a day is not worth the slim chance that my phone is stolen by someone who going to use the info in it for something nefarious. I wouldn't lock my car if I was in/out of 20x a day, I just wouldn't leave anything terribly valuable in it.

Please let me know why locking your phone is/isn't important to you.

EDIT: To be clear, I have one banking app and it requires an additional password to get in. It's an app so there isn't a saved password for it anywhere.

EDIT2: Made this as a comment below, but thought I'd add it up here as well - "I find it strange that people in general seem to be OK with putting up with an inconvenience (even though minor to many) that affects them multiple times a day, but we hold large companies almost wholly unaccountable for major data breaches. "

EDIT3: This just occurred to me. We lock our phones, but not our wallets/purses. The argument that a pass-code is a protection against identity theft rings sort of hollow when we consider we have much of the same info on an ID card that we keep unprotected. Some states will even list the SSN on a driver's license.

EDIT4: I'm convinced everyone thinks their personal lives are terribly interesting to strangers and my suspicion is they're not. Only two real cases of bad things happening when a phone is unlocked that I've counted so far: 1) long distance calls 2) pokemon themed contacts.

EDIT5: That said, sounds like the fingerprint scanner is the way to go for convenient security. I'll be checking that out. Sincere thanks!

EDIT6: Some folks said that edit 4 came off as condescending. Not my intention. I was trying to tie in the idea of "everyone being the main character in their own story." I'm definitely not implying that people should leave their phones unlocked because others wouldn't find their lives uninteresting.

I think many have a personal connection to their devices that I do not feel. Intellectually I find that very interesting as this seems less a monetary issue and more a privacy issue. It'd be as if a stranger picked up a lost diary and started reading. I fear my diary would be more like a ship captain's logbook and wholly uninteresting. If I were to have my phone stolen I'd simply change a couple passwords and buy a new one.

I recently enabled controlled folder access in Windows 10. It restricts programs from modifying folders in a blacklist.

I have all of the music/pictures/videos/documents/desktop folders and folders containing backups added, is there anything else I should consider adding?

I do the following:

• Use a VPN (NordVPN)
• Use Firefox with a tweaked about:config and the following security extensions:
  • uBlock Origin
  • NoScript
  • HTTPS Everywhere
  • Privacy Badger
  • Decentraleyes
  • Cookie Autodelete
  • Skip Redirect
  • CanvasBlocker
• Run Linux Mint (I know, Ubuntu-based distros aren't ideal but I'm a Linux beginner)
• Don't have any social media as of a year ago
• Don't use any Google services, including YouTube, Google Search, or Gmail
• Use a password manager (KeePassXC)

The next step would be for me to switch from iPhone to Android running Lineage OS, but money is a bit tight right now. As for day-to-day lifestyle choices, I try to use cash whenever possible and never sign up for things like store rewards programs.

What's your setup? Do you consider yourself a privacy-minded individual? Are you more concerned with protecting yourself from corporate or government entities?