What are the best practices for passphrase security?
This is a sort of continuation of a previous topic I posted. This weekend I will be wiping and reinstalling my computer and encrypting all of my drives in the process. In doing so, I will have to choose secure passphrases. As such, I have some questions about how best to do this:
-
I have three drives that will be encrypted. Is it okay to have the same passphrase for all of them, or should I have different ones for each?
-
In looking up info on this topic, I came across this article which recommends something called a Diceware wordlist. The premise is that you roll dice which match to a list of 7000+ words. You then string six or more of these words together which become your passphrase. Is this a sound way to generate one?
-
Rather than using the Diceware wordlist, couldn't I roll my own password of the same type using six "random" words of my choosing? I feel like that would be easier to remember, but am I weakening security in doing so?
-
If the Diceware method is to be trusted, does that mean I do not need to pepper my passphrase with digits, mixed case, and special characters? Or should I add these anyway?
-
I'm also considering changing over passwords on a lot of my online accounts based on this method. I like the idea of using a single passphrase as a root, but how do you modify it so that it is different for each account? Would I do something like
[dicewarewords]tildes,[dicewarewords]spotify,[dicewarewords]ubuntuforums, etc.? I feel like it would be too on-the-nose, and it would make it easy to guess my other passwords if one were compromised. On the other hand, I don't like the idea of using a password manager to generate a random string for me. I'd like to still be able to login even without my password manager. -
For people that have used something like this, how do you then deal with password restrictions on sites? I know that no matter how great I set things up I'm still going to have to make exceptions for sites that that either require or forbid numbers, mixed case, or special characters, have character limits, or make me change my password frequently.
Before getting to your specific questions, I want to say that there's a particular mindset that a lot of people have with security topics that you'll run into when trying to find information about things like this that I think it isn't very helpful overall: people love to fixate on doing security "perfectly", even though the weaknesses from a simpler approach might not actually be realistic.
As a simple example, it's common advice that you should never write down any of your passwords. From an objective standpoint, that's correct—not having passwords written down is strictly better. However, what's the actual danger? Is it a realistic possibility that someone's going to break into your house and look through your notebook to get your passwords? There's probably a very, very small group of people that actually need to worry about that situation. For almost everyone else, forgetting a password (especially if it's a complex one) is a far more likely "threat", and writing them down would have been better.
Of course, when it's reasonable, it's still always best to do things in the most secure way possible. But as an individual, unless you're doing something that's going to make you a specific target for attackers trying to get into your stuff, you really don't need to be too afraid of doing some things "wrong" if it makes it more convenient for you.
That being said, for most people that aren't extremely high-profile, the main realistic threat is that you register for some random site, its user data gets breached, and attackers take all the login info and try to log into other sites using the same username (or email) and password combinations. So the single most important thing is to never share login info between multiple sites. Unless you're being targeted specifically for some reason, this is probably the only thing that will ever cause you an issue.
So now, for your actual questions:
1. Do multiple encrypted drives need individual passphrases?
This is pretty much what I'm talking about - technically, it's probably best to use different ones. In reality, I highly doubt that you need to worry about some kind of situation where the attacker was able to get one of the passphrases but not the others. Using just one should be completely fine, the main important part is that your data is encrypted at all.
2 & 3. Is Diceware a good way to generate passwords, and better than my own words?
Yes, Diceware is fine. There's nothing about it that's magic though, if you want to use your own words that's going to be basically just as good. Again, the most important part is that you don't share passwords for multiple sites/purposes, and it's probably simplest to have some kind of generator that can handle creating a lot of random passwords for you. It's not particularly important whether it's Diceware, some other random-word-picker, or even just a standard password generator that uses random characters instead of words.
4. Do I need to add digits/mixed case/etc.?
No, not really. The important part is that you're picking passwords from a "space" that has a massive number of possibilities, to make it infeasible for attackers to brute-force your password by trying all possibilities. Making people use mixed case, numbers, and special characters is a good way to force them to expand their space, but it's not necessary. A long password that's all lowercase can easily be much more secure than a shorter one with a larger character set.
5. Can I use a single "root" passphrase?
No, you shouldn't do this. This is basically a slightly-obfuscated version of sharing the same password between multiple sites, which, again, is the single most important thing not to do. It's safer than sharing the exact same password, but it can be very easy for someone to see through, and I'd be surprised if some tools for analyzing login data don't already try to notice it. I can't remember the specifics offhand, but there was a significant security incident sometime in the past year that was blamed on someone using this type of method and the attacker figuring out their password based on data from other source(s).
6. If you use diceware-like passphrases, how do you deal with requirements to have numbers/etc.?
Overall, if all of your passwords are truly different like they should be, you're going to need some way of keeping track of them. A password manager is probably best, but writing them down is fine too (and make sure you keep a backup either way). So if you're keeping track of the passwords, it's not a big deal to just add some uppercase/symbols/etc. at the start or end to get past the restrictions. That won't weaken the passwords.
My typical policy is use my password manger for passwords that can be easily reset (I.e internet accounts that aren’t my main emails) and use correcthorsebatterystaple style passwords that I memorize for everything else (only a few of them, more or less main email, master password, and one for each computer). This seems to have worked well for me for the last few years.
Regarding your algorithm for generating passwords, I’ve heard of people doing this but any structure in your passwords is going to reduce entropy, which isn’t really going to be a problem unless someone really wants to figure out your passwords.
Regarding the website restrictions, it’s never been a problem, my password manager has options to change the algorithm, and the only issue I’ve ever had was when a website silently removed some characters from a security question (I use random passwords as answers to those too, can be funny when you have to tell a support person your mothers maiden name is LJSUZ71$)
I also have a “insecure” password which I use for everything I don’t care if someone logs in as me for. So anything that just has my (spam) email and no personal information I don’t bother creating a strong password for because it doesn’t matter if it’s compromized since the attacker could only login to other services I don’t care about.
For me, I prefer using song lyrics for certain passphrases (encrypted drives, etc), and everything else is in my password manager. Song lyrics are a breeze to remember, and are fairly secure. For sites where I do use song lyrics that also require a number, I just replace one of the letters with a number -- nothing fancy.
I hopped around password managers after LogMeIn acquired LastPass and ultimately settled on Bitwarden.
edit: I should note that the song lyrics have spaces too. Just use a natural line.