• Activity
  • Votes
  • Comments
  • New
  • All activity
    • Showing only topics in ~tech with the tag "passphrases". Back to normal view / Search all groups

    1. What are the best practices for passphrase security?

      Ask
      This is a sort of continuation of a previous topic I posted. This weekend I will be wiping and reinstalling my computer and encrypting all of my drives in the process. In doing so, I will have to...

      This is a sort of continuation of a previous topic I posted. This weekend I will be wiping and reinstalling my computer and encrypting all of my drives in the process. In doing so, I will have to choose secure passphrases. As such, I have some questions about how best to do this:

      1. I have three drives that will be encrypted. Is it okay to have the same passphrase for all of them, or should I have different ones for each?

      2. In looking up info on this topic, I came across this article which recommends something called a Diceware wordlist. The premise is that you roll dice which match to a list of 7000+ words. You then string six or more of these words together which become your passphrase. Is this a sound way to generate one?

      3. Rather than using the Diceware wordlist, couldn't I roll my own password of the same type using six "random" words of my choosing? I feel like that would be easier to remember, but am I weakening security in doing so?

      4. If the Diceware method is to be trusted, does that mean I do not need to pepper my passphrase with digits, mixed case, and special characters? Or should I add these anyway?

      5. I'm also considering changing over passwords on a lot of my online accounts based on this method. I like the idea of using a single passphrase as a root, but how do you modify it so that it is different for each account? Would I do something like [dicewarewords]tildes, [dicewarewords]spotify, [dicewarewords]ubuntuforums, etc.? I feel like it would be too on-the-nose, and it would make it easy to guess my other passwords if one were compromised. On the other hand, I don't like the idea of using a password manager to generate a random string for me. I'd like to still be able to login even without my password manager.

      6. For people that have used something like this, how do you then deal with password restrictions on sites? I know that no matter how great I set things up I'm still going to have to make exceptions for sites that that either require or forbid numbers, mixed case, or special characters, have character limits, or make me change my password frequently.

      14 votes