💾 Archived View for jacksonchen666.com › posts › 2023-08-28 › 20-39-31 › index.gmi captured on 2023-11-04 at 11:26:53. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-09-08)
-=-=-=-=-=-=-
2023-08-28 20:39:31Z (last updated 2023-10-16 08:55:03Z)
Easy: I just used 8 English words as the main password.
However, that does 0 job of explaining my actual setup. You see here, I only know 2 passwords in my head, and leave the rest up to a password manager.
Actually, I pretty much only use my password manager for password management, including generating passwords.
I use KeePassXC, a password manager. It's pretty much an offline password manager and doesn't really have much of a built-in syncing function other than KeeShare (which also isn't online based).
It still has quite a bit of features though, including generating passwords, Have I Been Pwned integration (at your option), auto type, and browser extensions.
Synchronization of the vault file is done via Syncthing, and I have one file for each device I use the vault on. Then I use the merge function to merge entries from other devices as necessary.
Another option is BitWarden, but I'm not sure if it's a good idea to rely on someone else to store your passwords. I have no review. Your mileage may vary.
Most importantly: **You do not create your own password**. Humans are terrible at being random, and computers are reasonably better at randomness than we are.
In KeePassXC, there's a pass*phrase* generator. The passphrase generator is similar to Diceware, And it may look daunting to remember that kind of password. However, I present you relevant and important information with XKCDs comics:
Using passphrases is like using words to make a phrase for your password. So what you're gonna have to actually remember is words, not specific characters at specific places (too specific and error prone for human).
What I did is regenerate a password until it looked reasonably easy to remember. What is "easy" for you to remember can be different, but what really matters is that you remember your passphrase.
Now, store it in a safe place. It could be on your computer, or it could be written down on paper.
(I'm aware there's security implications for both using computer and writing down on paper to store the password, but that is a very complicated topic to dive in this blog post right now. If you're paranoid, using either probably isn't a good option, and things are complicated)
Then, remember the passphrase by reciting it (not out loud). Reference the passphrase if needed, and recite it every once in a bit until you can recite it mostly easily without having to refer to the written down form. The typing muscle memory will come with further practice and use of the passphrase.
Also, don't reuse passwords. So that passphrase that you now remember should probably be the password to unlock your password manager.
So now you remember a passphrase. And you shouldn't reuse passwords. Now what do you do?
Well, you have a password manager, so the only reasonable approach here is...
This is pretty easy: Use the pass*word* generator, use uppercase and lowercase of the English alphabet, include numbers and have a long length.
That should work for most online services, except for those who limit to 16 characters for whatever reason (Like WeChat, that unencrypted messaging service that is also a super app in China for some reason) or use arbitrary requirements like requiring symbols.
So that's about it! Use a password manager, generate passphrase, remember passphrase, use for vault/password manager, and use password generator for everything else.
Wait, it's not actually over yet...
I'll admit: I reuse passwords. However, the passwords are only used in certain conditions, like logging in to a machine.
For everything else pretty much, I just use a password manager.
Personally, I'd like to think that the approach I have is still reasonably secure. It's quite a long password anyways, and in most cases, it's not easily guessable, so compromising the password would require different methods...
With KeePassXC, there is advanced settings for encryption settings. It can be changed after creating the vault, or during the creation of the vault.
To open that advanced settings while creating a new vault:
1. Start the creation of a new vault
2. Enter the name and description for it
3. Continue
4. Click "Advanced settings'
To open that advanced settings with an existing vault: On the toolbar/menubar thingy, there's the "Database" drop down menu. Click "Database Security", then within KeePassXC, click "Encryption Settings". You may have to enable "Advanced settings" at the bottom left of KeePassXC.
Now change the parameters. Based on the PSA to change your LUKS encryption settings:
1. Use a Key Derivation Function of "Argon2id"
2. Memory usage of 1024 MiB (adjust depending on what you have, I'd suggest 1/8 of your memory for performance balance)
3. Some amount of threads depending on your computer (I chose 8 threads because I could do 8 threads on my computer).
4. Click the "Benchmark 1.0s delay" button on the "Transform rounds" input field. You can keep it for it to take 1 second to unlock, or multiply it by the number of seconds you want it to take to unlock.
PSA to change your LUKS encryption settings
I don't know if LUKS encryption can also be applied to KeePassXC Database encryption, but it's probably better to do it than not.
So that's about it. KeePassXC and other stuff. Go change your password setup if you still haven't.