"diceware is the one way to teach the general public to make passwords, if you could only teach the general public one thing"

thoughts?


@handle Diceware is for encryption key seeds imo.

Guess and check style passwords, like a debit card pin, don't actually need to have that much entropy in them. They just need to not follow obvious patterns and to be unique. And unfortunately, they also need to be flexible enough to adhere to whatever stupid draconian password policy will be forced on the user.

If I was going to teach someone one thing about passwords, I would probably teach them Password Manager + paper backup. Am I cheating? Is that two things? I don't know. If I had to cut it down to one thing I might choose paper.

@handle I solved the "how do you generate a secure password" problem by just writing the code myself.

pwm.sequentialread.com/

Obviously, that's not something that the average person can do, but I hope at least that I'm improving the situation by publishing my result.

Sometimes I don't even use that thing though. I just think up random words. It will be some word or weird train of thought that comes from something that happened that day or from a news article that I saw that day. And after I choose a word, then I start over and try to find another separate source of something random to choose a word based off of.

I'm sure that this produces slightly less entropy than a dice roll would, but honestly, I don't think it really matters. I don't think anyone brute forces these kinds of things.

@handle I just first try rolled "kinda awake viper chap", which sounds like it was not randomly generated, but it actually was.

🐍🎩

@forestjohnson I routinely get freaked out by poetic, completely relevant, randomly-generated Jitsi room names. thinking of starting a new mystical diceware-based divination practice tbh

@forestjohnson "think of random words" sounds like a pretty solid method to me 👌 The only (possible) advantage that diceware could have is that it takes less thinking… but balance that against the practice required to use it. No clear winner imo

@forestjohnson finally coming back to this, `random()` years later:

1. what is the difference between an encryption key seed and a password to you? is it just complexity requirements?

2. how much value is there in password managers if you give no advice about passwords? selfhosted vaultwarden behind 7 proxies doesn't help if all the passwords stored in it are "password"

(I would politely shuffle "numeric PINs" out of scope for this conversation if that's OK)

@handle

> what is the difference between an encryption key seed and a password to you?

Well, they have completely different security models. If you're going to try to guess a password, you always have to send your guesses one at a time over the network to someone else's computer that you don't control.

With encryption key seeds, you can have an entire rack of GPUs all guessing at once without bothering anyone, and then you can buy another rack.
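As an added illustration of the two guessing models described above (not code from anyone in this thread): a CSPRNG stand-in for Diceware rolls, plus the expected time to guess a passphrase when every attempt must go over the network to a rate-limited service versus when an attacker can hash offline on a rack of GPUs. The tiny word list and both guess rates are constructed assumptions, not measured figures.

```python
import math
import secrets

# Constructed stand-in word list so the example runs offline; a real Diceware
# list has 6**5 = 7776 words, each indexed by five dice rolls.
SAMPLE_WORDLIST = ["kinda", "awake", "viper", "chap", "rope", "amber", "quilt", "dune"]
DICEWARE_LIST_SIZE = 6 ** 5

# Assumed guess rates (illustrative, not benchmarks): a login endpoint that
# rate-limits attempts versus an offline attacker hashing a key seed on GPUs.
ONLINE_GUESSES_PER_SEC = 100.0
OFFLINE_GUESSES_PER_SEC = 1e10


def generate_passphrase(n_words: int, wordlist: list[str]) -> str:
    """Pick n_words uniformly with a CSPRNG; secrets.choice stands in for dice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy in bits of n_words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def expected_guess_seconds(bits: float, guesses_per_sec: float) -> float:
    """Average time to hit a uniformly random secret: half the keyspace / rate."""
    return 2 ** (bits - 1) / guesses_per_sec


def compare_models(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> dict:
    """Expected cracking time in years under the online and offline models."""
    bits = passphrase_bits(n_words, list_size)
    year = 365.25 * 24 * 3600
    return {
        "bits": bits,
        "online_years": expected_guess_seconds(bits, ONLINE_GUESSES_PER_SEC) / year,
        "offline_years": expected_guess_seconds(bits, OFFLINE_GUESSES_PER_SEC) / year,
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(4, SAMPLE_WORDLIST))
    for n in (4, 6, 8):
        r = compare_models(n)
        print(f"{n} words: {r['bits']:.1f} bits, "
              f"online ~{r['online_years']:.3g} years, "
              f"offline ~{r['offline_years']:.3g} years")
```

With the assumed rates, a 4-word phrase from a full list (about 52 bits) takes on the order of half a million years to guess online but roughly two days offline, which is the gap between "password" and "key seed" the post is describing.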

@handle

> how much value is there in password managers if you give no advice about passwords? selfhosted vaultwarden behind 7 proxies doesn't help if all the passwords stored in it are "password"

Mostly the value is that it forces the user to collect and inventory their passwords, and to back them up. IMO the primary, most significant risk involved in using passwords is that you lose the password and you get locked out of your account forever. I believe this accounts for over half of all password-related problems, and often has the most severe consequences.

Also, I don't know if vaultwarden will warn you about weak or already leaked passwords, but I know things like 1password and bitwarden will.
