"diceware is the one way to teach the general public to make passwords, if you could only teach the general public one thing"

thoughts?

@handle Diceware is for encryption key seeds imo.

Guess and check style passwords, like a debit card pin, don't actually need to have that much entropy in them. They just need to not follow obvious patterns and to be unique. And unfortunately, they also need to be flexible enough to adhere to whatever stupid draconian password policy will be forced on the user.

If I was going to teach someone one thing about passwords, I would probably teach them Password Manager + paper backup. Am I cheating? Is that two things? I don't know. If I had to cut it down to one thing I might choose paper.

@forestjohnson finally coming back to this, `random()` years later:

1. what is the difference between an encryption key seed and a password to you? is it just complexity requirements?

2. how much value is there in password managers if you give no advice about passwords? selfhosted vaultwarden behind 7 proxies doesn't help if all the passwords stored in it are "password"

(I would politely shuffle "numeric PINs" out of scope for this conversation if that's OK)

@handle

> what is the difference between an encryption key seed and a password to you?

Well, they have completely different security models. If you're going to try to guess a password, you always have to send your guesses one at a time over the network to someone else's computer that you don't control.

With encryption key seeds, you can have an entire rack of GPUs all guessing at once without bothering anyone, and then you can buy another rack.
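The two security models in the reply above (online guessing, one attempt at a time against a rate-limited server, versus offline guessing against a key seed at GPU speed) can be put into numbers. The following is an added illustration, not code from anyone in this thread: it simulates the Diceware dice rolls for a passphrase, computes the entropy from the list size alone (so no wordlist is needed), and estimates expected time to guess under two assumed attacker rates. The rates (10 guesses/s online, 10^10 guesses/s offline) and the "half the keyspace on average" model are assumptions chosen for illustration, not measured figures.

```python
import math
import secrets

# Standard Diceware list: 6^5 = 7776 words, one word per five-dice roll.
# Entropy depends only on the list size, so no wordlist file is needed here.
WORDLIST_SIZE = 6 ** 5

# Assumed attacker guess rates (illustrative, not measured):
ONLINE_RATE = 10.0      # rate-limited login endpoint, one guess at a time
OFFLINE_RATE = 1e10     # a rack of GPUs against a key seed with no server in the loop


def diceware_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy in bits of a passphrase of num_words words drawn uniformly at random."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Smallest number of Diceware words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def roll_to_key(index: int) -> str:
    """Convert a 0-based word index back to the five-digit dice key (11111..66666)
    used to look the word up in a printed Diceware list."""
    digits = []
    for _ in range(5):
        digits.append(str(index % 6 + 1))
        index //= 6
    return "".join(reversed(digits))


def roll_diceware_keys(num_words: int) -> list[str]:
    """Simulate five fair dice per word using the secrets module (CSPRNG),
    returning the dice keys; the wordlist lookup is left to the reader."""
    keys = []
    for _ in range(num_words):
        index = 0
        for _ in range(5):
            index = index * 6 + secrets.randbelow(6)
        keys.append(roll_to_key(index))
    return keys


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def crack_time_report(num_words: int) -> dict:
    """Compare the same passphrase under the online and offline models."""
    bits = diceware_entropy_bits(num_words)
    return {
        "words": num_words,
        "bits": round(bits, 1),
        "online_years": expected_crack_seconds(bits, ONLINE_RATE) / 3.15e7,
        "offline_seconds": expected_crack_seconds(bits, OFFLINE_RATE),
    }


if __name__ == "__main__":
    print("sample dice keys:", roll_diceware_keys(4))
    for n in (2, 4, 6, 10):
        r = crack_time_report(n)
        print(f"{r['words']:2d} words ({r['bits']} bits): "
              f"online ~{r['online_years']:.2e} years, "
              f"offline ~{r['offline_seconds']:.2e} s")
```

Under these assumed rates a four-word passphrase (about 52 bits) is far out of reach for an online guesser but falls in roughly two days offline, which is why the same number of words is reasonable advice for a login and unreasonable for an encryption key seed; `words_needed(128)` gives the 10 words a seed-strength passphrase needs.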
