@handle Diceware is for encryption key seeds imo.
Guess and check style passwords, like a debit card pin, don't actually need to have that much entropy in them. They just need to not follow obvious patterns and to be unique. And unfortunately, they also need to be flexible enough to adhere to whatever stupid draconian password policy will be forced on the user.
If I was going to teach someone one thing about passwords, I would probably teach them Password Manager + paper backup. Am I cheating? Is that two things? I don't know. If I had to cut it down to one thing I might choose paper.
> how much value is there in password managers if you give no advice about passwords? selfhosted vaultwarden behind 7 proxies doesn't help if all the passwords stored in it are "password"
Mostly the value is that it forces the user to collect and inventory their passwords, and to back them up. IMO the primary most significant risk involved in using passwords is that you lose the password and you get locked out of your account forever. I believe this accounts for over half of all password-related problems, and often has the most severe consequences.
Also, I don't know if vaultwarden will warn you about weak or already leaked passwords, but I know things like 1password and bitwarden will.