by gfsadhfsd 3381 days ago
Flat text file on an encrypted volume. I use cat or vi for editing, and grep for reading. If it's ultrasensitive, I keep it on a non-networked device and type it in. Otherwise, normally, I grep and copy/paste from terminal to password field.

I do security for a living. This technique is mocked by other so-called experts, but who's laughing today? I fully understand the security model I'm using. Lastpass users--and developers--clearly did not. Other password manager users should stifle the urge to laugh if they haven't fully reviewed their entire stack.


Also, I do not keep the encrypted volume in the cloud. It's only on my trusted device. If it's important enough to secure the password, it's important enough to bring the device.

Further, I've used variations of the same password for the past two decades for >90% of my accounts, e.g., the ones where my threat model is "do not give a fuck." When I sign up, I mentally consider whether I give a fuck the account is compromised. If I do, new random password for the list. If I don't, use the 20-year-old password.

I like this approach, but I would also like to have the passwords on my phone and sync between desktop and phone. Any advice on how to do that using your approach?
It's not really friendly to mobile sync, so if you're heavily into that, it's not a full solution. I'm sure you can find a way to securely push the file to the phone as an exercise for the reader, but it would probably involve some philosophical security compromises or creativity.
If it's really ultrasensitive, it's 12+ character random ASCII string committed to muscle memory only. No horse battery stapling bullshit.
Please don't give security advice unless you know what you are talking about. It just spreads misinformation.
Please elucidate.

Misinformation like, "Always use a reputable cloud password manager, like LastPass?" Along with a trusty antivirus, am I right?

To be further contrarian, if the common man is going to use a password manager, use Chrome's built-in auto-fill, without antivirus or other 3rd-party bolt-ons, be they LastPass, KeePass, 1Password etc. You know who Tavis works for, right? Chrome's application security is best of breed, and its password manager does what it's designed for, at least.

I was responding to your nonsense advice that 12+ character random ASCII is somehow better or more secure than a "correct horse battery staple" or diceware-style password. They have identical security properties, given appropriate choice of N.

If you are going to memorize passwords, feel free to memorize ASCII gibberish if that's what you are into. Or memorize random phrases, since many (most?) humans find those easier to remember.

A 6-word diceware passphrase has more entropy than 12 characters of ASCII and is easier to memorize. In what way is that bullshit?
Nope.

94^12 ~= 4.76e23 > 7776^6 ~= 2.21e23.

And typing 12 characters from muscle memory is faster than learning and typing "limbdumaslaterjuramondohalf", which is what diceware^6 just gave me.

The supposed mnemonic value of diceware is illusory. If it convinces people to use stronger passwords and it works for you, great.
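The entropy comparison in the exchange above, worked through as an added example (this is not code from either commenter). It computes bits for a uniformly random string over an alphabet of a given size, reports how many diceware words are needed to match 12 random printable-ASCII characters and vice versa, and generates both kinds of secret with `secrets` rather than `random`. The 94-symbol alphabet is printable ASCII without space, as assumed by the 94^12 figure in the thread; the ten-word list embedded here is a constructed stand-in, so passphrases drawn from it carry only log2(10) bits per word, not the 12.9 bits per word of a real 7776-entry list.

```python
import math
import secrets
import string

# Printable ASCII without the space character: the 94-symbol alphabet behind 94^12.
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation
assert len(ASCII_ALPHABET) == 94

DICEWARE_LIST_SIZE = 7776  # 6^5 entries in a standard five-dice diceware list

# Constructed stand-in for a diceware list (a real list has 7776 entries).
# Only the list *size* matters for entropy; this short list is for demonstration.
SAMPLE_WORDLIST = [
    "limb", "dumas", "later", "jura", "mondo", "half",
    "horse", "battery", "staple", "correct",
]


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random string of `length` symbols
    drawn independently from `alphabet_size` equally likely choices."""
    return length * math.log2(alphabet_size)


def min_length_to_match(alphabet_size, target_bits):
    """Smallest number of symbols from an alphabet of `alphabet_size`
    whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_ascii(length, alphabet=ASCII_ALPHABET):
    """Random string of `length` symbols using the OS CSPRNG (secrets), not random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count, wordlist=SAMPLE_WORDLIST, separator=""):
    """Diceware-style passphrase: `word_count` words chosen uniformly from `wordlist`.
    Entropy is word_count * log2(len(wordlist)), so the list size is what counts."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def compare(ascii_len=12, word_count=6):
    """Compare random ASCII of `ascii_len` symbols against `word_count` diceware words
    from a full 7776-entry list, and report the length each side needs to match the other."""
    ascii_bits = entropy_bits(94, ascii_len)
    phrase_bits = entropy_bits(DICEWARE_LIST_SIZE, word_count)
    return {
        "ascii_bits": ascii_bits,
        "diceware_bits": phrase_bits,
        "words_to_beat_ascii": min_length_to_match(DICEWARE_LIST_SIZE, ascii_bits),
        "chars_to_beat_diceware": min_length_to_match(94, phrase_bits),
    }


if __name__ == "__main__":
    result = compare()
    print(f"12 x printable ASCII : {result['ascii_bits']:.2f} bits")
    print(f"6 x diceware words   : {result['diceware_bits']:.2f} bits")
    print(f"diceware words needed to beat 12 ASCII chars: {result['words_to_beat_ascii']}")
    print(f"ASCII chars needed to beat 6 diceware words: {result['chars_to_beat_diceware']}")
    print("sample ASCII secret    :", random_ascii(12))
    print("sample passphrase      :", random_passphrase(6, separator="-"))
```

With a full list, six words come in about a bit below twelve ASCII characters (roughly 77.5 vs 78.7 bits), so a seventh word is what it takes to overtake them; with the constructed ten-word list above the generated passphrase is far weaker than either, which is the point of keeping the entropy math separate from the sample data.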

You're right, I misremembered the number of rolls for diceware. I guess your passwords have an extra bit over mine. How many 12+ character passwords are you able to memorize? How long does it take you to learn a new/changed one?
> How many 12+ character passwords are you able to memorize?

As I need to enter on a regular basis. In practice, no more than half a dozen. Usually I have 3 or 4 in use. Might be work, personal, and a couple for crypto.

> How long does it take you to learn a new/changed one?

Depending on the length, 5-10 minutes of continuous training to be confident if it's one I'm going to put into immediate use.

The point is to go straight to pure muscle memory without using a mnemonic crutch. Ultimately for a password that you're typing on a multiple-times daily basis, you're going to be relying on muscle memory anyway. If you're trying to remember what came after the correct horse battery, or if the correct came first or last, you've already lost. "limbdumaslaterjuramondo" gets me no closer to login if my password is "limbdumaslaterjuramondohalf" if I've forgotten nonsensical "half" than "+D%W}B_]7|~y" gets me to login if my password is "+D%W}B_]7|~yd" and I've forgotten "d".

You're going to be typing the password with your fingers, so learn the password by typing it with your fingers until it's automatic, not by conjuring a sequence of unconnected mental images. It actually saves time.

I doubt most people type their passwords multiple times on a daily basis, so dismissing mnemonics with "just use muscle memory" doesn't look practical to me. And they're not incompatible, actually: you can eventually commit to muscle memory a diceware-like password, but in the meantime (or if it slips out of muscle memory) you've got mnemonics, i.e., clues.

As far as I'm concerned, I've tested some diceware passwords for some months, and I would say they served me all right. I "name" my passwords by their initials (first letter of each word), so there's no risk of missing a word or swapping some.

A "better" password that you share between accounts is far worse than less strong passwords that are unique to each account. "+D%W}B_]7|~y" might be unfeasible to brute force, but that doesn't do much good if it turns up as plaintext in a dump and you've used it for all of your work or personal sites.