On Wed, Mar 20, 2024 at 12:09 PM Pierre-Elliott Bécue <p...@debian.org> wrote:
>
> John Hasler <j...@sugarbit.com> wrote on 20/03/2024 at 16:58:01+0100:
>
> > Pierre-Elliott Bécue writes:
> >> A phrase you will easily remember but that would be hardcore to guess
> >> through social engineering is perfect.
> >
> > Better is a random string that you write down. When people try to
> > generate phrases that meet those requirements they usually fail.
>
> Writing down a password is a bad idea.
I don't think that's true anymore. The threat being mitigated is the network attacker. The network attacker cannot (yet) reach through a monitor and read a sticky note. It is also why it's OK for a system to generate a list of recovery codes and have the user print them and store them in a safe place. The other option is those cursed security questions, which have been insecure for about 20 years now (but developers have their arms wrapped around them).

> Managing passwords through a password-store (e.g. pass, keepassxc,
> whatever tool you prefer) is a great idea, but you first need to unlock
> your disk that hopefully you encrypted and then your session. And if
> your laptop is broken, then having a root password you actually can
> remember is better.

I believe NIST now approves online password managers. But I don't trust them given the number of data breaches.

> Let's stop overcomplexifying; the best course of action for passwords
> you need to remember is passphrases, and on this matter, Randall nailed
> it properly.

Jeff