I hope you keep them locally, because:
My philosophy about security is that if I can do something by myself and avoid depending or delegating to another party, I am better off keeping control (but sometimes at the cost of some convenience)
That is why I keep my passwords in my head and for those I cannot remember, I use a LibremKey or NitroKey’s integrated password manager.
To answer the question of the topic title:
Not using any “cloud”-based password managers. I don’t need the sharing / synchronisation between devices or the on-the-go access; and I can take care of my own backups where that is a consideration.
So I would characterise that as: not very consistent, not very simple, would be difficult for someone else to have to take over - but also avoiding putting all my eggs in one basket.
So you don’t trust e.g. local keepassxc locked with a very long in head only password with either of your 2 top levels? Why?
Because I’ve seen too many IT security and other bugs.
Have you personally audited the code of keepassxc? Do you understand all the code? Are you confident that it is defect-free?
Just as putting a password in the cloud is an unnecessary security exposure if you don’t need that, putting it on a computer is an unnecessary security exposure if you don’t need that.
Because, ultimately it reflects my threat model. I know that the vast majority of attacks (and I see hundreds every day) are not targeting me personally but do arrive via the internet and are seeking to exploit IT bugs. Compare that to the number of times my home has been broken into (zero).
Even if I have written the code myself, do you think that I write perfect code? ‘Perfect’ code is only ever one CVE away from being considered imperfect.
I guess I should clarify that my position would be different for a computer that is not connected to the internet i.e. not on a network at all, or on a network that is airgapped from the internet. So bullet point 3 in my post refers to internet-connected computers.
Even where I am using a local password store, I am using multiple independent such stores so that the successful compromise of one means that I have not given up all my passwords in one go.
For clarity, I am not seeking to persuade anyone else to do what I do, merely to explain what my motivations are.
Inside a plain text file on my computer which is encrypted with GPG.
One time pads on watersol?
In an offline virtual machine on Qubes OS.
I have audited the code for pykeepass. It is not overly complex. And while there may be a defect (cryptography can have subtle errors), I am very confident that there isn’t a trojan/exfiltration. I will say that I have not audited the base cryptography libraries it uses (Cryptodome).
For me: Local pykeepass db and I also use a keyfile.
… as far as you know it’s “zero”. I’ve had one burglary. But in terms of passwords and confidential information, I’ve had something more worrisome. When my wife and I were both working we had a maid service and I’m 95% sure that this did result in identity theft including an attack on one of our bank accounts and our tax account. We now lock up all confidential papers when we have a dogsitter. While I don’t think they found our passwords, this was when we abandoned our “discreetly written down” (hidden within a “book” on our bookshelf) password keeper and I wrote my own (using the python pycrypto library).
Never forget the “evil maid attacks”.
Some things to consider:
To be honest I wasn’t so much concerned about backdoors, as about actual bugs.
Fair enough (it would be beyond most people, myself included). However there have been any number of exfiltration bugs in crypto libraries e.g. where externally visible state accidentally leaks information about the key, leading ultimately to a complete leak of the key. So while I am fine with the fact that you have not audited the crypto library, crypto libraries really really need someone to have audited them, preferably multiple someones.
Ha ha. OK. (Realistically this would then represent a well-resourced and sophisticated attacker, and probably I am toast already. However do note that it was only “level 2” passwords that are written down, not the good stuff. Finance and even this forum is “head only”, as noted above.)
A worthwhile warning for anyone considering writing something down. I will update my post.
(No maids, or dogsitters, here though.)
You may be right about the general person but note that this is hardly relevant to any web site or online application that limits the number of incorrect attempts.
My internet banking, for example, will simply lock the username after 3 wrong passwords (requiring my action or maybe even my attendance in a branch to unlock, not sure which). I actually do choose to have a fairly high entropy password for internet banking, by force of habit, and also I think the bank enforces minimum complexity, but you can balance the probability of a successful guess within 3 guesses against the entropy.
(So this is an argument for “head” rather than writing down. If you write it down and it is exposed then it doesn’t matter what the entropy is.)
As a model for that kind of setup, this is why even a 4-digit numeric PIN on a SIM card or on an OpenPGP card may be considered an acceptable risk. Personally I wouldn’t. I wouldn’t go that far, but you can do the math yourself.
However as an example: 8 random lowercase letters. I would consider that woefully insecure for almost any purpose, and would not use something like that, but that’s 37 bits of entropy i.e. vanishingly small chance of a successful guess within 3 guesses, and it scales up from there.
This absolutely does not apply to any scenario that affords offline attack e.g. getting a WPA passphrase or e.g. if the bank’s underlying password file is exposed (and, yes, I am assuming that the bank is at least smart enough to salt and hash). Hence my comment about the potential for having a low entropy internet banking password doesn’t apply if you think that the bank is pretty hopeless with their own security.
[I see that you understood this, below. I will keep it in for others.] What generally happens is that an online site gets compromised. The site’s client info including their password hashes (and salt) and other client account info (often encrypted too) is taken.
At this point the bad guys go all out finding the client passwords. Once they have the hashes (+salt) … there is no longer a “limited number of tries”. They absolutely brute-force the majority of passwords that have insufficient entropy.
I actually do choose to have a fairly high entropy password for internet banking, by force of habit, and also I think the bank enforces minimum complexity, …
You might be surprised. I thought I had one with reasonable entropy for my password keeper. Then I put it through a “bits of entropy tester” (that are common with password keepers). It was much lower than I would like (it said 60 bits of entropy).
That’s what convinced me to use a keyfile along with keepassxc. I’m not sure if you’ve looked into it, but if somehow only the database is exfiltrated, the keyfile+password provides 256bits of entropy. If they manage to exfiltrate both the database and keyfile … I still have the 60 bits of entropy in my password and I have used a very high setting of “5sec” for decryption time (a measure of the calculational cost for checking one password attempt).
Also: When I was working, our sysadmin would try to shame/reward our small firm. Annually he would run a cracker on the employee passwords and provide a report. e.g. 40% of passwords were cracked within 1 hour; all but 3 passwords were cracked within 24 hours; only one password was not cracked.
I will admit to something shameful. It was a long time ago when I was not paying attention. I re-used my e-mail password for a login to an online store. The online store was hacked. They cracked my password … and since they also had my e-mail account they tried that on my e-mail and my e-mail was hacked. [My e-mail provider notified me of activity in Bulgaria and I was able to re-secure the account.]
There is an entire generation of baby boomers, born after WW2, who lived through the invention of personal computers all the way to Facebook dystopian cell phones for whom the technology is brittle and temporary but paper is forever, so their first instinct is probably to write things down until the younger generation talks them into using password managers. I heard from some friends of mine that the evil in-person visitors is on the rise, especially because (at least in the US) the health care system is often terrible so getting assisted living in a nursing home can drain a typical retired person for everything they’re worth. So then it becomes cheaper to hire a in-home care nurse type of person to occasionally stop by and help. But imagine if your job was helping old people go to the bathroom who can’t manage it for themselves or whatever, and then you realize you can take them for all their worth by just snooping through a few papers on their desk to find Bank Password: lolcats19 scrawled hastily somewhere. The financial incentive is totally broken. A nurse could get more money doing that one time than she’d make in 10 years cleaning up baby boomer’s poop. It only takes one.
Personally what I do for my passwords is to have a system so stupid, inconsistent, and ludicrous that how it works doesn’t make sense. Then, when someone asks me online how it works, I’ll tell them something other than how it actually works so that 10 years later when AI is after me reviewing my post history, it gets an incorrect idea about how I do passwords.
In fact I wouldn’t. The program that I use to generate random (bias-free) passwords meeting specified parameters (length, character subsets) actually prints the entropy. So, no, not surprised. My internet banking password has 89 bits of entropy. Go your hardest.
(While I have not done the math, I suspect that even an offline attack would take far too long. I will be dead and my account drained by my executor before the hash has been reversed. And once again I am assuming that my bank is at least smart enough to salt and hash. And, yes, QC may impact on this.)
WiFi password 178 bits. So getting to the point that a keyfile is not worthwhile, not that a keyfile is possible specifically with WiFi. It used to be the case though that with WiFi you can supply the whatever length key (256 bit?) directly, hence getting the maximum achievable entropy without using a keyfile. However that only works if all your WiFi devices support that choice.
I have looked a little into keyfiles but my concern has always been that if I am hacked so badly that they are exfiltrating password databases then they do probably get the keyfile as well. So in that scenario, the keyfile really has to be offline except when being used. In the scenario of the evil maid, the keyfile really needs to be on your person except when being used. And obviously you need to have a backup of your keyfile, so that creates a second copy that might be a target.
Is that with an Argon family algorithm?
Yes, 5 seconds is what I have set on my Librem 5 for LUKS.
However important to recognise that that is encryption time (probably actually hash time) on your computer, not on a coordinated network of 100,000 high-powered GPUs. So you still want plenty of entropy.
Another scenario is that you are hacked and keystrokes are being captured and exfiltrated. (And similarly: the web site is compromised and plain text passwords are being captured.) In that case none of this matters. Head v. paper v. password store. High entropy. All down the gurgler. A keyfile may be of some benefit for the keystroke capture scenario. 2FA is supposed to save you.
Honestly I don’t know what the relative frequencies are of successful attacks. You probably want to defend against all of them.
In my country, I have not heard of any bank being data breached, and there is a mandatory data breach notification regime for all except small companies. I think the general vibe is: chance of given bank customer being breached is much higher than chance of bank being breached. That might not apply in this forum however. 
It could happen to anyone. The price of security is eternal vigilance, as they say.
You are probably right but a) anything finance is not written down (in my case) and b) if you are going to write it down then some subtlety is called for.
Documentation from banks even says that if you insist on writing down your credentials then you must
Kudos; not just on remembering one with that much entropy, but also on creating one (assuming it wasn’t randomly selected).
Probably. Although I’ve got my database on my NAS and my keyfile is on a USB stick.
Yes. argon2id. And although it says “5sec”, even on my old hardware it’s not 5sec … it’s about 3 sec. I’m not sure where they come up with 5sec.
Funny story. I worked for a Financial Management firm (institutional type of hedge fund) for a long while. As part of that we had strict rules to follow in regard to trading restrictions (to stop front-running our own clients). There was an automated “trading compliance” checking system. The “trading compliance” software company preferred that you simply trusted them to have your brokerage passwords. When I pointed out to them and our whole firm that providing my password to **anybody else** (including this “trading compliance” system) violated my brokerage’s rules and that the consequence would be that the brokerage would not be responsible for any loss due to hacking (even if the hack was provably due to brokerage issues). [As it turns out, brokerages do allow you to have your trading confirms automatically forwarded to trading compliance systems (but it’s a “push” rather than a “pull” which was what the “trading compliance” firm wanted).]
As said, I do use a program so that passwords are cryptographically random.
Here’s a technique that I use. Start with a shorter random password. Use that for X months. You will by then easily be able to type it from muscle memory. Then generate some more random characters, and change your password, adding the extra characters on the end. Repeat until entropy is adequate. (Realistically you shouldn’t need more than 1 or 2 additions unless you are shooting for very high entropy.)
While I don’t personally use the following technique, some people swear by having a password that is X words in a phrase from a book that they own. You need to be careful about how you calculate the entropy (it’s nowhere near the entropy of a random password of the same length) but it is probably easier to remember for equivalent entropy and you can “write” it down without violating bank or other requirements and you are reasonably safe from an evil maid attack. (I guess this could be fail if you only own one book but if you have a decent library, that should be fairly solid since you have a lot of flexibility beyond just choosing which book to use.)
I would think that that is the only way to do it (assuming that the USB stick is only plugged in when needed), particularly if you have high speed internet (such that the attacker could exfiltrate files at a rate of knots).
I admit that I haven’t looked at the LUKS (Argon) code but I would imagine that it would be essential to convert the time cost in some very fixed way to a number of iterations - so that the encrypted volume continues to be able to be unlocked even in the face of in-place CPU upgrade or moving the volume to a different computer or any other hardware oddity or of course an improvement in the software implementation within the crypto library. So I would treat the “time cost” as a bit rubbery and more indicative than a hard limit. And the inaccuracy in the time cost will probably grow over time i.e. next time you upgrade your whole computer.
When I do a luksDump on my phone it says “Time cost: n” and it is “about” that but I won’t insist that the phone takes that long exactly.
Argon also gives you a choice of memory cost. Unlike the time cost, I would imagine that the memory cost is quite deterministic. However don’t go overboard with memory cost in case you ever need to unlock the volume on a computer with less memory. (The main purpose of the memory cost is to hit GPUs harder.)
Indeed. Sadly fairly common.
A certain well known freemail provider offers to centralise all your email within their system by sucking your email from other providers. I imagine that this can only work by entering your email password for the other provider into the well known freemail provider’s system. Not only likely a violation of the terms and conditions of the other provider but also unwise.
I have done something similar. It still gives pretty low calculated entropy unless I use 5 words or more. In my case, though, I don’t use a random book. For example, I use passages I’ve memorized (e.g. Shakespeare, Monty Python, …) and I use every other word with special character (#@$%!) as separators. And I still find it hard to remember the starting word and length!
One thing I found interesting was part of the conversation. I let them know that if my brokerage was doing things correctly, that even the brokerage didn’t actually know my password (and so why should I give it to the “compliance checker”). They seemed mystified by that statement. I explained that the brokerage should only be storing a (secure) hash of my password + salt rather than the password. That way they could verify that I knew my password, without actually storing my password.
Yes. It’s not great for entropy.
(As an example, if you use a complete verse from the Bible, there are only 31,000-odd verses, according to the web. So entropy is about 15 bits, which is woeful. Sure, there is the scope for improvement by truncating a verse, not starting at the beginning, the existence of multiple different translations / versions. But still not good entropy. Worse still if it were widely known that you are Christian, I mean a genuine Christian, not a CINO. I would in general say to avoid the Bible because it’s too obvious.)
Somewhat better is, say, 5 random words from a good-vocabulary dictionary. The program that I use supports that (although I don’t use that functionality). Dictionary has 2^16 words. So entropy calculation is trivial.
hindsight shapes indivisible suspending industry
or
anaesthetic parser deconstruction fiftieths bleated
There’s two examples of 80 bits right there and 80 bits should be good enough for most scenarios.
Some people swear that these are easier to remember than just random crap. I’m not totally convinced but whatever works for each user.
Separators can boost the entropy quickly, provided that each is random (and I would say between every word).
A word separator is also good where a web site is enforcing password complexity e.g. must contain at least one character from each subset (lowercase alphabetic, uppercase alphabetic, digit, punctuation), particularly for low importance web sites where entropy is more for box ticking than a genuine desire for security.
I suspect the issue is that they want to check compliance quickly rather than trying to brute force each user’s password. But surely compliance should simply be enforced whenever a password is set.
What do you guys think of NIST SP 800-63B recommendations, not counting irvinewade’s mistrust of even local only password managers? Use password manager that can generate good really long passwords, don’t worry about special characters and spaces for your one passphrase to access the pw manager, just make it really long. For the authentication end, stop requiring periodic pw changes, just require that they be really long, also stop requiring special characters, multi case, etc.
BTW, I have had a site reject 20 characters as too long. I am aslo annoyed by the existence of a variety of forbidden special characters with no rhyme or reason.
To get the entropy required I have heard that a partial long sentence with punctuation or song lyric with same, again partial maybe extending to part of the next sentence does pretty well. Myabe it would be wise to store only hints with pun, riddle, and misdirection included. Bonus points from straying form English.
Would General Jack D. Ripper have used the full phrase “Our Pure Essence” instead of a 3 letter code in today’s CRM-114 discriminator?
The speed of guessing the 3 letter code was dependent on a slow baud rate.
If only I had more hearts, rainwater and grain alcohol Mandrake.