Okay.
See here’s the thing:
You have to remember:
- BIOS password (you’re supposed to set one, right? I mean… so that your sibling/roommate/kids/family doesn’t mess around and replace your OS with a malicious OS)
- Full Disk Encryption password and then finally
- The user password
Like that kinda breaks my brain
Do y’all just put those in your password manager… then only have to remember
- Master Password to password vault and
- Phone lockscreen
Is this the “Standard Operating Procedure”?
But if you are paranoid and set a full alphanumeric password/passphrase… then you have to remember two different passphrases…
Or couldn’t you just simplify it to like just ONE, like:
Can you have the same password for Phone Lockscreen as the Password Vault Master Password?
So that you Only ever need to remember exactly ONE password
Is this a good idea?
My head hurts from this…
Idk how to do this…
I wanna simplify my digital stuff… my stuff is so disorganized…
I use the old school method. Each password is a combination of my one preferred password, and three words that relate to the subject but are too funny to forget. For instance, Amazon would be “FuckJeffBezos123456Aa*” or something like that. I only have to remember my version of the “123456Aa*” because every time I think about Amazon I already think “fuck Jeff Bezos”.
This uses your mind’s natural ability to associate instead of just raw memory. It also guarantees your passwords always meet requirements.
Lastly, I record them all in meatspace in a small journal that I place in a conspicuous place. You can’t hack a notebook and I’m not important enough to rob for access to my Lemmy account.
Yeah… I don’t trust notebooks…
My grandma sometimes forgets to turn off the stove… the notebook becoming ashes is an inevitability… (house on fire)
1 Notebook = 0 Notebook
I use a password manager so I don’t have to remember all of the hundreds of passwords that online services insist I set up. Each one is unique and complex, unguessable … and there’s no way I could remember them all. Before the password manager, I would find a good password and use it for many/most places, meaning that if anyone was careless and leaked my actual password, then someone would effectively have all my passwords.
But to answer your question, yes, for Apple’s implementation, your normal account and phone unlocking also unlock your passwords. Depending on settings, you probably need to use your biometrics each time.
My password manager password is about 50-70 characters long. It’s just a phrase that’s easy for me to remember which means nothing and then has some extra numbers and symbols to make it harder.
If it’s 70 characters those symbols are doing very little.
Edit: if you downvoted this it’s because you’re under the mistaken impression that random characters matter more in password security than length.
Yeah this is never getting brute forced but felt dirty not to add them anyway.
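The length-versus-symbols argument above can be made concrete with a few lines of entropy arithmetic. This is an added example, not code from anyone in the thread; the alphabet sizes (95 printable ASCII characters, a 7776-word diceware-style list, 32 symbol characters), the assumption that the 70-character phrase is roughly 12 words from such a list, and the 1e10 guesses/second offline rate are all assumptions chosen to illustrate the point.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed alphabet sizes (standard reference points, not figures from the thread).
PRINTABLE_ASCII = 95   # every printable ASCII character
LOWERCASE = 26         # a-z only
SYMBOLS = 32           # the punctuation/symbol characters on a US keyboard
DICEWARE_WORDS = 7776  # size of a diceware-style word list


def char_entropy_bits(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def word_entropy_bits(words, wordlist_size):
    """Entropy of `words` words drawn uniformly from a list of `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def expected_crack_years(bits, guesses_per_second):
    """Expected time for exhaustive search to hit the secret: half the space on average."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def compare(offline_rate=1e10):
    """Return {shape: (bits rounded to 0.1, expected years at `offline_rate` guesses/s)}.

    Adding four random symbols is worth the same ~20 bits whatever the base password is,
    so it matters a lot for the 10-character case and almost nothing for a long phrase
    that is already far beyond any feasible search.
    """
    shapes = {
        # the bank case from the thread: a hard cap of 10 characters
        "10 chars, lowercase only": char_entropy_bits(10, LOWERCASE),
        "10 chars, full printable ASCII": char_entropy_bits(10, PRINTABLE_ASCII),
        # assumption: the ~70-character phrase behaves like 12 diceware words
        "12-word phrase": word_entropy_bits(12, DICEWARE_WORDS),
        "12-word phrase + 4 symbols": word_entropy_bits(12, DICEWARE_WORDS)
        + char_entropy_bits(4, SYMBOLS),
    }
    return {
        name: (round(bits, 1), expected_crack_years(bits, offline_rate))
        for name, bits in shapes.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

The rate only models an attacker holding a leaked fast hash or a copied vault file; a proper password-stretching KDF lowers it by orders of magnitude, which strengthens rather than weakens the conclusion.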
What drives me absolute bonkers is when companies limit the length of my password and then demand I add special characters. You won’t let me make it more than 10 characters long and you think a dollar sign is going to save me?!
And then it’s almost always banks that do this in my experience.
Yeah I’ve had password too long messages before lol.
Password managers are best for accounts that can be accessed from anywhere.
For device specific passwords I do have those passwords stored in my vault but those are ones I remember because I need them to access the vault to prevent a chicken and egg problem.
I set up Bitwarden for my wife and parents. They then only access this stuff via mobile and login with fingerprint. They then change to a new device and don’t remember any passwords at all and come to me to reset all their account passwords and rebuild a new Bitwarden password database. They don’t even know the password for their main Gmail account with their Android phones. I now keep their main Gmail password in my own Bitwarden and set this as their recovery account for everything. It’s painful being the family tech support guy.
access this stuff via mobile and login with fingerprint.
Watch out if you ever change your stored fingerprint on the mobile. Or just switch the fingerprint login feature off for 5 minutes and then on again.
The virtual connection gets lost (to all things and services that had relied on your fingerprint) and you need the real passwords everywhere, at least once.
You should not use your lockscreen password as your master password. Chances are, your lockscreen password is much simpler than your master password. The reason you can get away with it is because your mobile devices usually have some form of well-integrated isolated environment that can throttle brute force attacks. Your password managers probably cache your vault offline, which may be vulnerable to brute force attacks unless it utilises a TPM in some way. Same goes for FDE. Online vaults probably have some sort of rate limiting so that isn’t much of an issue.
One thing I strongly recommend is being realistic with your goal. Current scheme seems a bit too paranoid.
Other way around I mean.
Like use an 8-word passphrase (not saying I use 8 words, just an example) for the phone lockscreen and the master password.
Everyday unlock just uses the biometrics so I don’t have to type it, and I disable biometrics if I’m in an unsafe environment.
Or maybe this is just paranoia… is it okay to just use a short PIN for the lock screen?
I mean I read about cellebrite and all that stuff… they say to use alphanumeric password for lockscreen to make it harder to get into…
That’s fine as long as you’re okay with typing it in every now and then. I would find it tedious to be honest. Past a certain point, additional security is meaningless.
Entirely unrelated, but when did xkcd add all those goofy modes in? I just spent more time playing with those modes than I have on their site in a hot minute
I mean my thought process is:
If both the phone lockscreen and master password are the same… (8 word passphrase) and I have to enter the lockscreen password every reboot… then I’d never accidentally forget the master password…
What phone are you using?
Edit: I hit enter too quickly.
The reason I ask is some phones can make a pin very secure. For example, Pixels’ security chip will rate-limit how often a new pin can be entered. So a 6 digit pin has one million combinations and after the 139th failed attempt only one pin can be tried within a 24 hour period. This will take 27 years to enter just 10% of the possible combinations.
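The difference between a PIN behind a hardware throttle and the same PIN in an unthrottled offline copy (the vault-cache concern raised earlier in the thread) is easy to quantify. This is an added example, not code from the commenter or from any phone vendor; it takes the throttle exactly as the comment states it (139 attempts, then one attempt per 24 hours), and the 1 guess/second entry rate before the throttle and the 1e9 guesses/second offline rate are assumptions.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def attempts_to_cover(space_size, fraction):
    """Number of guesses needed to try `fraction` of a keyspace of `space_size` values."""
    return math.ceil(space_size * fraction)


def throttled_seconds(attempts, free_attempts, delay_seconds, entry_rate_per_second):
    """Wall-clock seconds for `attempts` guesses under a two-tier throttle.

    The first `free_attempts` are limited only by how fast a PIN can be entered;
    every guess after that waits `delay_seconds` before it is accepted.
    """
    fast = min(attempts, free_attempts)
    slow = max(0, attempts - free_attempts)
    return fast / entry_rate_per_second + slow * delay_seconds


def years_to_cover(space_size, fraction, free_attempts, delay_seconds, entry_rate_per_second):
    """Calendar years to try `fraction` of the keyspace under the given throttle."""
    attempts = attempts_to_cover(space_size, fraction)
    return throttled_seconds(attempts, free_attempts, delay_seconds, entry_rate_per_second) / SECONDS_PER_YEAR


def pin_scenarios():
    """Compare a 6-digit PIN behind the stated hardware throttle with the same PIN unthrottled."""
    six_digit = 10 ** 6
    day = 24 * 3600
    return {
        # throttle as described in the comment; 1 guess/s before it kicks in is an assumption
        "throttled, 1% of PINs": years_to_cover(six_digit, 0.01, 139, day, 1.0),
        "throttled, 10% of PINs": years_to_cover(six_digit, 0.10, 139, day, 1.0),
        # no throttle at all: a copied vault file or disk image attacked at an assumed 1e9 guesses/s
        "offline, all PINs": years_to_cover(six_digit, 1.0, six_digit, 0, 1e9),
    }


if __name__ == "__main__":
    for name, years in pin_scenarios().items():
        print(f"{name:24s} {years:.3g} years")
```

The takeaway for the lockscreen-equals-master-password question: the PIN is only as strong as the throttle in front of it, so reusing it for something that can be copied and attacked offline removes the one property that made it acceptable.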
I have an iPhone that the carrier gave me for free as some sort of promotion thing, and I have a secondary android phone (Motorola) for using some FOSS stuff and sideloading since iPhone doesn’t allow it.
Right now I’m just remembering 2 lockscreens… but maybe I’m just gonna focus on trying to remember the main one then like put the other lockscreen into the password manager.
Yes, you do still have to remember a handful of passwords, but remembering three or four is a much smaller burden than remembering upwards of 50 or 100. (This might seem excessive, but my password manager tells me I have at least that many.)
If that opens up brain space, make those three or four as long and complicated as possible.
String together things only you know and will always remember, but throw in a few random symbols to make the job harder if you accidentally let any of the regular facts and figures slip.
You might also be interested in something like https://www.passwordcard.org/.
Edit to ~~be an unpaid shill for~~ say I’m a happy user of Password Safe, too: https://www.pwsafe.org/
If you have your (encrypted) password manager file backed up to one or more otherwise unencrypted media, then remembering your master password will be enough in a pinch. But yes, for day to day password handling you’d want to have a few more memorized, e.g. the ones you’ve mentioned. As those are passwords you enter daily, it’s usually not much of a problem, especially if you use memorization techniques.
Phone is a 6 digit pin.
I find passphrases very easy to remember. I have different ones for my laptop, external hard drives, Proton, Tuta, and password manager.
I find it helpful to make the passphrase an insult toward a company or group such as “go away piggy this is mine”.
At a job I hated, they made us change passwords often. It was quite irritating. I also think it was counterproductive because something like fuckcorporate!666 is likely more susceptible to a dictionary attack than a carefully chosen password rotated less frequently.
At my job now, we have to change our password so often with such onerous requirements (16 char, alphanumeric, at least one upper case, at least one lower case, at least one symbol, no repeating characters) that I have to store my work password in my personal password manager with much more lax requirements. What the fuck kind of security is that?
Security theater in action.
Rotating passwords are less secure because people choose a short password and then append an incrementing number. Thus if it leaks for any reason the attacker knows them all.
If you only force rotation after a known breach (that you admit to), people choose a new - good - password. Make sure the source of the breach is fixed though, or people will give up when it happens too often.
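A password-change endpoint can refuse exactly the rotation pattern described above (same base, bumped suffix) at the moment the user supplies both the old and the new password. This is an added example, not anything from the thread or from a particular product; the suffix character set and the edit-distance threshold of 2 are assumptions, and the sample passwords are constructed.

```python
import re

# Assumption: the part people "rotate" is a trailing run of digits and common symbols.
TRAILING_SUFFIX = re.compile(r"[0-9!@#$%^&*._-]+$")


def core(password):
    """Lowercase the password and strip the trailing digit/symbol run that gets incremented."""
    return TRAILING_SUFFIX.sub("", password).lower()


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old, new, max_edits=2):
    """True if `new` is just `old` with the suffix bumped or a couple of characters changed.

    Both comparisons run on the plaintexts the user just typed into the change form,
    so nothing reversible has to be stored; the check is only possible at that moment.
    """
    if core(old) == core(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


def check_change(old, new):
    """Policy decision for a password change: accept only a genuinely new secret."""
    if is_trivial_rotation(old, new):
        return "rejected: new password is a trivial rotation of the old one"
    return "accepted"


if __name__ == "__main__":
    # constructed sample pairs
    for old, new in [
        ("Summer2023!", "Summer2024!"),
        ("fuckcorporate!666", "fuckcorporate!667"),
        ("Winter2023!", "winter2023?"),
        ("Summer2023!", "tape ocean lantern bridge"),
    ]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```

Pair this with a breached-password list check and a high per-guess cost in the hash; the rotation check alone only closes the "append a number" loophole the comment describes.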