How I Remember Passwords

2023-08-28 20:39:31Z (last updated 2024-12-11 00:42:13Z)

Easy: I just used 6 English words as the main password.

However, that does nothing to explain my actual setup. You see, I only keep 2 passwords in my head and leave the rest to a password manager.

Actually, I pretty much only use my password manager for password management, including generating passwords.

The password manager

I use KeePassXC, a password manager. It's pretty much an offline password manager and doesn't really have much of a built-in syncing function other than KeeShare (which also isn't online-based).

=> KeePassXC

It still has quite a few features though, including generating passwords, Have I Been Pwned integration (at your option), auto-type, and browser extensions.

=> Have I Been Pwned

Synchronization of the vault file is done via Syncthing. I just have a single vault for everything (and other vaults for other use cases), and I use the merge function on sync conflicted files.

=> Syncthing

Another option is BitWarden, but I'm not sure if it's a good idea to rely on someone else to store your passwords. I have no review. Your mileage may vary.

=> BitWarden

Generating a password to remember

Most importantly: You do not create your own password. Humans are terrible at being random, and computers are considerably better at randomness than we are.

In KeePassXC, there's a passphrase generator. The passphrase generator is similar to Diceware, and it may look daunting to remember that kind of password. However, I present you relevant and important information by way of an XKCD comic:

=> XKCD 936: Password Strength | explain XKCD for 936

=> DiceWare

Using a passphrase means using words to make a phrase for your password. So what you actually have to remember is words, not specific characters at specific positions (too specific and error-prone for humans).

What I did is regenerate a password until it looked reasonably easy to remember. What is "easy" for you to remember can be different, but what really matters is that you remember your passphrase.

Now, store it in a safe place. It could be on your computer, or it could be written down on paper.

(I'm aware there are security implications both for storing the password on a computer and for writing it down on paper, but that is too complicated a topic to dive into in this blog post right now. If you're paranoid, neither is probably a good option, and things are complicated.)

Then, remember the passphrase by reciting it (not out loud). Refer to the written-down passphrase if needed, and recite it every once in a while until you can recite it more or less easily without having to refer to the written-down form. The typing muscle memory will come with further practice and use of the passphrase.

Also, don't reuse passwords. So that passphrase that you now remember should probably be the password to unlock your password manager.

So now you remember a passphrase. And you shouldn't reuse passwords. Now what do you do?

Well, you have a password manager, so the only reasonable approach here is...

Generating a password to store

This is pretty easy: Use the password generator, use uppercase and lowercase of the English alphabet, include numbers and have a long length.

That should work for most online services, except for those that limit passwords to 16 characters for whatever reason (like WeChat, that unencrypted messaging service that is also a super app in China for some reason) or impose arbitrary requirements like requiring symbols.
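As an added illustration of the two generation steps above (a Diceware-style passphrase to remember, and a random alphanumeric password to store), here is a small Python example that is not part of the original post or of KeePassXC. It draws every pick from the OS CSPRNG via the `secrets` module, and its entropy figures show why a 6-word passphrase and a 16-character alphanumeric password are both in a comfortable range. The wordlist is a constructed stand-in; the 7776 figure is the size of a standard Diceware list.

```python
import math
import secrets
import string

# Constructed, deliberately short wordlist standing in for a real Diceware/EFF
# list. Only the pick is demonstrated with it; entropy uses the real list size.
SAMPLE_WORDS = [
    "acorn", "bridge", "cactus", "dolphin", "ember", "falcon", "glacier",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble",
]
DICEWARE_LIST_SIZE = 7776  # 6^5 entries in a standard Diceware list
ALNUM = string.ascii_letters + string.digits  # 62 symbols, no special chars


def passphrase(words, count=6, sep=" "):
    """Pick `count` words uniformly and independently with the OS CSPRNG.

    secrets.choice() is the right tool; random.choice() is seeded from a
    predictable state and must never be used for passwords.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length=32, alphabet=ALNUM):
    """Uniform random password over `alphabet` (upper, lower, digits)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size, symbols):
    """Entropy of `symbols` independent uniform picks from `alphabet_size` options.

    Valid only when the generator is uniform, which is why a human-chosen
    "random" phrase gets no such credit.
    """
    return symbols * math.log2(alphabet_size)


def min_length_for(target_bits, alphabet_size):
    """Shortest uniform password over `alphabet_size` symbols reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("passphrase:", passphrase(SAMPLE_WORDS))
    print("password:  ", random_password(32))
    six_words = entropy_bits(DICEWARE_LIST_SIZE, 6)
    print(f"6 Diceware words: {six_words:.1f} bits")
    print(f"16 alphanumerics: {entropy_bits(len(ALNUM), 16):.1f} bits")
    print("alphanumerics needed to match 6 words:", min_length_for(six_words, len(ALNUM)))
```

Six words from a 7776-word list come to about 77.5 bits, and even a 16-character alphanumeric password (the cap some services impose) is about 95 bits, so the per-site passwords the manager stores are the stronger secret.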

Conclusion

So that's about it! Use a password manager, generate a passphrase, remember the passphrase, use it for the vault/password manager, and use the password generator for everything else.

Wait, it's not actually over yet...

Doing the bad: Reusing passwords

I'll admit: I reuse passwords. However, the passwords are only used in certain conditions, like logging in to a machine.

For everything else pretty much, I just use a password manager.

Personally, I'd like to think that the approach I have is still reasonably secure. It's quite a long password anyways, and in most cases, it's not easily guessable, so compromising the password would require different methods...

Further securing the vault

With KeePassXC, there are advanced encryption settings. They can be changed after creating the vault, or during the creation of the vault.

To open those advanced settings while creating a new vault:

  1. Start the creation of a new vault

  2. Enter the name and description for it

  3. Continue

  4. Click "Advanced settings"

To open those advanced settings with an existing vault: On the toolbar/menubar thingy, there's the "Database" drop-down menu. Click "Database Security", then within KeePassXC, click "Encryption Settings". You may have to enable "Advanced settings" at the bottom left of KeePassXC.

Now change the parameters. Based on the PSA to change your LUKS encryption settings:

  1. Use a Key Derivation Function of "Argon2id"

  2. Memory usage of 1024 MiB (adjust depending on what you have; I'd suggest 1/8 of your memory for a performance balance)

  3. Some number of threads depending on your computer (I chose 8 threads because I could do 8 threads on my computer).

  4. Click the "Benchmark 1.0s delay" button on the "Transform rounds" input field. You can keep it so that unlocking takes 1 second, or multiply it by the number of seconds you want unlocking to take.

=> PSA to change your LUKS encryption settings

I don't know if LUKS encryption settings can also be applied to KeePassXC Database encryption, but it's probably better to do it than not.

Actual conclusion

So that's about it. KeePassXC and other stuff. Go change your password setup if you still haven't.

=> public inbox (comments and discussions) | public inbox archives | (mailing list etiquette for public inbox)
