
Am I missing a step?


#1

I’ll describe my setup and I would like to know if I’m missing a step.

Ubuntu linux encrypted with its own LUKS system (40 characters pass)
20 character user password
Change mac with mac changer
Change hostname
Connect to wifi
Connect to VPN with eddie client
Check for updates
Start the Whonix Gateway (VM encrypted with pass)
Run WhonixCheck
Run Anon Connection Wizard
Start Whonix Workstation (VM encrypted with pass)
Run WhonixCheck
Open Tor, go to NoScript, select Untrusted
about:config set javascript.enabled to false

Should I apply the steps in this guide on the tor browser?

I’m not planning on visiting onion sites with this setup, that’s what tails is for :smiley:
I just want to see if my setup has security flaws.


#2

This is wrong. It implies all you need to do is string some words together to hit the 20-40 character range and you’re good. You would need 43 randomly generated characters for post-quantum security for a 256-bit passphrase.

Check our password guide:


#3

Custom settings can make you more fingerprintable.

https://www.whonix.org/wiki/DoNot#Change_Settings_if_the_Consequences_are_Unknown

https://www.privateinternetaccess.com/blog/2018/09/firefox-hardening-guide/

Looks interesting after a short look. I would hope that most if not all - for everything that makes sense - is the default in Tor Browser. If not, please check if it was reported upstream already, and if not report it. Getting all anonymity/security/privacy enhancing settings enabled by default in Tor Browser for everyone is the way to go - so everyone shares the same fingerprint.


#4

#5

Is there a way / a guide on how to change my encryption password? I don’t want to reinstall the damn thing.


#6

Also this “calculator” shows me that my password’s entropy is 140 bits. Should I trust it?
http://rumkin.com/tools/password/passchk.php


#7

It seems like you’re already trusting them, if you gave them your password…!

By the way - they don’t even have SSL. So if anything is submitted (I didn’t check) it’s trivial for anyone on your network, or between you and the site, to get it. And I hope you didn’t type it in their search box, by mistake. That one goes straight to google.

And if you like their password strength generator, why not try their SSH Java applet…

Last note about this page - looks very amateurish… their “common passwords list” is very short and does not identify even the top 1,000, perhaps not even top 100 most common passwords. Passwords crackers will easily use top 10 million common passwords or more. I tried a few of those there and they are rated as “strong”. A joke.

For example, “passwordpassword” is rated as “strong” because it’s long enough and doesn’t appear on their list.

“This password is typically good enough to safely guard sensitive information like financial records.”

Well. Good luck with that…


#8

You can use cryptsetup-reencrypt:

sudo cryptsetup-reencrypt <options> <device>

https://manpages.debian.org/experimental/cryptsetup-bin/cryptsetup-reencrypt.8.en.html

Keep in mind this is experimental. Make sure you create backups and verify them before you attempt to do this.

As sheep already mentioned you just gave your password away.


#9

I didn’t type my actual password, I’m not that stupid.

So is there a decent entropy calculator I can use?


#10

Would it be better if I add another password that’s longer?

My_password#Looks6something*likethis4But#Longer!5And(In0Foreign’language


#11

I mentioned some Libre Software ones in a forum discussion here (no claims about decency either yes/no):


#12

I’ve seen enough to know that people will do just that. Not because they are stupid, just inexperienced. Security/anonymity is not easy, even for more experienced users.

Please See: https://whonix.org/wiki/Passwords#Principles_for_Stronger_Passwords


#13

I beg to disagree with some of those principles. They are good for cyborgs, not for humans.

Humans will have no capacity to remember long non-dictionary based passwords, and certainly not those that are “truly random”. It is just not going to happen. They will require a separate place to be stored, and that place of course should be protected at least as well.

What will it be? A sticky note on the screen? We hope not. A password manager on another device? Similarly, the master password could be brute forced in the same way as the HD LUKS password. So we didn’t solve anything. Store it online with a mechanism that limits tries? New issues arise - the user should trust the online service / the protection method to access the service / the host etc. Not good.

I think the realistic approach is:

  1. One, or only a few passwords, that can (and should) be remembered.
  2. All the rest - stored and protected by the above password/s.

Category 2 passwords can easily be long and truly random.
Category 1 passwords are the issue. Are 5-6 dictionary words, with say one special character at the beginning, another at the end, and another one as the delimiter between them, good for this purpose?


#14

There is. Use gnome-disks, which has a GUI. You must never share your passwords with remote strength meters. It’s very simple to come up with something with verifiably high entropy locally.


#15

Unnecessary since his key is not compromised. He does not need to change it, just the passphrase it’s encrypted with.


#16

No. RTFM on our wiki password page. Also, by leaking this information you just gave away a lot of info about your passphrase to potential enemies. Diceware is the way to go. Even though everything about how it works is known, the number of combinations is vast enough to overpower any type of computer they can come up with.


#17

Read the rest of the page.
If 12 words from Diceware is too difficult then I’d argue you have nothing worth safeguarding anyway.
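Added example, not posted by anyone in this thread and not Whonix project code: a small local calculator that puts numbers on the claims above (#2: 43 random characters for 256 bits, #14: estimate entropy locally instead of pasting a password into a web form, #16/#17: 12 Diceware words) and generates a Diceware-style passphrase with the OS CSPRNG. It assumes a standard 7776-word (6^5) Diceware list, and assumes the 43-character figure in #2 refers to a 64-symbol alphabet (6 bits per character); the tiny word list embedded here is constructed only so the script runs offline and is not usable for real passphrases.

```python
import math
import secrets

# A real Diceware list has 6**5 = 7776 words (one word per five dice rolls).
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed toy word list, only so the generator runs offline.
# Far too small for real use; substitute a full Diceware list.
TOY_WORDLIST = [
    "apple", "bridge", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nebula", "orchid", "prairie",
]


def random_string_entropy_bits(length, alphabet_size):
    """Entropy of a string drawn uniformly at random from a fixed alphabet.

    Entropy is a property of the generation process, not of the string:
    a human-chosen 'passwordpassword' has almost none, whatever a remote
    strength meter reports about its length.
    """
    return length * math.log2(alphabet_size)


def chars_needed(target_bits, alphabet_size):
    """Smallest random-character length that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def diceware_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of num_words words chosen uniformly from a list of list_size."""
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest Diceware word count that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_diceware(num_words, wordlist):
    """Pick words with the OS CSPRNG (secrets), never random.random()."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def summary():
    """Worked numbers, computed locally so no password ever leaves the machine."""
    return {
        # 43 characters from a 64-symbol alphabet: 43 * 6 = 258 bits (>= 256)
        "chars_64_for_256": chars_needed(256, 64),
        # same 256-bit target using all 95 printable ASCII characters
        "chars_95_for_256": chars_needed(256, 95),
        # 12 Diceware words: 12 * log2(7776), about 155 bits
        "bits_12_words": round(diceware_entropy_bits(12), 1),
        # Diceware word count needed for a 256-bit target
        "words_for_256": words_needed(256),
        # 6 words, if (and only if) drawn uniformly from a full Diceware list
        "bits_6_words": round(diceware_entropy_bits(6), 1),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
    print("sample (toy list, NOT for real use):", generate_diceware(5, TOY_WORDLIST))
```

Everything here runs offline, which is the point of #14: the figures depend only on the alphabet or list size and the length, so there is never a reason to submit the passphrase itself anywhere. Note that `chars_needed` and `words_needed` only describe uniformly random generation; they say nothing about a passphrase a person composed by hand.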