password advice wiki page enhancements

Does it seem necessary, more than keepassxc?

I think waiting for keepassxc for buster is better (or you can add it from the backend repo, similar to Tails).

Or do you mean diceware for terminal use? (Though it contains some high issues in the Debian package; maybe it will be fixed in the next releases.)

Could try these instructions. They are incomplete and might be a little too complicated for some users, though.


I think we should encourage high-risk users to default to physical creation of diceware passwords where possible (it is already noted in the wiki), and generally avoid software solutions, since software is inevitably flawed with ongoing and never-ending bugs, some of which will be shown to affect the security of “random” passwords generated by the said software in the future…

I mean, if heavily scrutinized software like APT can’t get their shit right with http download confirmation/verification without a semi-trailer-wide hole existing for many, many years, then the likelihood of the diceware package being solid as a rock is, to be frank, minimal.

Realistically no one is going to use the physical way because it is more complex and it will only serve to clutter up the page and drive users away when they see a massive wall of text. To the paranoid they can just follow the link and do their thing.

Also, this is fatalist logic. If “all” software is fatally flawed, then even a safe password is no good for anything, since the programs you will use it for can be bypassed. I disagree with this position because some things work better than others and have proved themselves in the field.

Source?

The complexity of diceware is probably orders of magnitude less than apt. It also depends on well vetted components like the Linux PRNG.

OK, you caught me in a fatalistic moment.

Although I disagree on a minor point i.e. superiority of physical measures for the most hard core.

As another example, if I wrap my One Time Pad message (which of course I created using - again - physical measures like dice at home, no software involved for the IN / OUT pads), inside encrypted email, then any interloper inside my system can learn SFA, even if they have backdoored every software and physical component of my home system.

That is, they would see indecipherable encrypted text get entered into Thunderbird in real time… well, good for them (totally impractical, I know, for real life purposes, but just saying) :wink:

Well, if you’re willing to go that far… why not also leave the note in a dead drop for your contact and burn it afterwards?

Computers can identify you and they can assign someone to follow you or break into your premises and steal your physically generated OTP.

True re: dead drop.

But I don’t think OTP is that far. I’ve tried it with generation of my own pads; it doesn’t take that long. If one meets their friends / colleagues on occasion and wants to really take their rights back, it is good to know I can have it using old techniques.

(Off topic) Philosophically, the modern propaganda insists we are powerless in the face of 3 letter agencies. That is false. More people need to realize it, when their communications are particularly super-private (rarely needed, but happens from time to time).

Further, since adversaries think they are omnipotent (wrong again), they will focus more effort and resources in cyber attacks over time. The corollary is less and less spent on physical interdictions and so on; increasing the success ratio of hybrid techniques in the process.

It’s just another technique to take advantage of their blind spot, resulting from their own delusions.

Anyway, I better not hijack this thread further.


Could you please review Passwords: Difference between revisions - Whonix @HulaHoop?


There are some interesting edits in the Passwords page, but IMO it would be better off in a ‘Technical Notes’ section or similar towards the bottom. Right now it overly complicates what should be a basic intro to principles of passwords that can’t be cracked easily.

Normal Whonix users are not mathematicians, so they don’t care for (nor will read, nor generally understand) all the points being made there. I think the tone of general forum help requests backs that point up.


Rejected. Too verbose, and it complicates what is meant to be a simple, straightforward description and page. It also omitted some important references. In my PoV that page is pretty much complete and there isn’t much to really add or subtract from it.


More interestingly, I want to know what the F min-entropy is and what it means for password strength:

The wiki description is just as useless and complex as the paper on this.

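As an added illustration of the min-entropy question raised above (example code written for this thread, not from the Whonix wiki or the Debian diceware package): a diceware-style generator drawing dice rolls from the OS CSPRNG via Python's `secrets` module, plus Shannon entropy and min-entropy of the word distribution. The word list is a constructed stand-in of 7776 placeholder words; the probabilities for the "skewed" case are made up to show why min-entropy, not Shannon entropy, bounds how fast a guesser who tries the most likely words first succeeds.

```python
import math
import secrets

# Constructed stand-in for a diceware list: a real list has 6**5 = 7776 words.
WORDLIST = [f"word{i:04d}" for i in range(6 ** 5)]


def diceware_roll(n_dice=5):
    """Simulate n_dice fair d6 rolls using the OS CSPRNG (getrandom on Linux)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def roll_to_index(roll):
    """Map a dice string such as '11111'..'66666' to a list index 0..7775."""
    idx = 0
    for ch in roll:
        idx = idx * 6 + (int(ch) - 1)
    return idx


def passphrase(n_words, wordlist=WORDLIST):
    """Build a passphrase of n_words words, one independent roll per word."""
    return " ".join(wordlist[roll_to_index(diceware_roll())] for _ in range(n_words))


def shannon_entropy_bits(probs):
    """Average surprise per word: H = -sum(p * log2 p)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy_bits(probs):
    """Worst-case surprise per word: H_min = -log2(max p).
    An attacker guessing the most likely word first needs ~2**H_min tries,
    so this is the figure that bounds password strength, never Shannon's H."""
    return -math.log2(max(probs))


def uniform_probs(n):
    return [1.0 / n] * n


def skewed_probs(n, p_first):
    """Constructed faulty generator: one word with probability p_first,
    the remaining n-1 words sharing the rest uniformly."""
    return [p_first] + [(1.0 - p_first) / (n - 1)] * (n - 1)


def passphrase_strength_bits(n_words, word_probs):
    """(Shannon, min) entropy of a whole passphrase, words chosen independently."""
    return (n_words * shannon_entropy_bits(word_probs),
            n_words * min_entropy_bits(word_probs))
```

With a fair 7776-word list both measures agree at about 12.9 bits per word; with the skewed generator, Shannon entropy still reports about 7.5 bits per word while min-entropy drops to 1 bit, which is the number an attacker actually faces.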

Deleted some posts due to legal reasons.


All related wiki edits were removed due to potential copyright/licensing issues.
