does it seems necessary more than keepassxc?
i think waiting for keepassxc for buster is better (or you can add it from backend repo similar to Tails).
or you mean diceware for terminal use? (though it contains some high issues in debian package, maybe it will be fixed in next releases)
Could try these instructions. They are incomplete and might be a little to complicated for some user though.
I think we should encourage high risk users to default to physical creation of diceware passwords where possible (is already noted in wiki), and generally avoid software solutions, since it is inevitably flawed with ongoing and never-ending bugs, some of which will be shown to affect the security of ārandomā passwords generated by the said software in the futureā¦
I mean, if heavily scrutinized software like APT canāt get their shit right with http download confirmation/verification without a semi-trailer wide hole existing for many, many years, then the likelihood of the diceware package being solid as a rock is to be frank, minimal.
Realistically no one is going to use the physical way because it is more complex and it will only serve to clutter up the page and drive users away when they see a massive wall of text. To the paranoid they can just follow the link and do their thing.
Also this is fatalist logic. If āallā software is fatally flawed then even a safe password is no good for anything since the programs you will use it for can be bypassed. I disagree with this position because some things work better than others and have proved themselves in the field.
Source?
The complexity of diceware is probably orders of magnitude less than apt. It also depends on well vetted components like the Linux PRNG.
OK, you caught me in a fatalistic moment.
Although I disagree on a minor point i.e. superiority of physical measures for the most hard core.
As another example, if I wrap my One Time Pad message (which of course I created using - again - physical measures like dice at home, no software involved for the IN / OUT pads), inside encrypted email, then any interloper inside my system can learn SFA, even if they have backdoored every software and physical component of my home system.
That is, they would see indecipherable encrypted text get entered into Thunderbird in real timeā¦ well good for them (totally impractical I know for real life purposes, but just saying) 
Well if youāre willing to go that farā¦ why not also leave the note in a dead drop for your contact and burn it afterwards?
Computers can identify you and they can assign someone to follow you or break into your premises and steal your physically generated OTP.
True re: dead drop.
But I donāt think OTP is that far. Iāve tried it with generation of own pads, doesnāt take that long. If one meets their friends / colleagues on occasion and wants to really take their rights back, it is good to know I can have it using old techniques.
(Off topic) Philosophically, the modern propaganda insists we are powerless in the face of 3 letter agencies. That is false. More people need to realize it, when their communications are particularly super-private (rarely needed, but happens from time to time).
Further, since adversaries think they are omnipotent (wrong again), they will focus more effort and resources in cyber attacks over time. The corollary is less and less spent on physical interdictions and so on; increasing the success ratio of hybrid techniques in the process.
Itās just another technique to take advantage of their blindspot, resulting from their own delusions.
Anyway, I better not hijack this thread further.
Could you please review Passwords: Difference between revisions - Whonix @HulaHoop?
There is some interesting edits in the Passwords page, but IMO it would be better off in a āTechnical Notesā section or similar towards the bottom. Right now it overly complicates what should be a basic intro to principles of passwords that canāt be cracked easily.
Normal Whonix users are not mathematicians, so they donāt care for (nor will read, nor generally understand) all the points being made there. I think the tone of general forum help requests backs that point up.
Rejected. Too verbose and complicates what is mean to be a simple straightforward description and page. Also omitted some important references. In my PoV that page is pretty much complete and there isnāt much to really add or subtract from it.
More interestingly I want to know what the F is minentropy and what does it mean for password strength:
The wiki description is just as useless and complex as the paper on this.
Deleted some posts due to legal reasons.
All related wiki edits were removed due to potential copyright/licensing issues.