password advice wiki page enhancements


Does it seem more necessary than keepassxc?

I think waiting for keepassxc for buster is better (or you can add it from the backend repo, similar to Tails).

Or do you mean diceware for terminal use? (Though it contains some high issues in the Debian package; maybe they will be fixed in the next releases.)


Could try these instructions. They are incomplete and might be a little too complicated for some users, though.


I think we should encourage high-risk users to default to physical creation of diceware passwords where possible (this is already noted in the wiki), and generally avoid software solutions, since they are inevitably flawed with ongoing and never-ending bugs, some of which will be shown in the future to affect the security of “random” passwords generated by said software…

I mean, if heavily scrutinized software like APT can’t get their shit right with HTTP download confirmation/verification without a semi-trailer-wide hole existing for many, many years, then the likelihood of the diceware package being solid as a rock is, to be frank, minimal.


Realistically, no one is going to use the physical way because it is more complex, and it will only serve to clutter up the page and drive users away when they see a massive wall of text. As for the paranoid, they can just follow the link and do their thing.

Also, this is fatalist logic. If “all” software is fatally flawed, then even a safe password is no good for anything, since the programs you will use it for can be bypassed. I disagree with this position because some things work better than others and have proved themselves in the field.


The complexity of diceware is probably orders of magnitude less than apt. It also depends on well vetted components like the Linux PRNG.
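
The two generation paths under discussion, physical dice versus the OS CSPRNG that a diceware package leans on, are small enough to show side by side. The following is an added example, not code from the wiki, the Debian diceware package, or any poster; the 7776-entry wordlist it builds is a constructed stand-in (a real deployment would load the EFF large wordlist or the original diceware list), and the function names are illustrative. It maps five physical rolls to a list index, draws words unbiasedly with `secrets.randbelow`, computes the resulting entropy, and quantifies the modulo bias a naive `urandom % 7776` would introduce, the kind of subtle software flaw the thread is worried about.

```python
"""Diceware passphrase helper: physical rolls or the OS CSPRNG (added example)."""
import math
import secrets
from typing import List, Sequence

WORDS_PER_LIST = 6 ** 5  # a standard five-dice list has exactly 7776 entries


def dice_code(index: int) -> str:
    """Convert a 0-based list index to its 5-character dice code '11111'..'66666'."""
    digits = []
    for _ in range(5):
        index, r = divmod(index, 6)
        digits.append(str(r + 1))
    return "".join(reversed(digits))


# Constructed stand-in wordlist so the example runs offline (assumption: a real
# deployment substitutes the EFF large wordlist here). Entry i is "w" + its dice code.
WORDLIST: List[str] = ["w" + dice_code(i) for i in range(WORDS_PER_LIST)]


def rolls_to_index(rolls: str) -> int:
    """Map five physical die rolls (e.g. '31425') to a 0-based list index.

    Each roll is a base-6 digit offset by one, so '11111' -> 0 and '66666' -> 7775.
    Malformed input is rejected rather than silently wrapped into a valid index.
    """
    if len(rolls) != 5 or any(ch not in "123456" for ch in rolls):
        raise ValueError(f"need exactly five rolls in 1..6, got {rolls!r}")
    index = 0
    for ch in rolls:
        index = index * 6 + (int(ch) - 1)
    return index


def passphrase_from_rolls(rolls: Sequence[str], wordlist: Sequence[str] = WORDLIST) -> str:
    """Physical path: one group of five real die rolls per word, no RNG involved."""
    if len(wordlist) != WORDS_PER_LIST:
        raise ValueError("a five-dice wordlist must have exactly 7776 entries")
    return " ".join(wordlist[rolls_to_index(group)] for group in rolls)


def passphrase_from_csprng(n_words: int, wordlist: Sequence[str] = WORDLIST) -> str:
    """Software path: secrets.randbelow reads the OS CSPRNG (getrandom/urandom
    on Linux) and uses rejection sampling, so every word is equally likely."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return " ".join(wordlist[secrets.randbelow(len(wordlist))] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = WORDS_PER_LIST) -> float:
    """Entropy of an n-word passphrase drawn uniformly with replacement."""
    return n_words * math.log2(list_size)


def modulo_bias_ratio(list_size: int, sample_bits: int) -> float:
    """Bias of the naive 'int.from_bytes(os.urandom(k)) % list_size' approach:
    ratio of the most-probable word's chance to the least-probable word's.
    1.0 means unbiased; with 16 bits and 7776 words it is 9/8 = 1.125."""
    n = 2 ** sample_bits
    full_rounds, leftover = divmod(n, list_size)
    if leftover == 0:
        return 1.0
    return (full_rounds + 1) / full_rounds


if __name__ == "__main__":
    print("from dice:  ", passphrase_from_rolls(["31425", "11111", "66666"]))
    print("from CSPRNG:", passphrase_from_csprng(6))
    print(f"6 words ~ {entropy_bits(6):.1f} bits")
    print(f"16-bit sample mod 7776 bias ratio: {modulo_bias_ratio(7776, 16):.3f}")
```

The dice path and the CSPRNG path produce the same kind of output, so a reviewer can check the software path by hand: roll five dice, feed the digits to `rolls_to_index`, and confirm the word matches the printed list; the only thing the software path adds is trust in the kernel's random source and in the rejection-sampling draw, which is why the modulo-bias helper is worth keeping next to it.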


OK, you caught me in a fatalistic moment.

Although I disagree on a minor point, i.e. the superiority of physical measures for the most hard-core.

As another example, if I wrap my One Time Pad message (which of course I created using - again - physical measures like dice at home, no software involved for the IN / OUT pads) inside an encrypted email, then any interloper inside my system can learn SFA, even if they have backdoored every software and physical component of my home system.

That is, they would see indecipherable encrypted text get entered into Thunderbird in real time… well, good for them (totally impractical for real-life purposes, I know, but just saying) :wink:


Well if you’re willing to go that far… why not also leave the note in a dead drop for your contact and burn it afterwards?

Computers can identify you and they can assign someone to follow you or break into your premises and steal your physically generated OTP.


True re: dead drop.

But I don’t think OTP is that far. I’ve tried it with generation of my own pads; it doesn’t take that long. If one meets their friends / colleagues on occasion and wants to really take their rights back, it is good to know I can have it using old techniques.

(Off topic) Philosophically, the modern propaganda insists we are powerless in the face of 3 letter agencies. That is false. More people need to realize it, when their communications are particularly super-private (rarely needed, but happens from time to time).

Further, since adversaries think they are omnipotent (wrong again), they will focus more effort and resources on cyber attacks over time. The corollary is less and less spent on physical interdictions and so on, increasing the success ratio of hybrid techniques in the process.

It’s just another technique to take advantage of their blindspot, resulting from their own delusions.

Anyway, I better not hijack this thread further.