mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 23:02:55 -04:00
argon2id
This commit is contained in:
parent
26a151f415
commit
072543235c
2 changed files with 6 additions and 4 deletions
@ -138,7 +138,9 @@ Another reason to not use Persistent Storage features is that many of them persi
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a randomized sequence of characters (letters, numbers and other symbols), whereas a [*passphrase*](/glossary/#passphrase) is a random series of words.
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. LUKS encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). Your passwords/passphrases should ideally have an entropy of around 128 bits (diceware passphrases of approximately **ten words**, or passwords of **21 random characters**) and shouldn't have less than 90 bits of entropy (approximately seven words).
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. [LUKS](/glossary/#luks) encryption **is only effective when the device is powered down** - when the device is on, the password can be retrieved from memory. Any encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). The newer version of LUKS (LUKS2 using Argon2id) is [less vulnerable to brute-force attacks](https://mjg59.dreamwidth.org/66429.html); this is the default from [Tails 5.13](https://tails.boum.org/security/argon2id/index.en.html) onwards, and Qubes OS 4.1 onwards. If you'd like to learn more about this change, we recommend [Systemli's overview](https://www.systemli.org/en/2023/04/30/is-linux-hard-disk-encryption-hacked/).
Password strength is measured in "[bits of entropy](https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength)". Your passwords/passphrases should ideally have an entropy of around 128 bits (diceware passphrases of approximately **ten words**, or passwords of **21 random characters**) and shouldn't have less than 90 bits of entropy (approximately seven words).
What is a diceware passphrase? As [Privacy Guides notes](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases), "Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`." The Password Generator feature in KeePassXC can generate diceware passphrases and random passwords. If you prefer to generate diceware passphrases using real dice, see [Privacy Guides](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases).
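Review bot: "the password can be retrieved from memory" in the added LUKS sentence is imprecise: after a LUKS volume is unlocked, what remains in RAM is the volume master key held by dm-crypt, not the passphrase itself, so "the encryption key can be retrieved from memory" would be accurate. Two smaller points in the same paragraph: the brute-force link carried over from the old line is written `/glossary#brute-force-attack` while the neighbouring glossary links use the `/glossary/#luks` and `/glossary/#password` form, so make it `/glossary/#brute-force-attack`; and the Tails 5.13 claim has a citation but "Qubes OS 4.1 onwards" has none, so either link the Qubes release notes or drop the version number.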
@ -147,7 +149,7 @@ Our recommendations are:
1) Memorize diceware passphrases of 7-10 words for anything that is not stored in a KeePassXC database
2) Generate passwords of 21 random characters for anything that can be stored in a KeePassXC database. Maintain an offsite backup of your KeePassXC database(s) in case it is ever corrupted or seized.
Diceware passphrases can be easy to forget when you have several to keep track of, especially if you use any irregularly. To mitigate against the risk of forgetting a diceware passphrase, you can create a KeePassXC file with all "memorized" passphrases in it. Store this on a LUKS USB, and hide this USB somewhere offsite where it won't be recovered during a police raid. You should be able to reconstruct both the LUKS and KeePassXC passphrases if a lot of time has passed. One strategy is to use a memorable sentence from a book - this decrease in password entropy is acceptable if the USB is highly unlikely to ever be recovered due to its storage location. This way, if you ever truly forget a "memorized" passphrase, you can access this offsite backup.
> **Tip**: Diceware passphrases can be easy to forget when you have several to keep track of, especially if you use any irregularly. To mitigate against the risk of forgetting a diceware passphrase, you can create a KeePassXC file with all "memorized" passphrases in it. Store this on a LUKS USB, and hide this USB somewhere offsite where it won't be recovered during a police raid. You should be able to reconstruct both the LUKS and KeePassXC passphrases if a lot of time has passed. One strategy is to use a memorable sentence from a book - this decrease in password entropy is acceptable if the USB is highly unlikely to ever be recovered due to its storage location. This way, if you ever truly forget a "memorized" passphrase, you can access this offsite backup.
For Tails, you will need to memorize two passphrases:
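Review bot: the tip tells the reader to keep the backup KeePassXC file on a "LUKS USB" protected by a deliberately lower-entropy book sentence, but it does not connect this to the LUKS2/Argon2id point made in the paragraph above it; since a memory-hard KDF is precisely what slows brute-forcing of a weaker passphrase, suggest adding that this USB should be formatted as LUKS2 with Argon2id (the default from Tails 5.13, as stated earlier). Otherwise the hunk is presentational only: the paragraph text is unchanged apart from the `> **Tip**:` prefix.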
@ -193,7 +195,7 @@ PGP email is the most established form of encrypted communication on Tails in th
For [synchronous](/glossary/#synchronous-communication) messaging—when you are both online at the same time—we recommend [Cwtch](/posts/e2ee/#cwtch) for encrypted communications on Tails.
For [asynchronous](/glossary/#asynchronous-communication) messaging—when you are not online simultanelously—we recommend [Element](/posts/e2ee/#element-matrix). What server you use is important as well—[Systemli](https://www.systemli.org/en/service/matrix/) and [Anarchy Planet](https://anarchyplanet.org/chat.html) are reputable hosts.
For [asynchronous](/glossary/#asynchronous-communication) messaging—when you are not online at the same time—we recommend [Element](/posts/e2ee/#element-matrix). What server you use is important as well—[Systemli](https://www.systemli.org/en/service/matrix/) and [Anarchy Planet](https://anarchyplanet.org/chat.html) are reputable hosts.
For more information on either option, see [Encrypted Messaging For Anarchists](/posts/e2ee/).
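Review bot: the replacement of the misspelt "simultanelously" is correct. One parallelism point: the synchronous sentence above reads "when you are both online at the same time", so the asynchronous one would mirror it most cleanly as "when you are not both online at the same time".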
@ -9,7 +9,7 @@ These recommendations are intended for all anarchists and are accompanied by tut
## Phones
>**[Operating system](/glossary#operating-system-os)**: **GrapheneOS** is the only reasonably secure choice for cellphones. See [GrapheneOS for Anarchists](/posts/graphene/). Better yet, [don't have a phone](/posts/nophones/).
>**[Operating system](/glossary#operating-system-os)**: **GrapheneOS** is the only reasonably secure choice for cellphones. See [GrapheneOS for Anarchists](/posts/grapheneos/). Better yet, [don't have a phone](/posts/nophones/).
Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). If this is not possible for you, [DivestOS](https://www.privacyguides.org/en/android/#divestos) has more [supported devices](https://divestos.org/pages/devices) and it is significantly better than stock Android.
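Review bot: the slug change from `/posts/graphene/` to `/posts/grapheneos/` fixes only this one link; it is worth grepping the repository for any remaining occurrences of the old slug before merging. Also, the commit message "argon2id" describes only the first hunk of the other file; this link fix and the typo fix there are unrelated and would be easier to trace later in their own commits or under a fuller message.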