fernweh translation, password recommendations

This commit is contained in:
anarsec 2023-06-20 17:58:34 +00:00
parent 6d873a7669
commit 26a151f415
No known key found for this signature in database
3 changed files with 47 additions and 8 deletions


@ -134,17 +134,28 @@ Another reason to not use Persistent Storage features is that many of them persi
#### Passwords
[Encryption](/glossary#encryption) is a blessing—it's the only thing standing in the way of our adversary reading all of our data, if it's used well. The first step to secure your encryption is to ensure that you use very good passwords—most passwords don't need to be memorized because they will be stored in a password manager called KeePassXC, so can be completely random (see [Password Manger](/posts/tails/#password-manager-keepassxc) to learn how to use it). In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a randomized sequence of characters (letters, numbers and other symbols), whereas a [*passphrase*](/glossary/#passphrase) is a random series of words. Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. For Tails, you will need to memorize two passphrases:
[Encryption](/glossary#encryption) is a blessing—it's the only thing standing in the way of our adversary reading all of our data, if it's used well. The first step to secure your encryption is to ensure that you use very good passwords—most passwords don't need to be memorized because they will be stored in a password manager called KeePassXC, so can be completely random. To learn how to use KeePassXC, see [Password Manger](/posts/tails/#password-manager-keepassxc).
>In the terminology used by KeePassXC, a [*password*](/glossary/#password) is a randomized sequence of characters (letters, numbers and other symbols), whereas a [*passphrase*](/glossary/#passphrase) is a random series of words.
Never reuse a password/passphrase for multiple things ("password recycling") - KeePassXC makes it easy to save unique ones that are dedicated to one purpose. LUKS encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/). Your passwords/passphrases should ideally have an entropy of around 128 bits (diceware passphrases of approximately **ten words**, or passwords of **21 random characters**) and shouldn't have less than 90 bits of entropy (approximately seven words).
What is a diceware passphrase? As [Privacy Guides notes](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases), "Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`." The Password Generator feature in KeePassXC can generate diceware passphrases and random passwords. If you prefer to generate diceware passphrases using real dice, see [Privacy Guides](https://www.privacyguides.org/en/basics/passwords-overview/#diceware-passphrases).
Our recommendations are:
1) Memorize diceware passphrases of 7-10 words for anything that is not stored in a KeePassXC database
2) Generate passwords of 21 random characters for anything that can be stored in a KeePassXC database. Maintain an offsite backup of your KeePassXC database(s) in case it is ever corrupted or seized.
Diceware passphrases can be easy to forget when you have several to keep track of, especially if you use any irregularly. To mitigate against the risk of forgetting a diceware passphrase, you can create a KeePassXC file with all "memorized" passphrases in it. Store this on a LUKS USB, and hide this USB somewhere offsite where it won't be recovered during a police raid. You should be able to reconstruct both the LUKS and KeePassXC passphrases if a lot of time has passed. One strategy is to use a memorable sentence from a book - this decrease in password entropy is acceptable if the USB is highly unlikely to ever be recovered due to its storage location. This way, if you ever truly forget a "memorized" passphrase, you can access this offsite backup.
For Tails, you will need to memorize two passphrases:
1) The [LUKS](/glossary/#luks) 'personal data' USB passphrase, where your KeePassXC file will be stored
2) The KeePassXC passphrase
If you use Persistent Storage, that is another passphrase which will have to be entered on the Welcome Screen upon booting but it can be the same as 1.
Your passwords/passphrases should have an entropy of around 128 bits (passphrases of approximately ten words, or passwords of 21 random characters from the Password Generator in KeePassXC), and the ones you must memorize should be hard to forget. LUKS encryption can be [brute-force attacked](/glossary#brute-force-attack) with [massive amounts of cloud computing](https://blog.elcomsoft.com/2020/08/breaking-luks-encryption/), so your passwords/passphrases shouldn't be less than 90 bits of entropy (approximately seven words).
[Diceware passphrases](https://www.eff.org/dice) can be easy to forget when you have several to keep track of, but a similar option is to choose a book, turn to a memorable chapter title or sentence with at least ten words, and add on a word/number that is meaningful to you. This will be hard to forget even if months pass without using it because you can reference the book if your memory flags, and the appended meaningful word/number should be memorable. You can choose whether to remove spaces and capitalization, or to leave it exactly as is, or to reverse the word order, but be consistent across all of your passphrases.
#### Encrypted containers
[LUKS](/glossary#luks) is great, but 'defense-in-depth' can't hurt. If police seize your USB in a house raid, they can try to unlock it with a [brute-force attack to guess the password](/glossary#brute-force-attack), so a second layer of defense with a different encryption implementation can make sense for highly sensitive data.
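Review bot: the new blockquote line `>In the terminology used by KeePassXC…` is followed directly by the paragraph `Never reuse a password/passphrase for multiple things…`; in CommonMark a paragraph line that follows a block quote without a blank line is a lazy continuation and renders inside the quote, so confirm a blank line separates the two (the diff view here may have dropped it). The link text `[Password Manger](/posts/tails/#password-manager-keepassxc)` carries a typo inherited from the old line and should read `Password Manager`. The numbers in the rewritten entropy guidance hold up: with the 7776-word EFF diceware list (about 12.9 bits per word) ten words give roughly 129 bits and seven words roughly 90, and 21 characters drawn from the printable ASCII set exceed 128 bits, so the stated targets and floor are consistent with each other.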