Do not let perfect be the enemy of good. Right now, people's password hygiene is not even "good".
Some specific criticisms:
> At a bare minimum you should be using a unique 32 character random alphanumeric on every website or service that you use.
Sometimes you have to type in a password, even if you use a password manager. Maybe you are using a public computer. 32 character passwords are laughable. NIST recommends 80 bits, that's ~14 characters. Entirely sufficient.
> Do not use online password services
If it means you're using different, reasonably strong passwords for all your accounts instead of just one password shared with everything, then PLEASE DO use an online password service. You will be vastly more secure.
Getting "normal" people to use good passwords means their password manager has to be super easy to use. LastPass is fine. 1Password is fine. Hell, even writing your passwords down in a book is fine, as long as you look after the book.
Thankfully, now that there is a lot more public awareness of infosec practices - driven in large part by there seemingly being a big infosec story every week - a lot of the best practices advice has been loosened towards the more practical.
In terms of password management, I agree with you completely - the default advice should be to use an online password manager. I've got my partner and most of my family using Dashlane and with near 100% unique password compliance.
That type of adoption with regular users would never have happened had I stuck to "keepass, diceware and 32 character unique passwords" level advice.
By encouraging different password habits, people will be better prepared for the future.
I have to question your expertise on this matter since you suggest writing passwords down in a book, as well as using online password databases, both are terrible ideas.
But I don't believe this is really a problem. As computers get faster, hashing can get slower. There is no upper limit on hash complexity.
Edit: This is your guide, isn't it? It would be ethical for you to disclose that, given that it has an advert for your business at the bottom.
In a week we learn, via HN, of the Last FM top 50 passwords (usual suspects, no surprises), and that 50% click on any link sent them. Moving the needle at all is more important than getting it to great.
I've come across many intelligent, successful, professionals who still reuse passwords, who still use child's name + random number for important things. Is using a book or online service a terrible idea compared to using steve36 for his domain registrar? What you call terrible at least moves the needle away from zero.
Also, can keepass generate secure passwords for you? That's something I love about lastpass.
UPDATE: also, how easy is it to use on an Android?
From what I understand, the encryption is done client-side per individual item (e.g. if you use a cloud provider, unencrypted data never touches them), but there's some generally questionable stuff in how it handles secure things: https://news.ycombinator.com/item?id=9727297
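    require "securerandom"
    # Up to 9 digits, 10 distinct lowercase, 10 distinct uppercase, then "_"; drawn from SecureRandom rather than Kernel#rand.
    puts (SecureRandom.random_number(1_000_000_000).to_s + \
    ("a".."z").to_a.sample(10, random: SecureRandom).join + \
    ("A".."Z").to_a.sample(10, random: SecureRandom).join + "_")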
Some benefits: If you need to enter in a password on your phone the numbers / capitals are all in a row, so you're not constantly shift-on / shift-off-ing. There is multi-case alphanumeric with a symbol, so it passes most website checks. If the website is something dumb and they don't allow special characters your underscore is right at the end so you can just delete it, and since it is an underscore it's a special character usually allowed (unlike % for example) because they're not weirdly encoded, even in URLs. You can save your passwords in a gpg'd text file if you want, though it usually doesn't matter that much. Just store them in Chrome and use two-factor. If you get logged out just password reset to your email.
You're right though, it isn't perfect.
    $ openssl rand -base64 25
Passphrases are not passwords and I think they shouldn't be recommended for use as passwords.
Passphrases are fantastic for encryption keys, where trying to otherwise memorise a suitable amount of entropy to match the required strength would be almost impossible.
But passwords don't need to be 256 bit. If you're using a password manager it doesn't hurt to keep passwords as strong as each service will allow, but Diceware isn't the right tool for the job for passwords, because while it's great for memorizing one or two high entropy phrases, there's no way someone could be expected to memorize the dozens of passwords they use on a daily basis.
At which point you're back to bad solutions such as writing it down, using the same phrase everywhere or cheating on the lengths.
The only sane way to manage dozens of services in a way that doesn't bleed risk from one service compromise to the next is password managers.
At which point a 16-20 character password of random characters is more suitable than a passphrase. It's harder to memorize if anyone happens to see it due to a mis-paste or whatever, it's easier to type in if you need to and it's less likely to suffer from "silent truncation" effects.
So use a password manager, use a diceware phrase to secure the master password (encryption) there, but allow the password managers to generate passwords which are short and random.
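An added example, not code from any commenter in this thread: it puts numbers on the lengths argued about above (80 bits as roughly 14 alphanumeric characters, 16-20 character random site passwords, a Diceware phrase for the master password) and generates both kinds from a CSPRNG. The 16-word list is constructed so the block runs offline; a real Diceware list has 7776 words, which `DICEWARE_SIZE` models, and all function names are made up for this example.

```ruby
require "securerandom"

ALPHANUM = [*"a".."z", *"A".."Z", *"0".."9"].freeze # 62 symbols

# Constructed sample list (assumption, for illustration only). A real
# Diceware list has 6**5 = 7776 words; use one for actual passphrases.
SAMPLE_WORDS = %w[anchor basil copper drift ember fjord granite harbor
                  indigo juniper kelp lantern meadow nickel orbit pebble].freeze
DICEWARE_SIZE = 6**5

# Entropy in bits of `count` independent uniform draws from `pool_size` symbols.
def entropy_bits(pool_size, count)
  count * Math.log2(pool_size)
end

# Smallest number of independent draws from `pool_size` symbols reaching `bits`.
def draws_needed(pool_size, bits)
  (bits / Math.log2(pool_size)).ceil
end

# Per-site password: every character drawn independently from the CSPRNG.
def random_password(length, alphabet = ALPHANUM)
  Array.new(length) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end

# Master passphrase: words drawn independently, with replacement.
def passphrase(word_count, words = SAMPLE_WORDS)
  Array.new(word_count) { words[SecureRandom.random_number(words.size)] }.join(" ")
end

if __FILE__ == $PROGRAM_NAME
  puts "80 bits: #{draws_needed(ALPHANUM.size, 80)} alphanumeric chars " \
       "or #{draws_needed(DICEWARE_SIZE, 80)} Diceware words"
  [14, 16, 20, 32].each do |n|
    puts format("%2d random alphanumeric chars = %.1f bits", n, entropy_bits(62, n))
  end
  puts "site password:  #{random_password(20)}"
  puts "sample phrase:  #{passphrase(7)} (from the 16-word sample list: " \
       "#{entropy_bits(SAMPLE_WORDS.size, 7).round} bits, not Diceware strength)"
end
```

The estimates only hold when every character or word is chosen uniformly and independently, which is why the generators draw from `SecureRandom` instead of `Kernel#rand`.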
If you use diceware for everything you've got to remember all of those unique passphrases which defeats the whole point of diceware.
Where diceware shines is in creating a master password, which is explained in the guide.
That is a non-starter....
You sync your DB across multiple cloud services, and to decrypt you use a weak master pass and strong key.
I've been struggling with how to move that key around.
1) Put it on a USB drive or hide it in your filesystem.
This is cumbersome and losing the drive could be disastrous. It's also trivial to scan a filesystem for key-like files.
2) Use an authentication dongle.
This one is better but requires third party hardware in most cases, and is slightly expensive.
3) Bluetooth/NFC to your device.
This can be intercepted at extended ranges as proven at defcon etc. Though it is admittedly the most convenient method. The data can be signed, but I haven't seen anything out there that implements this well just yet.
4) Timed one time passwords, PushBullet etc.
This feels like a bonus feature.
I'm not sure how to go about this. You lose or leak the key then you're screwed.
Is there a wristwatch or phone app with signed credential sharing based on wearer input, compatible to a standard?
Plugging my super simple passphrase generator built upon the EFF wordlist: https://spg.brashear.me