Random passwords are good practice, what isn’t good practice is following _specific password requirements_ like 10 characters 1 uppercase, 1 symbol because that _reduces your search space_. A 30 or 50 character password generated by your password manager is _always_ the most secure option, the longer the better. I generate passwords that go to the maximum the service allows.

Ideally all lowercase letters to make them easy to type when you need to use them in another device. Unfortunately, a lot of places don't allow that, preferring less secure and more inconvenient passwords.

“Password must be between 8 and 12 characters” ‍️

Also: Reminder to enable 2 factor authentication, of you haven't.

This is what you get for making me admin, I've gone mad with power, muhahahahaha! crimes o-o

Password managers are OK but I have hesitations on them personally. I'm leery of putting all my most high-value stuff in one place behind one password. What I do instead is memorize a truly unreasonable amount of passwords, though, which I recognize is not a reasonable expectation for others. For threat models in which you're not worried about in-person attacks, it may actually be a good idea to just write your passwords down, maybe keep your password book in something with a lock on it. I'm not advocating for any particular method, just putting it out there so people can make an informed decision.

Diceware is a method of generating random memorable passwords.

Basically what diceware does. It's just that humans are really bad at picking random words ("banana" is over represented, for instance) that's what diceware helps with.

I would suggest a password locker rather than just a generated passphrase.

'Pass word1! Oh, ' and spaces aren't allowed?

I used to use words from different vernaculars or languages. Sometimes i double check they are too abstract and weird to correct horse battery staple easily just because I'm a contrarian asshole snd thst helps me remember. exquisitevibrattoacquittalbevelschaudenfreude

Horse: "That's a battery staple." Man: "Correct!"

these are called pass *phrases* and yes, they tend to be way more secure at least until quantum computers render all traditional cryptography meaningless.

> I'm leery of putting all my most high-value stuff in one place behind one password. Most password managers can be set up to also require a keyfile and/or physical passkey to unlock their databases. A keyfile means someone couldn't get into your password database even if it got leaked and they knew the password (assuming you stored your keyfile separate from the database - the file and its location should be treated like a password itself), while a physical passkey makes it virtually impossible to breach the database unless someone steals the USB device.

Over the years, nobody has ever guessed my passwords, but four sites I was subscribed to were compromised and my email+password got leaked anyway. The strongest chain and the weakest link...

I guess what I mean is, it's a single point of failure. Usually an extremely strong one, granted.

Well good news then, because even throwing every quantum computer currently on the planet is not enough to factor 2048-bit RSA, and likely won't be in any currently alive human's lifetime.

Maybe with *current* quantum computers, but human technology tends to increase at an exponential rate so I doubt it will be long. Scientists are already trying to design post-quantum encryption for this very reason. https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

And your memory is not a single point of failure?

> until quantum computers render all traditional cryptography meaningless. I'll cross that bridge when it actually happens.