I am probably sharing too much information, but in case I’m under protected:
My router is RT-AX86U Pro with Asuswrt-Merlin. My hope is this is a smart choice.
It’s probably a smart choice given that you’re on the latest “ng” version of Asuswrt-Merlin and not the legacy one although I honestly don’t know enough about it. Routers that run OpenWRT are recommended around here which I think are the best choice.
Overall I’d say that your local password for your computer doesn’t need to be super long and hardcore especially if you use a Password Manager with a strong master password for everything else.
There are plenty of other ways to be deceived and the chance of having somebody breach you locally is falling under the 1% chance[1] so having something like 10/15 characters with a few symbols and not your mom/dog/girlfriend’s name is definitely good enough.
Try to meanwhile not reuse it for everything, like it shouldn’t go beyond just unlocking your PC. Keep using a PW manager for anything like Asus Admin UI login or anywhere else where you can easily paste your thing.
If you’re really concerned about security and want to keep convenience, you can throw some money into it: buy a Yubikey and require it to be pressed to be able to login to your session. That way, it’s casual password + physical device.
An example on how to achieve that: Passwordless logins with Yubikey
I think that OP is knowledgeable enough given their messages above and if they keep their Asus router up to date, it’s definitely a fine enough solution that doesn’t require them to buy anything else as of today considering diminishing returns.
[1]: increase that percentage based on the people around you and how ill intentioned they might be based on your own convenience ofc
Thank you for this response and guidance. Greatly appreciated!
I am not sure this is good advice. If you already have a password manager there is no reason to be lazy about having a strong password. There is no situation where a strong password is worse than a weak password.
Since there is really no good reason to not have a password manager, if having a password is the only option for security, there is no good reason to not have a strong password.
Maybe I am misunderstanding and there is less of a difference between a “casual” password and a “strong” password than I think.
This is made up garbage. Why make up bs stats? What does this add? This kind of casual misinformation is really problematic on forums that are trying to help people.
I think you are. Well, I guess it depends on what you take…
… to be. What @kissu refers to as “strong” passwords is probably something like a lengthy (20+ characters) set of randomized characters. And “casual” probably means something like “memorable and easily typed,” rather than outright weak. Something that is casual can still be sufficiently strong even though it is not a lengthy randomized set of characters, in my opinion.
I think the recommendation that they made was decent, but I would actually recommend further: two or more random words, two or more random symbols, and two or more random numbers. Put this in any order and the strength is easily around the 40-60 bits range, at least based on what KeePassXC tells me. Something like this is casual (memorable + easily typed) yet sufficiently strong for what a user password requires (40-60 bit range, based on KeePass).[1]
[1]: Although, that bit range is based on if an attacker guesses the password via bruteforcing every random set of characters. It might be lower or higher depending on their method of cracking. We would have to look at how modern malware/network attacks historically crack passwords to get a feel of whether this is good or bad advice. But this is getting into advanced territory, which is beyond the scope of this thread since it’s ELI5. I also have nothing further to offer since this is beyond my scope of expertise.
Good luck typing
asb=SW;N%uAm)G0cw9(<#fDV6E=$+c>5c0bb#x]p5p!Z27$KQE<kgAy3sbx&jh:
every time you want to unlock your iPhone or Macbook[1].
I’d also be very curious to know what even are the benefits in that situation.
Yes, this is the kind that password managers will generate.
Is it anyhow friendly to type or even useful in this context? Not really.
3Obedience8! might be good enough of a password for your phone/laptop tho.[2]
Just like a PIN code on your phone that is 6+ digits is good enough, yet it would be better if it’s 12+. At the same time, I’m not sure how long you’ll be able to bear typing 12 digits on a daily basis.[3]
Sure, I do not have any strong data mining to support my claim besides “I never heard from anybody in my known people that got hacked at home by some random guest”.
Also, it is not likely to happen because hackers would rather just try to get to you remotely rather than figure out where you live and take a plane to then lock pick your door. No accurate data scientist here, but common sense nonetheless.
At the same time, if you’re careless and let people eavesdrop while you type your PIN/password while at a party, then yeah. But it’s more of a social engineering/real life OPSec in that situation.
But again, common sense here too. Also maybe don’t invite people that you do hate or that want you in a bad situation at your place to begin with.
Yes to @anon36227541.
Entropy is a huge topic and I am no math expert to explain it further given it’s a please-eli5 but a casual read of the Diceware could be helpful to everybody I think. Then spray a bit of daily friction + threat modeling to find out how far you want to go.
And if your casual password to login into your phone/laptop is Fancy-Cowboy-That-Rolls-420 and you can live with that, perfect then.
[1]: feel free to come back here to say how frustrating of an experience it is once you typo’ed it 5 times
[2]: unless you’re really into BDSM and it’s an obvious one, I took random ideas from Proton’s generator
[3]: good way to detox your phone usage for sure or nice if you have a high threat model
Just want to point out that the thing that makes a 6 digit numeric PIN acceptable on a phone is the hardware ratelimiting, otherwise it would be terrible.
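An added example (not from anyone in this thread) that puts numbers on the “2 words + 2 symbols + 2 digits, any order” 40-60 bit estimate above, the Diceware idea kissu points to, and the point that rate limiting is what makes a 6-digit PIN workable. The offline guess rate and the 30-second lockout are assumed illustrative figures, not measurements of any device.

```python
import math
import string

# Constructed model parameters (assumptions for illustration, not measured values).
DICEWARE_WORDS = 7776                  # 6^5 words in a standard Diceware list
SYMBOLS = len(string.punctuation)      # 32 printable ASCII symbols
DIGITS = 10
PRINTABLE = len(string.digits + string.ascii_letters + string.punctuation)  # 94
OFFLINE_GUESSES_PER_S = 1e10           # assumed offline cracking rig against a fast hash
RATE_LIMITED_GUESSES_PER_S = 1 / 30    # assumed device lockout: one try per 30 s on average

def entropy_bits(choices_per_slot):
    """Bits of entropy for a secret whose slots are chosen independently and
    uniformly; choices_per_slot lists the number of options for each slot."""
    return sum(math.log2(n) for n in choices_per_slot)

def words_symbols_digits_bits(words=2, symbols=2, digits=2, random_order=True):
    """Entropy of the '2+ random words, 2+ symbols, 2+ digits, any order' scheme.
    With random_order=True the attacker is assumed to know the scheme but not which
    slot holds which component type, which adds log2 of the number of arrangements."""
    bits = entropy_bits([DICEWARE_WORDS] * words + [SYMBOLS] * symbols + [DIGITS] * digits)
    if random_order:
        total = words + symbols + digits
        arrangements = math.factorial(total) // (
            math.factorial(words) * math.factorial(symbols) * math.factorial(digits))
        bits += math.log2(arrangements)
    return bits

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate (the average is half of this)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def compare_schemes():
    """Return {scheme name: (bits, years offline, years behind a rate limiter)}."""
    schemes = {
        "6-digit PIN": entropy_bits([DIGITS] * 6),
        "2 words + 2 symbols + 2 digits, fixed order": words_symbols_digits_bits(random_order=False),
        "2 words + 2 symbols + 2 digits, random order": words_symbols_digits_bits(),
        "64 random printable ASCII chars": entropy_bits([PRINTABLE] * 64),
    }
    return {name: (bits,
                   years_to_exhaust(bits, OFFLINE_GUESSES_PER_S),
                   years_to_exhaust(bits, RATE_LIMITED_GUESSES_PER_S))
            for name, bits in schemes.items()}

if __name__ == "__main__":
    for name, (bits, offline, limited) in compare_schemes().items():
        print(f"{name:45s} {bits:6.1f} bits  offline: {offline:9.3g} y  rate-limited: {limited:9.3g} y")
```

The PIN line is the point of the rate-limiting remark: about 20 bits is exhausted in a fraction of a second offline, but takes roughly a year behind even the modest 30-second lockout assumed here.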
That’s where biometrics come in. They also protect you against shoulder-surfing attacks.
What do you mean?
Rate limiting only comes in for PIN, not for other ways to unlock your phone?
Back in the days it was probably awful if you could brute force your way in yes, but we’re in 2026 almost so we’re good.
I learned the hard way that privacy screens do not work with fingerprints (at least on the Pixel 9a given it’s not the flagship kind of sensor).
The rate limiting works for alphanumeric passwords too but what I’m saying is the only reason a 6 digit PIN is remotely secure on a phone is because of the rate limiting.
Weird, does it not have the ultrasonic sensor? Regardless there’s also face unlock but Google refuses to put secure face unlock hardware in their phones anymore.
Nah it’s the basic one.
Quoting GSMArena
Sensors: Fingerprint (under display, optical)
Honestly, I’d rather PIN than face unlock most of the time. But yes, biometrics security is another topic entirely.
Obviously that would be an obnoxious password to try and use with a device but, it’s also not the only option.
Any decent password manager will also generate a passphrase instead which will be strong and avoid the example you refer to.
I mostly agree because of what @fria pointed out. I do still get the sense that you put more weight on convenience even if it sacrifices security when it comes to passwords. Which is going to be a different balance for everyone.
This is what we would call “perceived risk” then. Typically, regardless of a perceived risk the best practice is to have a strong password / passphrase.
I would still suggest making it clear to people that when you make that statement, that’s your experience and not a data driven statistic, or just avoid those silly comments as it’s basically fluff to an otherwise well written comment.
It seems like most of this may have been a misunderstanding as @anon36227541 explained.