Need help with password/account management

I have recently set up a BIOS-protected, full-disk-encryption, UKI, Secure Boot and TPM2 (with a PIN) setup on the linux-hardened kernel (alongside other tweaks), and it has hit me that I need to figure out a secure way of storing my passwords, especially extremely important ones (like the TPM PIN, BIOS password, LUKS password, etc.) and my Proton accounts.

Previously I stored both of my Proton accounts' passwords and one-time passcodes in Proton Pass, so if I had lost access to my online Proton account, I would have been in a very, very bad situation (which nearly happened)... so today I am asking for some feedback on my ideas/current progress! Just for context, my threat model is to mitigate mass surveillance and to protect my data.

Side note: I do not have any physical hardware keys at the moment. I finally have access to some income and I definitely want to look into that (it could probably solve a lot of my problems xD).

Current Idea

My current idea is to store anything extremely important (LUKS password, etc.) in a notebook that I always carry on me (with two backups, one stored in my house and one off-site), but change them in a specific order. Let's say you generated a 16-character password on Proton Pass's password generator (website) and you got:
ZhxB5?g@QeyNCj6E

I would then turn this into:
@g?5BxhZE6jCNyeQ and write it down.

The only issues that I see with this are if I either go into a very long coma and forget how to convert it back, lose the notebook (and my backups) at the same time, or someone figures out the original password; there is also that one comic by xkcd that could also happen... Plus I'm not sure if this is the best way to do this, but it's what I have thought of so far based on my threat model.

Managing Proton Accounts/Password Manager

My Proton accounts are very important: on my internet account I pay for Proton Pass and that saves all of my passwords (including personal ones), and my personal account has my camera roll stored on it as a backup measure, plus important emails, etc. I log into these accounts on different Firefox profiles, both with arkenfox hardening.

I have set up Ente Auth to store both of my Proton accounts' one-time passcodes, and in the note section I store the password using the same process as above. The password to Ente Auth will be memorized, and I have only temporarily written it down so I can memorize it. Yet again, the only issue I see with this is if I go into a coma, or that one xkcd comic.

I have got my Ente Auth recovery code, alongside both of my Proton recovery codes, but I am at a loss as to where to store them. They are just written on a piece of paper right now, and this also goes for the TPM recovery key. I could store the TPM recovery key in the notebook (and in the backups), and store the Ente and Proton recovery codes on my laptop, but then I would need to figure out how to back up the Ente and Proton recovery codes.

The End

And that's it! I think I've covered everything... if you have any feedback/recommendations I would really appreciate you sharing. I haven't tried to come up with a system like this before, so I thought I'd share and see if I'm on track, or if I have missed anything critical/important c:

This is by far not an exhaustive response. It also is not coming from an expert. These statements are just my opinions.

I don’t think carrying around a physical notebook like that is a great idea. Your mileage may vary, but the risk of it being lost or stolen could put you in a very bad situation. I knew someone who kept all their passwords in a notebook in their bag… they also regularly left their bag unattended.

I think you should have physical records of absolutely crucial information (like recovery keys and such), and should probably use some variation of the 3-2-1 rule that is used for backups (3 copies including the original, 2 storage mediums, 1 copy off-site). If you have a safe, use that (even if you lose your memory, as long as you have some way of knowing to look inside the safe, a physical safe can always be physically compromised). Ideally, have at least one other person you can absolutely trust. That said…

I think you definitely should not try to do any mental tricks on these records. If you are unfortunate enough to lose your memory (or just forget), you aren’t necessarily going to have any warning before it happens. This is just creating extra risk of data loss.

I think the recovery codes should be stored as described above.

Other thoughts:

I think you should print out paper copies of your important information rather than writing by hand. You may not be able to read your own handwriting in the future, the ink/graphite may smudge, etc. Use a legible font with clear distinctions between often confusing characters (i vs I vs l vs 1, 0 vs o vs O, etc). If you can, laminate them too.

There’s this experimental tool I know of called paperback. I haven’t reviewed the code and it IS experimental, so don’t go blindly using it, but it is supposed to be a tool for making encrypted backups printed on paper that you can share “key shards” for with multiple people, where no single person can decrypt the backup with their shard alone.

The technique I use is diceware passwords for things that I have to log into frequently, like sudo or LUKS. You will remember the passwords pretty soon after typing them all the time. If there is a password for something that is less commonly used (like a rarely used VeraCrypt volume) that I don't want to wall off behind a password manager for various reasons, I use a stateless password manager such as https://spectre.app/ as mentioned above; lesspass is another one.

Thanks for the response, I think it fully hit me that asking for feedback is always a good idea lol

I did mention that there were issues with using the notebook, and after taking a step back for a few hours it really isn't the best idea, including the idea of modifying passwords. Even with backups it doesn't make much sense xd

I think printing out my important recovery codes (Proton accounts, Ente Auth, TPM) is probably the best idea, and in hindsight I should have thought of this myself. The only issue now is finding a place that I can trust to print out the papers, because I don't own a printer. But I always have backups and am going to plan to give a copy to someone I trust extremely, and since I don't have a safe, somewhere in my house will have to do for now.

Also, paperback sounds like such a cool project, I shall look into it further! And thanks for your response again c:

I only recommend it for 1 or 2 logins, not as a full replacement for a password manager.

Yes, I don't agree with all the hate on stateless/deterministic password managers, especially for offline things like VeraCrypt volumes on physical drives that you'd want to be able to access in an emergency, or anything you would not want to be locked out of if you lost access to your main passwords, for example syncthing backup passwords.

I think you're making a couple of understandable mistakes here. I want to explain the flaws in them individually, and then get to a solution I think addresses all of them. Hopefully the way I'm writing this will make sense. Any risks of course depend on your threat model, and you might be willing to accept them, but I think you should make sure to understand them fully.

This is good for reliability, but not good for confidentiality, considering the contents of these notebooks are, as you said, extremely important secrets in effectively plaintext. You will not have any control over, or even knowledge of, another person accessing these secrets while you're not around.

This doesn't provide any significant security. If an attacker knows what specific characters your password consists of, but just not the exact real sequence, then unless it is of an absurd length to the point where you will have a hard time reconstructing it yourself, there is very little actual entropy that needs to be brute forced.

One bit of entropy for being reversed, and then something like 4 (I'm not a mathematician, so maybe not exactly) for the split location. If they can figure out you're pulling a trick along these lines, even without knowing specifically, a smart attacker can brute force the real password in seconds.

I also don’t understand the point of this because then you still need to commit something somewhat complex for a human to remember to memory: the actual pattern you used.

What you should be doing instead is generating a sufficiently long diceware passphrase for the couple of things you need to be able to access without your password manager (I'd imagine just your master password really, maybe also the LUKS password as a separate one), and committing those to memory, never writing them down. Store everything else in a password manager. Passphrases are long and secure but easy to remember, because human minds are very good at remembering sequences of words, even if they're random.

7+ words should be sufficiently safe for anything using a modern KDF (both your password manager and LUKS should), even assuming the attacker knows you’re using a diceware passphrase.

E.g., conjoined sterling securely chitchat spinout pelvis rice (taken[1] from Wikipedia)


  1. kind of, their examples are 6 words
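To put numbers on the entropy argument in this reply, here is an added Python example (not part of the thread). It reproduces the notebook transformation from the original post (reverse the string, then swap the halves, which is a rotation at position 8), counts how many candidate originals that family of tricks leaves to guess, and compares that with a 7-word diceware passphrase; the 7776-word list size is an assumption about which diceware list is used.

```python
import math

# Constructed from the thread: the generated password and the form written down.
ORIGINAL = "ZhxB5?g@QeyNCj6E"
WRITTEN_DOWN = "@g?5BxhZE6jCNyeQ"

# Assumed list size: the classic diceware list has 6^5 = 7776 words.
DICEWARE_LIST_SIZE = 7776


def scramble(password: str, split: int, reverse: bool = True) -> str:
    """Apply the notebook trick: optionally reverse, then rotate at `split`."""
    s = password[::-1] if reverse else password
    return s[split:] + s[:split]


def candidate_set(scrambled: str) -> set[str]:
    """All originals the trick family could have mapped onto `scrambled`.

    Undoing a rotation is another rotation and undoing a reversal is a
    reversal, so the candidates are the rotations of `scrambled` and the
    rotations of its reverse. A set de-duplicates coincidences.
    """
    n = len(scrambled)
    cands = set()
    for rev in (False, True):
        for split in range(n):
            cands.add(scramble(scrambled, split, rev))
    return cands


def trick_entropy_bits(scrambled: str) -> float:
    """Bits left to guess once an attacker suspects this kind of trick."""
    return math.log2(len(candidate_set(scrambled)))


def diceware_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `words` words drawn uniformly from a list of `list_size`."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    assert scramble(ORIGINAL, 8) == WRITTEN_DOWN  # the post's example is split=8
    cands = candidate_set(WRITTEN_DOWN)
    print(f"trick candidates: {len(cands)} (~{trick_entropy_bits(WRITTEN_DOWN):.1f} bits)")
    print(f"7-word diceware passphrase: ~{diceware_entropy_bits(7):.1f} bits")
```

For a 16-character password with distinct characters the trick leaves 32 candidates (5 bits), while the 7-word passphrase carries about 90 bits.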

Thank you to everyone who has replied! The feedback has been very helpful, marked as solved now c: