Remembering device and master passwords

I am in the process of replacing my reused passwords with randomly generated passwords stored in my password manager. However, there are some passwords my password manager cannot remember for me, since I need to remember them to be able to access my password manager:

  • master password
  • user account password for each of my devices
  • disk encryption password for each of my devices

For example, if I have 5 devices, I would have 11 6-word passphrases to remember, which is a lot. Is it possible to remember them all?

  • If yes, what are your strategies for remembering so many passwords?
  • If no, which passwords do you reuse?
    • Is it safe to reuse the same password for disk encryption and user account of the same device?
    • Is it safe to reuse the same password across multiple devices?
    • Is it a good idea to store device passwords on another device, and look up passwords on that other device whenever you need to turn on a device?
      • In this case, you would presumably remember the password of 1 device you bring outside, and the password of 1 device left at home in case you lose the other device.

I would like to remember no more than 3 6-word passphrases, if possible.

It’s probably best to make those different but ideally your online account would use passkeys or something instead of a password. If you have some proper 2FA set up like a FIDO hardware key then the password doesn’t matter all that much.

If you have a strong password, your device passwords aren’t leaving your devices so it’s not as risky to reuse them. You can enable biometrics to reduce the amount of times you type your password in public.

This is essentially just the same as reusing passwords with extra steps. If you’re going to do this then a compromise of one device will compromise your other devices by proxy, so just have one strong password that you use on all your devices at that point.

Like @fria mentioned, I simply reuse some passphrases for disk encryption as they don’t leave my device. Consider doing the same if that also applies to you.

Subsequently, since the root filesystem is already protected by a strong passphrase, I just used pwgen to create one with a satisfactory amount of entropy that’d also be easier to remember. Depends on your threat model I guess, but if an attacker had access to /etc/shadow, then they either have the disk encryption password (making password strength of the user account irrelevant) or they already have root access

It’s easy enough to make a decent passphrase with pwgen

It helped that I memorized different passphrases over the course of years, to be fair. Memorizing multiple 6-word passphrases in the short term sounds hard

For various encrypted drives or file containers, I use the same set of passphrases

It depends on your setup, but I wouldn’t. Partially because of what I said above, also partially because an improperly-secured Linux computer can easily have the password compromised in a number of ways

as long as you trust the devices themselves

For phones, if you do not enable biometrics for ~6 months, muscle memory will take over. For computers & master passwords have you considered hardware password managers/keyboard emulators? Still use my onlykey to this day for certain devices.

Welcome!

It is possible to remember those passwords but it may be difficult and risky. Committing them to memory will take time, and if you forget one of the passwords it will cause you trouble.

Like what others mentioned, you may be able to explore ways to reuse some of those passwords in a way that doesn’t decrease security.

As a failsafe in case you forget one or more passwords, using KeePass, OpenPGP or some other reputable data encryption software, you can encrypt all your master passwords, and password protect and store the data in such a way that accessing the data requires a certain number of your master passwords. For instance you could require knowledge of three of those 11 passwords, and once you have committed your passwords to memory you could then change it to require for instance six of the 11 passwords; or delete the encrypted data if you’re confident. However this depends on whether your threat model can safely allow such a system. If a state that coerces people to decrypt data is part of your threat model, you probably will not want to do this.

You will then need to practice entering your passwords regularly over time. The simplest and surest way is to practice entering your passwords by accessing your own devices, data and accounts. Without biometrics or anything else of course.

Password managers like Bitwarden have a tool to generate random 4 word passphrases.

Make a story for the words in your head, to help remember them. Stories are crazy good for that. The story does not need to make sense.

See this xkcd on why it safe xkcd: Password Strength

And the other strategy is, use them often. I can still remember the Bitwarden password of my old work place from two years ago thanks to these two things.

Alternatively, like freya said, use Passkeys. They are phishing resistant as well. I have a locally stored passkey on each device for my password manager.

It would be enough to only remember your phone’s password and your masterpassword and then save all other password’s there.

I imagine everyone else will rightfully denounce this as terrible advice, but having the passwords written down and stored in a safe as a backup could be an option.

Muscle memory, which means that all of those devices must be frequently rotated. If you neglect one or more devices, it will be more difficult to recall the password when you access it next time.

Thanks for all your replies. Since the responses are quite varied, I’ll try to summarise them:

@fria

  • different password for disk encryption and user account
  • same password across devices
  • turn on biometrics to avoid shoulder surfing

This is essentially just the same as reusing passwords with extra steps. If you’re going to do this then a compromise of one device will compromise your other devices by proxy, so just have one strong password that you use on all your devices at that point.

From my understanding, the idea of a password manager is to reduce the attack surface by only having to guard one entry point that contains the keys to everything else, instead of reusing keys and having multiple entry points accessible with the same key.

@nyanite23

  • different password for disk encryption and user account
  • same password across devices

@Litigated

  • hardware password managers/keyboard emulators
  • turn off biometrics for phones for 6 months

@beantaco

  • just remember them
  • allow recovery with x out of y passwords
  • turn off biometrics

@shadowwwind

  • just remember them

@Archer

  • use one device to store device passwords for other devices

@Gopher

  • just remember them
  • allow recovery with written passwords stored in safe
  • must remember safe password

@FranklyFlawless

  • muscle memory

Given everyone’s replies so far, I have decided on

  • turn on biometrics for devices brought outside as shoulder surfing is a much more likely threat in my threat model
  • type passwords at home to remember them, including on devices with biometrics
  • use different password for disk encryption and user account
  • begin by reusing the same passwords across devices until i remember them, then optionally replace with unique passwords if I still have mental capacity

Solid plan and strategy, good luck on your privacy and security journey.

You won’t be able to memorize your most important passwords right away; it might take several months. Write down your main passwords on a piece of paper and hide them so that they won’t be found if your home is searched.

Why can’t you save these in your password manager?

I would argue that as long as you have multiple devices with your password manager installed , you should be safe. Even if you didn’t, most password managers would easily allow you to login on the device of someone you trust. The exception being 1Password, because they also require a security key when you log in for the first time on a new device. It’s still possible, but there are more obstacles.

There are also secure ways to write and safely store your passphrase on a physical piece of paper, just in case.

My approach is I use proton pass for all my passwords, aliases and 2fa. My proton accounts password are stored in an offline password manager that I put on each of my devices (PearPass) and set up manually. And the 2fa for those accounts go in Ente Auth.

So all day everyday is proton. Easy. To get into proton I use PearPass and enter which can be set up as biometric or pin. As they are offline I am only worried about physically protecting them as opposed to brute force attacks online

I am likely to be on that boat very soon with 1Password increasing their prices.

:smiling_face_with_sunglasses:

Never heard of PearPass, but it looks cool.
Is it 100% free or do they have a paid tier?

QUESTION FOR EVERYBODY:

Do you use a Passphrase for your computer? If yes, how do you remember it?

All my passwords, insurance card, and other forms of sensitive information are in Proton Pass. You can manually add passwords for instances like yours, and you just have to open Proton Pass & look up your passwords as needed.

I would NOT use it for 2FA personally. I use Aegis (may be Android only) for 2FA.

You can use Proton Authenticator (separate app) but I would NOT sync it to Proton. If you do, I think you can set up an additional form of authentication within the app!

Yes, see my above response.

I think I could probably remember 2 passphrases. Bug having to remember more would be too much. Even with 2, I would definitely have to write them down on a piece of paper just in case.

But yes, like you said, if you stop using the device you unlock every day, you will forget the passphrase.

With all that being said, beyond muscle memory, don’t you find it annoying to have to type a passphrase for your computer every day?

I’m not annoyed with having to type my password manager’s passphrase every day on my computer. But I think I would get frustrated if I had to do it with my PC too.

No, it is no different from other hygienic practices, and it ceases being a menial chore when I define a workflow that works for me instead of following external password policies.