I am in the process of replacing my reused passwords with randomly generated passwords stored in my password manager. However, there are some passwords my password manager cannot remember for me, since I need to remember them to be able to access my password manager:
master password
user account password for each of my devices
disk encryption password for each of my devices
For example, if I have 5 devices, I would have 11 6-word passphrases to remember, which is a lot. Is it possible to remember them all?
If yes, what are your strategies for remembering so many passwords?
If no, which passwords do you reuse?
Is it safe to reuse the same password for disk encryption and user account of the same device?
Is it safe to reuse the same password across multiple devices?
Is it a good idea to store device passwords on another device, and look up passwords on that other device whenever you need to turn on a device?
In this case, you would presumably remember the password of 1 device you bring outside, and the password of 1 device left at home in case you lose the other device.
I would like to remember no more than 3 6-word passphrases, if possible.
It’s probably best to make those different but ideally your online account would use passkeys or something instead of a password. If you have some proper 2FA set up like a FIDO hardware key then the password doesn’t matter all that much.
If you have a strong password, your device passwords aren’t leaving your devices so it’s not as risky to reuse them. You can enable biometrics to reduce the amount of times you type your password in public.
This is essentially just the same as reusing passwords with extra steps. If you’re going to do this then a compromise of one device will compromise your other devices by proxy, so just have one strong password that you use on all your devices at that point.
Like @fria mentioned, I simply reuse some passphrases for disk encryption as they don’t leave my device. Consider doing the same if that also applies to you.
Subsequently, since the root filesystem is already protected by a strong passphrase, I just used pwgen to create one with a satisfactory amount of entropy that’d also be easier to remember. Depends on your threat model I guess, but if an attacker had access to /etc/shadow, then they either have the disk encryption password (making password strength of the user account irrelevant) or they already have root access
It’s easy enough to make a decent passphrase with pwgen
It helped that I memorized different passphrases over the course of years, to be fair. Memorizing multiple 6-word passphrases in the short term sounds hard
For various encrypted drives or file containers, I use the same set of passphrases
It depends on your setup, but I wouldn’t. Partially because of what I said above, also partially because an improperly-secured Linux computer can easily have the password compromised in a number of ways
For phones, if you do not enable biometrics for ~6 months, muscle memory will take over. For computers & master passwords have you considered hardware password managers/keyboard emulators? Still use my onlykey to this day for certain devices.
It is possible to remember those passwords but it may be difficult and risky. Committing them to memory will take time, and if you forget one of the passwords it will cause you trouble.
Like what others mentioned, you may be able to explore ways to reuse some of those passwords in a way that doesn’t decrease security.
As a failsafe in case you forget one or more passwords, using KeePass, OpenPGP or some other reputable data encryption software, you can encrypt all your master passwords, and password protect and store the data in such a way that accessing the data requires a certain number of your master passwords. For instance you could require knowledge of three of those 11 passwords, and once you have committed your passwords to memory you could then change it to require for instance six of the 11 passwords; or delete the encrypted data if you’re confident. However this depends on whether your threat model can safely allow such a system. If a state that coerces people to decrypt data is part of your threat model, you probably will not want to do this.
You will then need to practice entering your passwords regularly over time. The simplest and surest way is to practice entering your passwords by accessing your own devices, data and accounts. Without biometrics or anything else of course.
And the other strategy is, use them often. I can still remember the Bitwarden password of my old work place from two years ago thanks to these two things.
Alternatively, like freya said, use Passkeys. They are phishing resistant as well. I have a locally stored passkey on each device for my password manager.
I imagine everyone else will rightfully denounce this as terrible advice, but having the passwords written down and stored in a safe as a backup could be an option.
Muscle memory, which means that all of those devices must be frequently rotated. If you neglect one or more devices, it will be more difficult to recall the password when you access it next time.
different password for disk encryption and user account
same password across devices
turn on biometrics to avoid shoulder surfing
This is essentially just the same as reusing passwords with extra steps. If you’re going to do this then a compromise of one device will compromise your other devices by proxy, so just have one strong password that you use on all your devices at that point.
From my understanding, the idea of a password manager is to reduce the attack surface by only having to guard one entry point that contains the keys to everything else, instead of reusing keys and having multiple entry points accessible with the same key.
Given everyone’s replies so far, I have decided on
turn on biometrics for devices brought outside as shoulder surfing is a much more likely threat in my threat model
type passwords at home to remember them, including on devices with biometrics
use different password for disk encryption and user account
begin by reusing the same passwords across devices until i remember them, then optionally replace with unique passwords if I still have mental capacity
You won’t be able to memorize your most important passwords right away; it might take several months. Write down your main passwords on a piece of paper and hide them so that they won’t be found if your home is searched.
Why can’t you save these in your password manager?
I would argue that as long as you have multiple devices with your password manager installed , you should be safe. Even if you didn’t, most password managers would easily allow you to login on the device of someone you trust. The exception being 1Password, because they also require a security key when you log in for the first time on a new device. It’s still possible, but there are more obstacles.
There are also secure ways to write and safely store your passphrase on a physical piece of paper, just in case.
My approach is I use proton pass for all my passwords, aliases and 2fa. My proton accounts password are stored in an offline password manager that I put on each of my devices (PearPass) and set up manually. And the 2fa for those accounts go in Ente Auth.
So all day everyday is proton. Easy. To get into proton I use PearPass and enter which can be set up as biometric or pin. As they are offline I am only worried about physically protecting them as opposed to brute force attacks online
All my passwords, insurance card, and other forms of sensitive information are in Proton Pass. You can manually add passwords for instances like yours, and you just have to open Proton Pass & look up your passwords as needed.
I would NOT use it for 2FA personally. I use Aegis (may be Android only) for 2FA.
You can use Proton Authenticator (separate app) but I would NOT sync it to Proton. If you do, I think you can set up an additional form of authentication within the app!
I think I could probably remember 2 passphrases. Bug having to remember more would be too much. Even with 2, I would definitely have to write them down on a piece of paper just in case.
But yes, like you said, if you stop using the device you unlock every day, you will forget the passphrase.
With all that being said, beyond muscle memory, don’t you find it annoying to have to type a passphrase for your computer every day?
I’m not annoyed with having to type my password manager’s passphrase every day on my computer. But I think I would get frustrated if I had to do it with my PC too.
No, it is no different from other hygienic practices, and it ceases being a menial chore when I define a workflow that works for me instead of following external password policies.