Thoughts about password re-use for local stuff?

I’m thinking about PC OS logins, LUKS, BIOS passwords, ssh keys, and the like. There are many places where a password manager isn’t feasible, even an OnlyKey which I use extensively. Since they are local the harm is minimal, but it’s probably not ideal.

I’d rather not describe my own situation, but if you have multiple computers, this can get complex, and so re-using passwords is virtually a necessity. I already have too many passwords that I need to remember. Sometimes it’s not a password but a username or an email address, or a phone/SIM PIN. Most things I don’t have to remember but remember out of convenience. I personally have one password for the primary user of each of my PCs. I have a “public” password I use for anything I expect to type on public computers.

OnlyKey makes this a lot easier, and I highly recommend it. But there are limitations. There are only 24 slots, most of which I use for online stuff. I don’t bring it with me when I leave the house. I wouldn’t rely on it for the LUKS encryption key that unlocks the disk on which my password manager is stored; I need to remember that one. I could buy another one, and I plan to, but they’re expensive.


I wouldn’t do password reuse for LUKS and login passwords due to risk of the device being compromised, and then the adversary also having your LUKS pass.

For LUKS you could use a Yubikey.

You might only use those slots for really important things, which probably support FIDO2 anyway; for the rest you could just use a TOTP app or password manager.

As long as they’re physical devices requiring physical input, a compromise you could use is password peppering. This would act as a sort of mental 2FA while still simplifying what you need to remember significantly.


For LUKS you could use a Yubikey.

Using a static password, or with challenge response? I use both on my yubikey but for my password manager. Yubikeys only have two slots. It doesn’t solve the LUKS problem.

You might only use those slots for really important things, which probably support FIDO2 anyway; for the rest you could just use a TOTP app or password manager.

Even still, I’m running out of slots. FIDO2 U2F has essentially unlimited storage so there’s no issue there.

I actually already do this. I do it with my password manager’s master password (part of it is known only to me, not stored anywhere). Maybe I’m overthinking it, but what happens when you have multiple peppers? How do I manage my peppers?

I also have a second password manager that uses its own pepper, stored on a different device, that contains TOTP keys and such.

That depends on how secure you want to be, but the simplest (and easiest to remember) would be to pick a theme for your peppers.

For example (in no particular order of security):

  • type of device: ***laptop, ***laptopluks, ***phone
  • specific model: ***pixel7a, ***macbookpro2022
  • device color (if different): ***blue, ***black
  • give them person names: ***bob, ***sophie
  • screen size: ***six, ***27", ***twentyseven

What you pick doesn’t really matter as long as it’s easy to remember since it’s just an additional layer to your password. 6 digit 2FA codes are not secure by themselves, they just add a layer.

It is helpful if you’re reminded of the device pepper when looking at it so that you don’t need to write it down anywhere, but it is of course more secure if they appear arbitrary.

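The per-device pepper idea above, taken one step further as an added example (not code from anyone in this thread): instead of typing base secret plus pepper, derive an arbitrary-looking per-device password from one memorised secret and a public label with PBKDF2, so the label plays the pepper's role without needing to be secret or memorable-but-guessable, and a login password leaked from one machine says nothing about that machine's LUKS passphrase. The base secret, the labels and the iteration count are assumptions; the trade-off is that you need somewhere to run the derivation (a phone, say) before typing the result at a LUKS or BIOS prompt.

```python
import hashlib
import hmac
import math

# Typeable alphabet without look-alike characters (no 0/O, 1/l/I), so the
# result is easy to read off a phone screen and type at a boot prompt.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 cost; tune to your slowest device


def _bytes_to_alphabet(key: bytes, length: int) -> str:
    """Expand a derived key into `length` alphabet characters without modulo bias."""
    out = []
    counter = 0
    limit = 256 - (256 % len(ALPHABET))  # largest multiple of |ALPHABET| <= 256
    while len(out) < length:
        # HMAC-based counter stream: as many unbiased bytes as we need.
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:  # rejection sampling: drop bytes that would skew the distribution
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
    return "".join(out)


def derive_device_password(base_secret: str, device: str, purpose: str, length: int = 16) -> str:
    """Derive a password for one device and purpose from a single memorised secret.

    The public label "<device>/<purpose>" (e.g. "laptop/luks") is the salt. Different
    labels give unrelated outputs, so "laptop/luks" and "laptop/login" never share anything.
    """
    if length < 8:
        raise ValueError("refusing to derive a password shorter than 8 characters")
    salt = f"{device}/{purpose}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", base_secret.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return _bytes_to_alphabet(key, length)


def entropy_bits(length: int) -> float:
    """Guessing entropy of a derived password of the given length (attacker without the base secret)."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample inputs; the base secret here is only a placeholder.
    for label in (("laptop", "luks"), ("laptop", "login"), ("desktop", "luks")):
        print(f"{label[0]}/{label[1]}: {derive_device_password('example base secret', *label)}")
    print(f"{entropy_bits(16):.1f} bits per 16-character password")
```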

I don’t use the same password with LUKS and my login. I use one LUKS password for the system disk of all of my computers including my laptop. I use one login password for the logins of all my PCs as well.

I would need to have 8 separate passwords, 2 for each PC, one for LUKS and one for login. None of these can be retrieved from my PM (though they can be stored there, but retrieval is impractical). I also have other passwords for routers and such. I can’t rely on memory for this. Even after organising my OnlyKey it’s still a lot. This doesn’t even account for having more than one user on a PC, and other devices like routers.

What do network admins normally do? An OnlyKey is essential but even that is limited to 24. I need more. I don’t think Nitrokey works here cause it’s software based.

Curious if you have some advice? I could re-use the same LUKS password but have all my logins different, or vice versa, and not sure which would be more secure.