[kwlug-disc] 2FA Google Authentication and Best Practices with passwords

Doug Moen doug at moens.org
Fri Feb 4 16:39:33 EST 2022


I keep all my passwords written in a paper book, not a computer or digital device.
I use longish passphrases, not "secure passwords" that I have no hope of memorizing.
I use a different password for each site, so if one site is compromised, the others aren't also compromised.

My wife knows where the book is, so if I'm incapacitated and she needs my password for some reason, it's easily accessible.

I do not store my passwords digitally. Computers are inherently insecure and untrustworthy, so if my password is stored digitally in a device that is directly or indirectly connected to the internet, then I assume that password is compromised. Computers are also way too complicated. A paper book is simple, robust and is impervious to remote exploits.

As always, you should think about your threat model when choosing how to do something digital. Different threat models => different methods. Also, any choice you make inherently has compromises. In my case, I obtain simplicity, robustness and imperviousness to remote exploit at the expense of less secure passwords (passphrases that I can memorize, vs base64 encoded 256 bit random numbers or whatever).

Doug Moen.

On Fri, Feb 4, 2022, at 6:21 AM, Darren Pond wrote:
> Good Day KWLug
> Going down the rabbit hole of password management.
> 
> Seeking Best practices with documentation & Password?
> 
> I recently cracked my cell phone display losing access to it. 
> At least I was prepared for this as just the previous weekend I had updated my password collection, 190 and counting, which I keep on a Libr spreadsheet in KDE Linux vault and a second paper copy at my brother's house.
> Long story longer. When my father passed away last January he also was attempting to keep track of passwords. Only his mental state had both slid & his method of recording was totally random and has taken months to clean up.
> Or another simple issue is my not so tech friendly wife should also have access to PW's 
> 
> What is everyone doing about Passwords and documentation?
> 
> This new to me Google Authentication at first look was ok seems like a good idea. 
> Until you lose access to your cell phone or consider how your Personal Executors and Powers of Attorney family members will tackle your asset and find all the information that we deemed Password worthy.
> 
> Yes, I know it's possible to access bank accounts with brick n mortar via paper documentation. If you have lots of personal cash flow, time and you actually live in the same province as the family member, but what about all those other accounts that need to be dealt with?
> 
> The Google Authentication 2FA is a pain to me as I want to use my Desktop KDE Linux with a nice large screen and keyboard instead of being pulled back to the cell phone each time.
> Once I open the program that I need the 2FA for, it's a struggle to get back to Desktop to continue to work.
> 
> Any workarounds on KDE Linux I should be exploring?
> Keepass also looks like a convenient option for not so important PW that we use all the time. Still have yet to figure out how to get it to work on KDE and Firefox.
> 
> 
> Is Yubikey a solution or is this just another weak link in cyber and social security? Like, oops, I lost the key. Or does anyone know where dad may have left the key.
> 
> Side Note any KWlug KDE users out there that have time to hold newbie hand and field the occasional question?
> 
> Darren
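What a Google Authenticator code actually is, as an added example that is not part of this thread: the RFC 6238 TOTP arithmetic in Python, using the RFC's own test secret (base32-encoded here as RFC6238_SECRET_B32, a labelled test value, not anyone's real secret). Because each code is just an HMAC over the current 30-second counter, the same secret can live in a desktop authenticator on KDE Linux rather than only on a phone; verify_totp shows the check a service performs, with a clock-skew window and a constant-time comparison.

```python
import base64
import hmac
import struct
import time

# Test secret from RFC 6238 Appendix B: the ASCII string "12345678901234567890",
# base32-encoded the way authenticator apps expect it in an otpauth:// QR code.
# This is a published test vector, not a real account secret.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_secret(secret_b32):
    """Decode a base32 TOTP secret, tolerating spaces and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(now // step), digits, algo)

def verify_totp(secret_b32, submitted, at=None, step=30, window=1):
    """Server-side check: accept the current code or one within +/- `window`
    steps to tolerate clock skew; constant-time compare so the comparison
    itself does not leak how many digits matched."""
    now = time.time() if at is None else at
    key = decode_secret(secret_b32)
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(key, counter + d), submitted)
        for d in range(-window, window + 1)
    )

if __name__ == "__main__":
    # At t=59 the RFC vector is 94287082; a 6-digit app shows its last six digits.
    print(totp(RFC6238_SECRET_B32, at=59))   # 287082
    print(totp(RFC6238_SECRET_B32))          # what an authenticator app shows now
```

Any client that can compute this (a desktop app, a hardware token, a script) is interchangeable with the phone app for a given secret, which is also why the secret, not the 6-digit code, is the thing worth protecting and backing up.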