30
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 27 Jan 2025
30 points (100.0% liked)
TechTakes
2219 readers
204 users here now
Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.
This is not debate club. Unless it’s amusing debate.
For actually-good tech, you want our NotAwfulTech community
founded 2 years ago
MODERATORS
I've come around a bit since posting yesterday (after looking into the various hardware key options, like OnlyKey). The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it's the added complexity of "use this physical device" and the concern I had about recovering accounts if I lost the Yubikey. Their page on spare devices does not inspire confidence.
Fair point! I chose 128 because it's the maximum allowed in Bitwarden (if it's going to be copy-pasted anyway, who cares). Assuming I didn't fuck up basic math, the entropy of a passphrase of length
n
selected uniformly at random from characters inA
is given bynlog|A|
, so to reach 128 bits of entropy with 70 chars (lower + upper + digits + special) requires a passphrase of length 21.The solokey v2 and the nitrokey v3 (I think) have some firmware upgradability, but they're not as capable as a yubikey (the last time I checked I couldn't use either of them to unlock a keepassxc password vault, for example). Whilst it would be a right hassle to deal with a lost device, I generally lock my accounts with a main key and two spares that get stored safely and make a note in my password database of which accounts can use which keys so there's little risk of locking myself out of anything, and I can get a list of sites to visit to revoke credentials from. In any case, the minor inconvenience is a good tradeoff for me, given the significant security guarantees the keys offer over other authentication mechanisms.
But also, "added complexity" is just a thing with two factor authentication, and most of my use of U2F keys involves less effort than unlocking my phone, then unlocking my TOTP application, then searching for the account and site I'm trying to unlock, then waiting for the timer to reset because I can't authenticate before the current code expires, etc.
Beats me! I just use off-the-shelf entropy calculators and hope they're right. They mostly seem to agree that ~128 bits of entropy from a 10-word (70-85-ish characters) passphrase from the EFF large wordlist, or ~24 characters from uppercase/lowercase/numeric. Both might be reasonably considered overkill, if you can be sure that the thing that's hashing the password is using a modern algorithm (which often you can't, sadly).
I also dislike unreasonably long passwords because more modestly-sized ones can be typed out manually when needs be, or even read over the phone in an emergency. I wouldn't fancy doing that with 128 character passwords! You may of course never need to do those things, but I've needed to do both, at work and otherwise.