
Commit

Merge pull request #6 from zolagonano/chapter_4
Fixing some writing errors
zolagonano authored May 24, 2024
2 parents 6a8bbbb + dca67a1 commit 120b4e6
Showing 1 changed file with 12 additions and 13 deletions.
25 changes: 12 additions & 13 deletions src/chapter_4.md
Expand Up @@ -6,28 +6,27 @@ As you become more skilled, you'll progress to stone tools, then iron, and maybe

But this chapter focuses on the essentials—the wooden and stone tools—of the privacy world. These are the basic building blocks of your digital privacy and security. The essentials in the privacy world include encryption tools, anonymity tools, VPNs, emails, secure messengers, password managers, and multi-factor authentication tools. These are the bare minimums for privacy, aligning with the threat models of most individuals.

## Passwords and Password Managers

Passwords are crucial for protecting our accounts, devices, and secrets. It's essential to ensure they are kept safe, secure, and accessible to us. Trying to remember a complex password for each account isn't practical. As I've explained earlier, using the same password for multiple accounts, regardless of its complexity, poses a significant risk. If one account is compromised, all others using the same password become vulnerable. Conversely, trying to remember different passwords for each site is challenging for humans, especially if not used frequently.
I'm sorry for misunderstanding your instructions. Let me correct the grammar, spelling, and formatting errors while preserving your original tone and style.

This is where password managers come into play. Password managers are software, either online or offline, designed to securely store passwords and other sensitive information using encryption. Access to the contents is typically protected by a master password, which you memorize. With a password manager, you only need to remember this master password to access all other stored passwords securely.
## Passwords and Password Managers

Here are some characteristics of a good password manager, in my opinion:
Passwords are what protect our accounts, devices, and our secrets. We need to take all actions to keep them safe, secure, and accessible to ourselves. Trying to remember a hard password is a bad idea, and I've already explained why. If you use a single password for everything, no matter its complexity, and a data breach containing your account happens, then all your other accounts are accessible using that leaked password. And if you try remembering different passwords for every website, you will forget them all. Humans aren't that good at memorizing random passwords, especially if you don't recall them often.

1. **Encryption:** A reliable password manager should use robust encryption. Never use one where you're uncertain about its encryption methods.

2. **Open-source:** While open-source software isn't inherently safer, it allows users to inspect the code and encryption implementation, increasing transparency and trust.
Here, the password managers come to play. Password managers are software, either online or offline, to store passwords and other notes and secrets safely and securely using encryption. The content inside them will be accessible through one password, usually known as the master password. So when using a password manager, you will memorize a complex password as your master password, and that will be used to access other passwords inside your password manager's vault. Now you don't need to remember any other password or secret.

3. **Independent Audits:** Password managers should undergo independent audits to identify any potential flaws in their encryption methods.
A good password manager should have these characteristics, in my opinion:

4. **Offline or Self-hosted:** While cloud-based password managers can be secure if implemented correctly, opting for a self-hosted or offline option, like Bitwarden or KeePass, reduces the risk of data breaches since you're less likely to be targeted compared to a server hosting thousands of users' passwords.
1. They need to be encrypted. Never use a password manager that you're unsure of its encryption.
2. They need to be open-source. Not that open-source software is necessarily safer, but with them being open-source, we can check their codes and the implementation of encryptions and make sure they're safe.
3. They must be audited independently. We're not cryptography analysis experts. An audit will show if there are any flaws in the cryptography implementation of a software encryption.
4. They better be offline or self-hosted. There is no problem with a cloud-based password manager if it is implemented correctly. Even if their database gets leaked, the passwords should still be encrypted and secure. But when using a self-hosted or offline password manager, like Bitwarden (which can be self-hosted) or Keepass, you minimize the risk of leakage because it is far less likely that you will be more targeted than a password manager's server with thousands of users.

### Choosing a Secure Master Password

But how do you generate a secure master password? First, it's crucial to understand the difference between passwords and passphrases. Passwords are random strings of letters, numbers, and symbols, challenging for humans to remember but easier for computers to crack. Passphrases, on the other hand, consist of a series of words separated by a character, making them easier for humans to recall but more challenging for computers to crack due to their length and higher entropy.
But how can you generate a secure master password? You need to forget the passwords first. Passwords are a string of random letters, numbers, and punctuation characters. They will get really hard really fast for humans to memorize but not as much for computers to crack and guess through brute force attacks. But on the other hand, the passphrases can be a list of words separated by a character, which is easy to remember for humans but a lot harder for a computer to crack because they're usually way longer and have more entropy than a password. They're easier to remember because they are words, and words to us have meanings but not to computers. They see random strings still.

These passphrases are known as Diceware Passphrases. For example: `Batboy Wielder Defective Squire Facial Reptilian Monologue Avatar`.
These passphrases are called Diceware Passphrases. An example of a Diceware passphrase is: `Batboy Wielder Defective Squire Facial Reptilian Monologue Avatar`.

![XKCD's password strength meme](./pictures/xkcd-password-strength.png)

Avoid changing your master password frequently unless you suspect it's compromised to minimize the risk of forgetting it. It's also wise to maintain an encrypted backup of your passwords in a secure location, ideally outside your devices, and with a different password in case you forget the main one. This ensures you can restore your passwords and reduce the risk of losing access to your accounts.
Avoid changing your master passwords too often unless you suspect that it is compromised to minimize the risk of forgetting it. Also, a good practice would be having an encrypted back of your passwords somewhere safe, ideally outside your devices and with a different password (in case you forget the main password) so you can restore your password and minimize the risk of losing access to your accounts.
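Review bot: the added line "I'm sorry for misunderstanding your instructions. Let me correct the grammar, spelling, and formatting errors while preserving your original tone and style." right after the first paragraph of "Passwords and Password Managers" is an assistant's chat reply that was pasted into the chapter along with the rewritten text; it must be deleted before merge, since it is the only change in this hunk that alters the content rather than the wording. Two smaller points in the rewritten text: in item 4 the new wording "a self-hosted or offline option, like Bitwarden or KeePass" drops the original's "(which can be self-hosted)" qualifier, so a reader may take Bitwarden for an offline manager; keep the parenthetical, e.g. "like Bitwarden (self-hosted) or KeePass". And in the final paragraph "Avoid changing your master password frequently unless you suspect it's compromised to minimize the risk of forgetting it" attaches "to minimize" to the wrong clause; suggest "To minimize the risk of forgetting it, avoid changing your master password unless you suspect it has been compromised."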
