Remember: If you are being robbed, just say no. Legally, they cannot rob you without your consent.

Thank you for coming to my TED Talk.
Alright I think they all logged off; Go Go Go!

Before I go into this, I need to mention that basically everything I’m going to touch on is, as of the 2020s, largely standard security practice. No weird business, and sadly no homebrew. My specific approaches are largely informed by a girl who actually mains infosec, instead of my janky arse. Now then, away we go!

PASSWORDS! A fancy secret knock that you tap on your computer to get access to the cool shite, like this guide! You come up with something only you would ever think of, then slap that on everywhere you go, and ring a ding ding you’re off to the races!

Well… you and everyone who so much as blinks in your general direction.

RULE ZERO OF PASSWORDS: YOU AIN’T-

Oh wait, hold on, there’s something even more fundamental we have to cement into our foundation:

RULE ZERO OF PASSWORDS: ELIMINATE ALL BIRDKIND

Do NOT become a fucking parrot and repeat yourself! If you use the exact same password on multiple sites (even worse if it’s the same username, though email logins kind of force the issue with most sites), the moment some jackass thief (let’s call her Miss Rose) figures out your password on ONE of the sites, she’s going to turn around and try it on ALL OF THE SITES. The trade calls this credential stuffing, and she doesn’t do it by hand: a script replays the leaked email/password pair against every login page worth having. And that’s terrible. Especially for your redundant repetitive rear.

Oh and Miss Rose knows to try patterns too. If she found 0rofmicrosoft, you can bet 0rofgoogle, 0rofdiscord, and 0rofpaypal are prime guessing material[1].

To counteract this, we need random-ass passwords for every site we have a presence on. This way, even if Miss Rose breaks into your Steam account, she can’t touch your Humble Bundle. (The boss battle between her and Steam support WOULD be legendary though.)

RULE ONE OF PASSWORDS: YOU AIN’T RANDOM

Welcome to being human. If YOU thought of it, someone else will too. Everything’s a Shakespeare ripoff these days.

I’m serious about this, by the way: I know a guy who used an obscure phrase from one episode of one television programme as a basis for a password. Spoilers: it did NOT protect him.

The security of a password comes from how truly random it is. Humans… are not very random. Computers… are also not random[2], but they’re better at it than YOU are.

True randomness, then, will come from events you cannot possibly control, such as honestly-rolled dice (Fuck Off, Rogue Mains).

When you have proper randomness, it’s going to be impossible for an adversary to reverse-engineer how you thought out your password because YOU DIDN’T THINK IN THE FIRST PLACE.

The tragic downside of this approach, however, is that you’re not going to be memorizing a fucktonne of random passwords anytime soon – I’M NOT READY FOR YOU YET, YOU DAMNED PONY! – Anyway, you’ll think up something random, and then you’re likely going to want to use the same random thing multiple times, which opens you up to BIRD STRIKES! SEE RULE ZERO!

RULE TWO OF PASSWORDS: TYPE THEM THE FUCK DOWN

Yes I’m being serious.

Yes it sounds retarded.

Yes I have a secret weapon… And that secret weapon is called a Password Manager!

What is a password manager? It’s a password diary, but unlike YOUR Password Diary, this one actually keeps your passwords secure! It also generates random[3] passwords for you! And it tracks what sites they’re for, and the usernames for them, and some even support 2FA codes à la Google Authenticator.

The security is achieved through encrypting the database your password manager maintains (the diary, in other words), so that you only need to remember ONE password, instead of WayTheFuckTM (TL Note: TM means Too Many). That one password gets stretched through a deliberately slow key-derivation function before it becomes the encryption key, which is the “work factor” you’ll see mentioned later. Oh and BONUS! If a site gets hacked and THEIR password database gets leaked, all you have to do is change your password on the site, put the new Also-Random-Generated password into the Database, and laugh at the idiot dark web brokers who now have JACK SQUAT, because that password opened exactly one door and you just changed the lock.

There exist many Password Managers, and a comparison chart, graciously offered to me by someone more aware than I of normal user experience, is available here. Whatever you do, DON’T EVEN THINK ABOUT USING YOUR WEB BROWSER’S BUILT IN PASSWORD SAVER! On most setups anything running as your user account can read that store straight out (infostealer malware does exactly this), and it doesn’t give you the separate, random master passphrase we’re about to build. Just don’t. Please? Pleeease? Thank you~

I will mention the password managers I use, which are KeePassXC and KeePassDX. Previously I did recommend these privately to one of you, but I will rescind that not because KeePass sucks, but because I have it on good authority the others are easier to work with.

Okay, so now we have a challenge: a Password that needs to be secure, but that you also have to Actually Memorize. I hear the hooves of snark trampling my gate… I cannot hold the ponies back any longer…

RULE THREE OF PASSWORDS: OBLIGATORY XKCD REFERENCE

So nobody’s going to pay any amount of attention to a girl who types sassy words, so to explain why words are better than keysmash, I’m going to let a guy who draws mspaint stick figures explain it for me.

Now that you’ve gotten your laugh and My Little Pony finally got to explain why Friendship Is Magic, let me explain what’s going on here:

There’s a password philosophy called Diceware, and it’s really simple: Take a random list of words and roll d6d6d6d6d6 a number of times (5d6, but it’s not D&D because the order matters: the five dice are read as one five-digit number like 35124, and that number is the line in the word list. If you don’t want to track the order, I would grab a white d6, a blue d6, a black d6, a red d6, and a green d6, then promptly whine that the author memes too much.), recording the EXACT WORD that pops up in the word list each time. THIS IS VERY IMPORTANT: DO NOT CHANGE THE WORD AFTER THE FACT! The entropy comes literally FROM the die rolls and their results! The moment you decide that a certain other word sounds cooler, OOPS! Welcome to Detroit.

There’s even a website that’ll do diceware for you! It’s super cool! It works offline so you know you’re not being spied on (well, mostly… but these guys are pretty chill). If you want to click buttons and be amazed, then go ahead and spam their gamble buttons, but for ExtraMostBestest security, roll ’em yourself.

And boom! Each rolled word is one of 6^5 = 7776 equally likely possibilities, so every word adds log2(7776) ≈ 12.9 bits of entropy: five words is about 64.6 bits, seven is about 90.5. That number doesn’t change if you use capitals, lowercase, spaces, or even put a 1-up counter between the words, because it comes from the dice, not from the decoration (assume Miss Rose knows you used Diceware; see Rule Zero of Infosec below). It’s super cool! It’s pretty! And you’ll be able to keep it memorised in no time! PLUS, there’ll only be one place you ever need to type it… and that’s your Diary, so no matter which copy you’re accessing, you’ll be able to…
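The whole Diceware procedure above (dice to list index, index to word, entropy per word) in working code, as an added example that is not part of the original post. The word list is a constructed stand-in (entry i is just “w&lt;i&gt;”), so swap in a real 7776-entry list such as the EFF long list if you actually want words; the software dice use `secrets`, the OS CSPRNG, as the fallback footnote 3 alludes to when you can’t be bothered with physical dice.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD          # 7776 lines in a standard Diceware list

# Constructed stand-in for a real word list: entry i is simply "w<i>".
# A real list has 7776 actual words in the same order, so everything below
# works unchanged once you swap it in.
WORDLIST = [f"w{i}" for i in range(LIST_SIZE)]


def roll_to_index(roll: str) -> int:
    """Map a five-digit dice string such as '35124' to a word-list index.

    The dice are read as a base-6 number with digits 1..6, first die most
    significant, which is exactly why the ORDER of the dice matters.
    """
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"bad roll {roll!r}: need {DICE_PER_WORD} digits in 1..6")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def roll_dice() -> str:
    """Roll one word's worth of dice with the OS CSPRNG (secrets, never random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase_from_rolls(rolls, wordlist=WORDLIST) -> str:
    """Turn recorded rolls into the passphrase, keeping EXACTLY the words rolled."""
    return " ".join(wordlist[roll_to_index(r)] for r in rolls)


def generate_passphrase(n_words: int, wordlist=WORDLIST):
    """Roll n_words times and return both the raw rolls and the phrase."""
    rolls = [roll_dice() for _ in range(n_words)]
    return rolls, passphrase_from_rolls(rolls, wordlist)


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of n words drawn uniformly and independently from list_size entries."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    rolls, phrase = generate_passphrase(6)
    print(rolls, "->", phrase)
    print(f"5 words from the full list: {entropy_bits(5):.1f} bits")
    print(f"7 words from the full list: {entropy_bits(7):.1f} bits")
    # Swapping rolled words for ones that "sound cooler" is the same as
    # drawing from a much smaller list, and the entropy collapses with it:
    print(f"5 words hand-picked from ~100 favourites: {entropy_bits(5, 100):.1f} bits")
```

The last print is the “Welcome to Detroit” case in numbers: five words you picked from your hundred favourites carry about 33 bits, half of what the dice gave you.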

You… DID make backups of your Diary, RIGHT???

RULE FOUR OF PASSWORDS: BACK IT THE #@%& UP

The primary benefit of using a Password Manager for everything is that you will never be easily bruteforced[4] again!

The primary downside is, it’s like a Dogecoin wallet. If you abandon or misplace it, it’s GONE FOREVER HAHA YOU SUCK GO AWAY.

To mitigate this problem, just follow the 3-2-1 rule like you do with all your other important data.

Oh right, I’m not allowed to assume you know what that means.

In short: BACKUPS! ROUTINELY! IMPORTANT! The 3-2-1 Rule states that for any Critical Data (and your PASSWORDS are McFuckingCritical!), you keep THREE (3) copies (the one you actually use plus two backups), on TWO (2) different kinds of physical media, with ONE (1) copy offsite, meaning somewhere the fire, flood or burglary that takes out your desk can’t reach it. Physical Media includes Flash Memory, Magnetic Disk, Optical Disc, Floppy Disk, and McFuckingTape. The offsite copy is fine sitting on someone else’s cloud precisely because the Diary is encrypted; the thing you must NOT lose is the passphrase (and hardware key) that opens it.

Pretty much, your backup strategy should survive an angry asshole empowered by a malevolent god to specifically fuck YOU over.

You should also do this for your hardware security- I DON’T WANT ANOTHER SCENE TRA-

RULE FIVE OF PASSWORDS: WHAT IF YOUR COMPUTER HAD A KEY

If you’re a security-conscious individual who understands the value of Multifactor Authentication done correctly, you’re probably wondering why your most important file in all of forever is only guarded by a password.

It doesn’t have to be!

Any GOOD Password Manager will support you using a Hardware Security Key, which is basically a Teensy[5] with a secret baked in that you can never read back out; it answers challenges with that secret and manages one-time codes for you.

I’m not going to walk you through the intricacies of pairing your Password Database with a Hardware Key, because that heavily depends on both the Password Manager used and the Hardware token selected, but you will want to select a method that allows you to pair multiple Hardware Keys to the same Password Database. The reason for this is simple: the key’s answer gets mixed into the encryption key of the database itself, so without a token that gives the same answer the file is just noise. Once you incorporate a physical item, you have added an additional factor of authentication, and therefore risk LOSING IT ALL if all your Hardware Keys are lost, stolen, or dead.

What I will, however, say, is that I use YubiKey 5s as my Hardware token, and I moved their default OTP to Slot 2 to open the short-press Slot 1 for a HMAC-SHA1 secret key that I then also store in my Password DB (Look, if you broke in, you KNOW how to replicate it already). This lets me quickly incorporate multiple YubiKeys into my Password Manager so I can maintain a carry key on my person and a backup at home (I should get a third and put it in a bank or something.).
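What the HMAC-SHA1 slot trick above buys you, shown in software as an added example (not the author’s code, and not KeePassXC’s real key derivation). The simulated slot simply computes HMAC-SHA1 over the challenge with a 20-byte secret, which is what the hardware does; the composite-key step is a deliberately simplified stand-in for the KDBX derivation, and the detail that the challenge is a random value stored with the database is an assumption made for the demo. The point it demonstrates is that two keys programmed with the same secret answer identically, so either one opens the database, while a stranger’s key or the wrong passphrase does not.

```python
import hashlib
import hmac
import secrets


class SimulatedHmacSha1Slot:
    """Stand-in for a YubiKey slot programmed for HMAC-SHA1 challenge-response.

    On the real hardware the 20-byte secret is write-only; here it is held in
    memory purely so the behaviour can be demonstrated offline.
    """

    SECRET_LEN = 20  # HMAC-SHA1 challenge-response slots take a 20-byte secret

    def __init__(self, secret: bytes):
        if len(secret) != self.SECRET_LEN:
            raise ValueError(f"slot secret must be {self.SECRET_LEN} bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        """Return HMAC-SHA1(secret, challenge): 20 bytes, fully deterministic."""
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_db_key(master_password: str, response: bytes) -> bytes:
    """Build a composite unlock key from the passphrase AND the token's answer.

    ASSUMPTION: a simplified stand-in, not KeePass's real KDBX4 derivation
    (which adds Argon2 and a master seed). It keeps the one property that
    matters here: change either input and the resulting key changes.
    """
    pw_hash = hashlib.sha256(master_password.encode("utf-8")).digest()
    return hashlib.sha256(pw_hash + hashlib.sha256(response).digest()).digest()


def unlock(master_password: str, token: SimulatedHmacSha1Slot,
           challenge: bytes, expected_key: bytes) -> bool:
    """Open the 'database': needs the right passphrase AND a token whose slot
    answers the stored challenge correctly."""
    candidate = derive_db_key(master_password, token.respond(challenge))
    return hmac.compare_digest(candidate, expected_key)


def demo() -> dict:
    # The same secret programmed into slot 1 of both keys (carry + backup);
    # a third key with its own random secret plays the stranger.
    shared_secret = secrets.token_bytes(20)
    carry_key = SimulatedHmacSha1Slot(shared_secret)
    backup_key = SimulatedHmacSha1Slot(shared_secret)
    stranger_key = SimulatedHmacSha1Slot(secrets.token_bytes(20))

    # ASSUMPTION: a random challenge kept alongside the database file.
    challenge = secrets.token_bytes(32)
    master_password = "tidy vastly curvy defuse shrink"   # constructed, not a real passphrase
    db_key = derive_db_key(master_password, carry_key.respond(challenge))

    return {
        "carry_key": unlock(master_password, carry_key, challenge, db_key),
        "backup_key": unlock(master_password, backup_key, challenge, db_key),
        "stranger_key": unlock(master_password, stranger_key, challenge, db_key),
        "wrong_passphrase": unlock("wrong", backup_key, challenge, db_key),
    }


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:>17}: {'unlocked' if opened else 'DENIED'}")
```

The same property is why storing the slot secret in the database is not the contradiction it looks like: you can only read it after you have already opened the database with a key that knows it, and it lets you program a replacement token when the old one dies.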

By consistently applying these five rules with vigilance, you will render yourself largely immune to the overwhelming majority of password breaches. There are a few edge cases I need to touch on for completeness’ sake.

RULE SIX OF PASS RULE ZERO OF INFOSEC: BE UP FRONT

(I wanted to call it Rule Zero of OpSec, but I think I’d get sandblasted for that.)

Have you ever wondered why 99.99+% of the world uses encryption standards that everyone knows the intricate details of, when you could more easily throw someone off by rolling something custom nobody knows about? Well, other than the obvious accessibility and usability arguments, the answer is because The Pros Know Better.

Kerckhoffs’s Principle (Auguste Kerckhoffs, 1883): A cryptosystem SHOULD be secure, even if absolutely everything about the system is known, EXCEPT the cryptographic keys in play. The reason for this is dead-simple: Mathematicians are STUPIDLY FUCKING GOOD at seeing your patterns and cold-reading your next moves. And if you know who hires the most and the best in that field, YOU KNOW VERY DAMN WELL THE SCALE OF THIS THREAT. Applying this principle leads to publicly-available cryptosystems (i.e. anything you’ll be able to get your hands on) being aggressively tested by LITERALLY EVERYONE, because doing so leads to the best and brightest rising to the top, which, again, helps EVERY SINGLE USER OF ENCRYPTION.

In this spirit, I will advertise the specific configuration I use, omitting only actual secrets (you may NOT has cheezburger), and I will also advertise potential failure modes of this scheme.

MY CONFIGURATION

I use a combination of KeePassXC (Desktop OS) and KeePassDX (Android) to manage my Password Databases (yes, plural). I chose these mostly because they were recommended to me, but also due to my own ability to configure my own infrastructure for handling these databases.

My four Databases are as follows:

  • One Database to control all of my finance, email, and core system backup keys and codes. Everything in this database either carries immediate dire consequences if breached (BANKING), or authenticates me at a near-if-not-root level (E-Mail, The secret keys to my other DBs, my HMAC-SHA1 secret, my Signal backup passphrases). This is my highest-secured database, secured by a 7-word Diceware passphrase that I rolled by hand in conjunction with my YubiKeys, and the work factor is set to the highest KeePass would allow.
  • One Database to control my TOTP codes, and credentials for accounts that do not belong to me. This database is secured by the industry-standard 5-word Diceware passphrase rolled by the Rempe site I linked to earlier in conjunction with the same HMAC-SHA1 secret as above, and a slightly lower work factor. There is the argument I should move Accounts-Entrusted-To-Me into my primary DB, but I also do not want all my eggs in one basket.
  • One Database to control all of my credentials under my Pre-Trans Identity (birthname/deadname). This I allow to control access to services like my ISP, Utility Company, Amazon, and Car Insurance. Oh and my Framework account lives there. This is actually not secured by a Diceware passphrase but a very personal phrase to me (I know, what a hypocrite, wah), BUT it is also secured by my YubiKeys! And the work factor is reduced because I use these passwords a LOT more than my critical ones.
  • One Database to control all of my credentials under my New Identity. Eventually I’ll probably merge these, but I want the degree of separation for now. This Database controls my more Social logins such as Discord, Steam, SSO Login to a compute cluster in my home, and others. This is also secured by a Very Personal And Not Random Passphrase (I’m ashamed of my lack of randomness), but it’s STILL guarded by a YubiKey!

To maintain backups, I use software called Syncthing, which permits periodic encrypted backups of data in folders to select machines. I do not fully follow 3-2-1, but I will be doing so soon, especially for my critical files such as my Password Databases. I will not guide you on how to configure this; this is an Account Management Guide, not a Full Walkthrough OwO (plus the recommended Password Managers I have on good authority as far more newbie-friendly than what I use.)

For Hardware Security Keys, I have a YubiKey 5 NFC as my primary hardware token, as well as a YubiKey 5C backup token. Both are configured with Slot 1 as the same HMAC-SHA1 secret, and Slot 2 as their factory-default Yubico OTPs. I do not use their FIDO2, PIV, or OATH capabilities in the context of my Password Manager, but I do employ their FIDO2 capabilities in other contexts.

I have never had an account breach with this configuration, but I also tend to be lucky with these things, and I’m also tangential enough with the infosec/opsec crowd to know a few extra details.

POTENTIAL/COMMON VULNERABILITIES TO BE AWARE OF

You need to understand right now that reading and employing everything in this guide does NOT make you totally immune.

What it DOES do is effectively immunize you against any attacks based on guessing your passwords, no matter how accurately they’ve profiled you.

I will now describe several methods by which you can get pwned anyway:

The very very first thing you need to understand is that in order to authenticate yourself, the password your manager stored for a site MUST, at some point, leave the manager and go into the website you wish to access. On KeePass, this is done through the Clipboard (Oh hey look, I learned browser plugins exist for this when proofing this dumbassery). You may have stronger protections using one of the others. Why this matters is, if there is MALWARE on your computer, that malware WILL see your random password IN THE CLEAR and you have been pwned before you even hit the ENTER key[6]. If you find there is malware on your computer, you need to, in this order:

  • Back up your password databases. Copying the files is safe (they’re encrypted), but assume the attacker already has a copy AND watched you type the master password.
  • Nuke your OS from orbit (at this point, AntiVirus is NOT enough) and reload it clean.
  • Pray to whatever force you believe will answer you that your firmware isn’t infected (if you get pwned repeatedly despite good internet hygiene and multiple reinstalls, I have some bad news for you…).
  • Scan the backup you took with a trusted scanner configuration, or get someone with computer security expertise to do it for you. A .kdbx isn’t something that runs, so the real risk isn’t infection, it’s that copy the attacker took.
  • Secure the fresh install, put the database back on it, and change the database’s master password (and any hardware-key secret) FIRST, since those are what the malware saw.
  • Then CHANGE EVERY SINGLE PASSWORD YOU HAVE, email and banking before anything else.

Furthermore, AVOID SKETCHY SITES. Good internet hygiene exists for a reason, and that reason is so that some scrub doesn’t put something BAD on your system (and trust me, your credentials being stolen and nothing else is GOOD news. BAD NEWS is… actually let’s not.) On a similar note, only let people you trust on your stuff, and close up your Databases if you’re letting someone borrow your device for something.

Secondly, and this is related to point one: NEVER surrender your login cookie/session identifier! Anyone who has this information, who is NOT you, may as well be you in the eyes of the service. How this process typically works is you provide your username (public info) and password (which you’re now smart enough to protect by reading a shitpost), then if the server determines your credentials are sufficient to identify you, you’re handed a randomly-generated string that gets stored in a cookie (or similar local storage), and THAT RANDOM NOISE becomes your key for every action going forward. You never see this string because your client handles it under the hood FOR you. But servers can’t see the client. A service provider doesn’t know whether you’re even RUNNING a browser. All the server sees is a request on its network socket with “By the way, here’s my tab.” tacked onto it. That server ain’t going to bother re-verifying you; that tab is functionally the alcohol wristband in a nightclub. But if you GIVE that cookie to someone, or someone YOINKS it, then guess what? THEY’RE YOU NOW. HA HA HA HA. And they’re probably going to change the email to theirs, then reset the password. OOPS! (Which is why a decent service makes you re-enter the password for exactly those two actions, and why “log out of all other sessions” exists: it throws every outstanding wristband in the bin.)
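The wristband mechanic above as a minimal server in code, an added example rather than anything from the original post. The user table and password check are constructed and deliberately simplified (a plain comparison; how to store passwords properly is a separate topic), because the point is everything that happens AFTER the password: the holder of the token is the user as far as the server can tell, so a yoinked token gives an attacker who never learned the password the ability to change the email, and only revoking the sessions server-side ends that.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 3600

# Constructed user table. Plain-text comparison is ONLY for this demo; the
# example is about sessions, not password storage.
_USERS = {
    "alice": {"password": "tidy vastly curvy defuse shrink", "email": "alice@example.test"},
}

# token_hash -> session record. Only the SHA-256 of the token is stored, so a
# leak of this table alone does not hand out usable wristbands.
_SESSIONS = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def login(username: str, password: str) -> str:
    """Check the password ONCE, then mint the bearer token the client carries."""
    user = _USERS.get(username)
    if user is None or not secrets.compare_digest(user["password"], password):
        raise PermissionError("bad credentials")
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _SESSIONS[_token_hash(token)] = {
        "user": username,
        "expires": time.time() + SESSION_TTL_SECONDS,
    }
    return token


def handle_request(token: str, action: str, **params) -> str:
    """Server side of every later request: whoever presents the token IS the user."""
    record = _SESSIONS.get(_token_hash(token))
    if record is None or record["expires"] < time.time():
        return "401 no valid session"
    user = record["user"]
    if action == "whoami":
        return user
    if action == "change_email":
        # A careful service would demand the password again right here.
        _USERS[user]["email"] = params["new_email"]
        return f"200 email for {user} is now {params['new_email']}"
    return "400 unknown action"


def logout_everywhere(username: str) -> int:
    """'Log out of all other sessions': bin every outstanding token for the user."""
    doomed = [h for h, rec in _SESSIONS.items() if rec["user"] == username]
    for h in doomed:
        del _SESSIONS[h]
    return len(doomed)


def demo() -> dict:
    victim_token = login("alice", _USERS["alice"]["password"])
    # The token gets yoinked (malware, a pasted cookie, a "support" scam).
    # The attacker never learns the password, yet the server sees alice.
    attacker_seen_as = handle_request(victim_token, "whoami")
    takeover = handle_request(victim_token, "change_email", new_email="missrose@example.test")
    killed = logout_everywhere("alice")
    after = handle_request(victim_token, "whoami")
    return {
        "attacker_seen_as": attacker_seen_as,
        "takeover": takeover,
        "sessions_killed": killed,
        "after_logout": after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>17}: {v}")
```

Hashing the token before storing it is the cheap detail worth copying: the client holds the only unhashed copy, so a dump of the session table is not by itself a pile of wristbands.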

Thirdly, you will need to keep your Database Encryption up to date. Time Marches On, and Technology Marches On. In Caesar’s day, shifting the alphabet three letters to the right was enough to hide orders from a military opponent. Today, that cipher is broken in a microsecond. Fortunately, you can re-encrypt your Database at will: KeePass-style managers let you raise the KDF work factor and swap the cipher from the database settings, so you’ll be able to step up as needed.

Finally, your Password Manager Protection Plan only protects on YOUR side. You are STILL dependent on the server implementing security measures correctly. If the server hands out your password to anyone who asks, well, that’s what it does, and you have ZERO power to change that whatsoever. In fact, you have NO say in how the server handles their half of your security; unique passwords just mean that when they screw up, they only burn THAT account. You also need to make sure your own computer and network are arranged properly to handle any security issues calling from inside the house.
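Both halves of the server-side point in one added example (not code from the original post): what Miss Rose does with a leaked table of unsalted MD5 hashes (footnote 4), including the site-name pattern guessing from Rule Zero, next to how a server that cares stores passwords. The “leaked” table and its passwords are constructed for the demo; the slow path uses `hashlib.scrypt` with a per-user random salt, and the throughput measurement is just a rough single-core number for whatever box runs it.

```python
import hashlib
import hmac
import os
import time

SALT_LEN = 16
# scrypt cost: n=2**14, r=8 is about 16 MiB of memory and tens of
# milliseconds per guess, which is the whole idea.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

# Constructed "leaked" table of UNSALTED MD5 hashes, the kind footnote 4
# warns about. The passwords behind them are constructed as well.
LEAKED_MD5 = {
    "bob": hashlib.md5(b"0rofmicrosoft").hexdigest(),
    "carol": hashlib.md5(b"KrR0mLk2nD8vQ4pW").hexdigest(),  # random-ish, not in any wordlist
}
SMALL_WORDLIST = ["password", "letmein", "0rofmicrosoft", "dragon"]


def crack_unsalted_md5(leaked: dict, wordlist) -> dict:
    """Unsalted + fast: hash each guess ONCE and match it against every user."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def pattern_guesses(known_password: str, known_site: str, other_sites) -> list:
    """What Miss Rose tries next when a recovered password embeds the site name."""
    if known_site not in known_password:
        return []
    return [known_password.replace(known_site, site) for site in other_sites]


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Storage done properly: per-user random salt + memory-hard KDF.

    Returns salt || digest so verify_password can recover the salt.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def guesses_per_second(hash_once, seconds: float = 0.25) -> float:
    """Rough attacker throughput for one CPU core on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_once(f"guess{n}")
        n += 1
    return n / seconds


if __name__ == "__main__":
    cracked = crack_unsalted_md5(LEAKED_MD5, SMALL_WORDLIST)
    print("cracked from the MD5 leak:", cracked)
    print("next guesses elsewhere:",
          pattern_guesses(cracked["bob"], "microsoft", ["google", "discord", "paypal"]))
    salt = os.urandom(SALT_LEN)
    md5_rate = guesses_per_second(lambda g: hashlib.md5(g.encode()).digest())
    scrypt_rate = guesses_per_second(
        lambda g: hashlib.scrypt(g.encode(), salt=salt, **SCRYPT_PARAMS))
    print(f"MD5: ~{md5_rate:,.0f} guesses/s   scrypt: ~{scrypt_rate:,.0f} guesses/s")
    stored = hash_password("0rofmicrosoft")
    print("verify right / wrong:",
          verify_password("0rofmicrosoft", stored), verify_password("0rofgoogle", stored))
```

Two things to notice when it runs: the salt means two users with the same password get different stored values, so the one-hash-per-guess trick from `crack_unsalted_md5` stops working, and the rate gap is what turns “pretty damn fast” into “not in your lifetime” for anything random enough.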

CONCLUSION

Congratulations! You’re now a super duper hacker proofer! Feel free to let the power rush to your head and get your ass beat by a protagonist in their tutorial arc.


  1. These are real passwords used by a real person.

  2. Okay, modern computers actually DO have instructions that generate numbers from physical noise on the CPU itself (Intel’s RDRAND, for one), which is INSANE. But those bits are nowhere near as plentiful as the pseudo-random numbers we’re more accustomed to, so the OS uses them to seed a cryptographic PRNG and hands out the rest from that.

  3. Technically, you’d probably gain more randomness if you dice-rolled all of your passwords one by one, but that’s effort, and when you auto-slap 256-char passwords into being, the sheer magnitude of the fuckening more than offsets the PRNG penalty.

  4. Okay, so your password being brute-forced is actually entirely dependent on the hash that the server challenging your credentials is running, so if someone steals THEIR Password Database and finds, say, unsalted MD5 hashes, yeah, every guessable password in there gets broken pretty damn fast; a long random one only survives because nobody can enumerate it, so Good Password or not, you want them using a slow, salted KDF. And if your service can give you your password BACK, then no amount of encryption they have on it is acceptable and you should consider boycotting them. And I’m the bitch who hates #activism, so if I’M the one saying Do This Thing… Maybe listen?

  5. Yeah, a real Teensy is a POOR choice of Hardware Security Key, but you get the point.

  6. Proper UNIX/OS sockets in conjunction with secure memory (mseal my beloved) will actually guard against keysniffers and most forms of spyware on the machine. If the malware has, however, modified the control flow of either your Password Manager OR your Web Browser, then you’re still fucked, so maybe keep in mind this is a damned footnote and don’t rely on it.