As more people flock over to the fediverse from reddit, twitter and other centralised proprietary networks it is important that you keep your e-mail and other important accounts safe from hijacking attempts. Since anyone can simply spin up an instance and host users and communities it is important that you don’t divulge your internet personal details to anyone as these can be harvested by the instance owner and by any instance you erroneously try to login to or simply the instance could be hacked and the user data harvasted. With this in mind here are some suggestions for good OPSEC (Operation Security):
- Don’t use your main e-mail address. Either create a new one or better sign up for an e-mail forwarding service and set-up forwarding addresses for each instance you sign up to. Since these are throw away addresses, if it gets leaked you can just delete the address and create a new one without compromising your main e-mail address. (Bonus: this can also be used to use unique addresses for traditional web services and make it easy to know how and from where an address got leaked)
Here is a nice article with some e-mail forwarding providers to get you started
- Use a password manager and generate strong and unique passwords for any and all instances and services you use, this way you won’t divulge a password used on another account to the instance owner, or if the address used (especially if you used your main e-mail address)/got leaked your account will still be safe from hijacking by attempting to use password dictionaries to guess the password.
Some passvault suggestions:
- Passbolt (self hosted)
- Bitwarden (self hosted and hosted options)
- Vaultwarden (unlocked self hosted alternative to bitwarden)
These are my main security suggestions for all you new and existing lemmings. Feel free to suggest other security considerations to have and other services beyond those mentioned. Stay safe and have fun posting and commenting.
That’s like saying that only using high security locks with various security pins in them to protect your house is a bad idea, and you should throw in some secured with padlocks too just to change things up.
And if some of them are shitty masterlocks, well, you’re changing things up.
That’s really not how security works.
Yes, pass phrases can have large amounts of entropy attached. But unless you are picking your pass phrases truly randomly, with a large dictionary, and using unique pass phrases per site, and the sites are not silently truncating the password input (such as bcrypt which truncates to 72 bytes), you are not actually getting that large amount of entropy.
Where as a 16 character password that randomly uses the ASCII printable range, excluding spaces, gives you 93^16 possible combinations. That’s 31313180170800116587336013460801 passwords.
Or, very roughly, 104.6 bits of entropy. (104.6265409777285022441578006899739 bits of entropy if you want to be downright absurd about it.)
Knowing that you’re doing that simply doesn’t help the attacker in any meaningful way.
Bumping that to 20 characters gives you over 130 bits of entropy, or 2342388736625917052139104541473924426001 possible combinations.
This is quite simply not a viable attack surface.
Where as saying ‘use pass phrases for some things’ means that it is quite likely that some of your pass phrases are going to be much less secure than this.
But let’s give the same numbers for properly generated random passphrases.
The xkcdpass utility can help us here.
Even picking entirely randomly, out of a large word list of 7227 words, a 6 word pass phrase only gives roughly 76 bits of entropy.
Going up to 8 words gives us roughly 102 bits of entropy, that helps a ton… Except that some of those passphrases are going to be longer than 72 bytes. So you’re almost certainly losing bits of entropy.
That best case still gives you fewer bits of entropy than a 20 character randomly generated password. Unless you’re trying to memorize your password, there are no benefits to alternating between randomly generated passwords with good generation settings and passphrases.
And if you’re trying to memorize your passwords, you are definitely doing it wrong.