Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you’ll near-instantly regret.
Any awful.systems sub may be subsneered in this subthread, techtakes or no.
If your sneer seems higher quality than you thought, feel free to cut’n’paste it into its own post — there’s no quota for posting and the bar really isn’t that high.
The post Xitter web has spawned soo many “esoteric” right wing freaks, but there’s no appropriate sneer-space for them. I’m talking redscare-ish, reality challenged “culture critics” who write about everything but understand nothing. I’m talking about reply-guys who make the same 6 tweets about the same 3 subjects. They’re inescapable at this point, yet I don’t see them mocked (as much as they should be)
Like, there was one dude a while back who insisted that women couldn’t be surgeons because they didn’t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can’t escape them, I would love to sneer at them.
(Semi-obligatory thanks to @dgerard for starting this.)
I've come around a bit since posting yesterday (after looking into the various hardware key options, like OnlyKey). The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it's the added complexity of "use this physical device" and the concern I had about recovering accounts if I lost the Yubikey. Their page on spare devices does not inspire confidence.
Fair point! I chose 128 because it's the maximum allowed in Bitwarden (if it's going to be copy-pasted anyway, who cares). Assuming I didn't fuck up basic math, the entropy of a passphrase of length
nselected uniformly at random from characters inAis given bynlog|A|, so to reach 128 bits of entropy with 70 chars (lower + upper + digits + special) requires a passphrase of length 21.The solokey v2 and the nitrokey v3 (I think) have some firmware upgradability, but they're not as capable as a yubikey (the last time I checked I couldn't use either of them to unlock a keepassxc password vault, for example). Whilst it would be a right hassle to deal with a lost device, I generally lock my accounts with a main key and two spares that get stored safely and make a note in my password database of which accounts can use which keys so there's little risk of locking myself out of anything, and I can get a list of sites to visit to revoke credentials from. In any case, the minor inconvenience is a good tradeoff for me, given the significant security guarantees the keys offer over other authentication mechanisms.
But also, "added complexity" is just a thing with two factor authentication, and most of my use of U2F keys involves less effort than unlocking my phone, then unlocking my TOTP application, then searching for the account and site I'm trying to unlock, then waiting for the timer to reset because I can't authenticate before the current code expires, etc.
Beats me! I just use off-the-shelf entropy calculators and hope they're right. They mostly seem to agree that ~128 bits of entropy from a 10-word (70-85-ish characters) passphrase from the EFF large wordlist, or ~24 characters from uppercase/lowercase/numeric. Both might be reasonably considered overkill, if you can be sure that the thing that's hashing the password is using a modern algorithm (which often you can't, sadly).
I also dislike unreasonably long passwords because more modestly-sized ones can be typed out manually when needs be, or even read over the phone in an emergency. I wouldn't fancy doing that with 128 character passwords! You may of course never need to do those things, but I've needed to do both, at work and otherwise.