On 2020-07-08 at 23:24 +0200, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
> > The thing is, if you can't remember a string of random words, are you likely to remember a string of 20 random letters, numbers, and characters? Generally, if your non-randomly-generated password is easy for you to remember, it's also easy for a computer to guess. Diceware is the attempt to make something as easy as possible to remember while still being truly high-entropy. If you're really paranoid you don't use the JavaScript program to generate your random phrases, you buy an EFF book and roll some casino dice. The entropy comes from the dice and so is verifiable.
>
> How do I do that when traveling, because I can't memorize the diceware pass phrase and then roll dice and tell via a non-secure channel my now generated pass phrase, or do I make a mistake now in thinking?
You only use the dice suggested by Ryan for creating a new password. A local program is probably perfectly fine for creating "random" passwords, though.

If you are traveling, you would do as at home: you bring your password manager with you. You should probably prepare in advance a list of all credentials you might need, and then only bring a reduced "travel-size" version of your stored passwords (you could also take with you a "simple" one you expect to use and a bigger -not necessarily complete- one that you expect not to need to unlock). Note that "bringing" could involve a physical entity, such as a file on your laptop or a USB key, but also simply the ability to download it from the internet (after logging into <account>, probably). You may obviously rotate all those passwords after you are back (as well as before you depart, if you wish). You still need to properly protect the master password of that manager, which should probably involve memorizing it.

If you are only concerned about part of your travel itinerary, such as a layover at a foreign location with few privacy guarantees, or just until the time you cross the border (as is the case when crossing the British or US border, where otherwise constitutional rights are suspended),[1][2] you could actually deprive yourself of the knowledge required to decrypt the content. Let's suppose that you arrive Friday night, and will meet with the foreign client on Monday, showcasing to them some company confidential information stored in an encrypted laptop. You could memorize half of the password, then get told the other half by phone on Monday morning by your corporate lawyer. You would then be unable to decrypt it while crossing the border, which means you can't be coerced to provide it. This would make quite a lot of sense from the point of view of the company. The border agents may not be happy with that, though, and it may also result in a not-so-nice experience for the employee.
On the other hand, if you were targeted by e.g. MI5, you would probably be returned bugged hardware, and you had better not travel with a laptop there to begin with.

Kind regards

1- https://www.schneier.com/blog/archives/2008/05/crossing_border.html
2- https://www.thelawforlawyerstoday.com/2018/10/border-searches-of-your-e-device-encryption-may-be-of-limited-value-in-protecting-client-data/

Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
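The Diceware mechanics discussed in the quoted exchange (five d6 rolls select one word, the entropy is verifiable because it comes from the dice) and the reply's point that a local program is probably fine for generating passwords can both be made concrete in a few lines. The following is an added example, not code from any participant in this thread or from the Diceware or EFF projects. It assumes the standard Diceware parameters (five dice per word, a 6^5 = 7776-word list) and uses a constructed stand-in wordlist, since the real EFF list is not on the page; the 94-symbol printable-ASCII alphabet used for the "20 random characters" comparison is likewise an assumption made here for illustration.

```python
import math
import secrets

# Classic Diceware: five d6 rolls select one word from a 6^5 = 7776-word list
# (the EFF long list has exactly this size). These are standard Diceware
# parameters assumed for this example, not values taken from the thread.
DICE_PER_WORD = 5
WORDLIST_SIZE = 6 ** DICE_PER_WORD


def dice_to_index(rolls):
    """Map one word's worth of d6 rolls (each 1..6) to a 0-based list index.

    Reading the rolls as a base-6 number is what makes the scheme verifiable:
    anyone holding the same rolls and the same list arrives at the same word.
    """
    if len(rolls) != DICE_PER_WORD:
        raise ValueError(f"expected {DICE_PER_WORD} rolls, got {len(rolls)}")
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"a d6 cannot show {r}")
        index = index * 6 + (r - 1)
    return index


def index_to_dice(index):
    """Inverse of dice_to_index, useful for checking a printed list's numbering."""
    if not 0 <= index < WORDLIST_SIZE:
        raise ValueError(f"index {index} is outside a {WORDLIST_SIZE}-word list")
    rolls = []
    for _ in range(DICE_PER_WORD):
        index, digit = divmod(index, 6)
        rolls.append(digit + 1)
    return rolls[::-1]


def entropy_bits(symbol_count, alphabet_size):
    """Entropy of a uniformly random string: symbols * log2(alphabet size).

    Serves both sides of the comparison in the thread: words drawn from a
    7776-word list, or characters drawn from a 94-symbol printable set.
    """
    return symbol_count * math.log2(alphabet_size)


def roll_dice_locally(count):
    """The 'local program' alternative to casino dice: CSPRNG-backed d6 rolls.

    secrets.randbelow draws from the OS CSPRNG without modulo bias; the
    random module's Mersenne Twister is not suitable for secrets.
    """
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def generate_passphrase(wordlist, word_count, roller=roll_dice_locally):
    """Build a passphrase of `word_count` words, using `roller` for the dice.

    `roller` can be swapped for a function returning physical rolls typed in
    by hand, so the same lookup path serves both verifiable and local use.
    """
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError(f"a Diceware list must have {WORDLIST_SIZE} entries")
    words = [wordlist[dice_to_index(roller(DICE_PER_WORD))]
             for _ in range(word_count)]
    return " ".join(words)


if __name__ == "__main__":
    # Constructed stand-in for a real wordlist: entry i is simply "w<i>".
    demo_list = [f"w{i}" for i in range(WORDLIST_SIZE)]
    print(generate_passphrase(demo_list, 6))
    print(f"6 words from {WORDLIST_SIZE}: {entropy_bits(6, WORDLIST_SIZE):.1f} bits")
    print(f"20 chars from 94 symbols: {entropy_bits(20, 94):.1f} bits")
```

With a real 7776-entry list substituted for `demo_list`, six words give about 77.5 bits, against about 131 bits for 20 characters from a 94-symbol alphabet; the passphrase is weaker per symbol but far easier to remember, which is the trade-off the quoted message describes.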