I don’t know about others, but I was a little put off by the mention of “password managers” in the beginning since that’s handing over the keys of your privacy to external powers.
Password managers are absolutely best practice and have been for at least a decade. Humans can’t remember that many good passwords, which means that the alternative to a password manager is basically always password reuse, which is insane. I will admit that I use keepass variants, and that I myself wouldn’t recommend any password manager (or much of anything else) with a cloud component, but some password manager is necessary. You can also use many of them for 2FA tokens.
Brave uses Google and Cloudflare and that it has built-in telemetry
I don’t use Brave either, and don’t know specifically what it uses Google or Cloudflare for… but an awful lot of the Web goes through Cloudflare nowadays regardless of your browser, and unless you’ve added a bunch of technical and easy-to-screw-up stuff, probably at least as high a proportion will cause your browser to download stuff from Google (and other places) at every visit, allowing them to track at least what “major” sites you’re hitting. Ad tracking is definitely a big deal, and the guide doesn’t address it, but browser choice is kind of down in the noise unless you’re going to go all the way and resort to Tor plus a whole bunch of this and that blockers.
using software to rewrite ones messages to get rid of ones personal ‘fingerprint’
The problem is that such software isn’t very widely used, may or may not actually remove your “style”, and tends to add its own “style” that makes you stand out as a user of it. And the content of what you say can also give you away. Really the right answer there is not to say anything you don’t need to say, or at least not anything you wouldn’t want to sign your name to, package up with everything else you’ve ever said, and mail to the worst possible people. Or at least not to anybody who doesn’t (a) need to hear it and (b) have the capacity and inclination not to leak it. Which is going to be a pretty short list.
I’d counter that you can in fact memorize ~arbitrarily many good passwords if you:
Use a procedure that generates passwords that are high-entropy but memorable.
A memorability-enhancing improvement on the common “generate N random words” is “generate N random words, then add more words until the passphrase is grammatically correct”. (Important: don’t rearrange or change the initial random words in any way!)
E. g., “lamp naval sunset TV” → “the lamp allows the naval sunset to watch TV”.
This doesn’t reduce entropy, since this is at worst an injective approximately deterministic function of the initial string.[1] But, for me at least, it makes it significantly easier to recall the password (since that makes it “roll off the tongue”).
Use spaced repetition on them. Like, literally put “recall the password for %website%” in an Anki deck. (Obviously don’t put the actual password there! Just create a prompt to periodically remind yourself of it.)
I’m not actually doing that for all my passwords, only for a dozen to the more important stuff.[2] But I expect this scales pretty well.
[1] Well, technically, this is only approximately injective: the worst case is that adding words to two random sequences would map them to the same phrase. E. g.:
“lamp naval sunset TV” → “the lamp allows the naval sunset to watch TV”
“lamp naval watch TV” → “the lamp allows the naval sunset to watch TV”
But I posit that this would never happen in practice.
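The entropy argument in the comment above (random words, then a deterministic “grammar” filler that must not lose information) can be checked mechanically on a small wordlist. The following is an added example, not code from the commenter: it enumerates every 3-word sequence over a constructed 8-word list, applies two fillers, and measures how many distinct phrases survive. The first filler only inserts glue words that are not in the wordlist, so it is injective and keeps all the entropy; the second is modelled on the footnote’s collision and inserts words (“watch”, “sunset”) that are themselves in the list, so two different random sequences can end up as the same phrase. The wordlist and both filler rules are constructed for the demonstration.

```python
import math
import secrets
from itertools import product

# Constructed toy wordlist (8 entries) so that every 3-word sequence can be
# enumerated; a real list such as the EFF large list has 7776 words.
WORDLIST = ["lamp", "naval", "sunset", "TV", "watch", "river", "cloud", "brick"]


def generate_words(n, wordlist=WORDLIST):
    """Pick n words uniformly and independently with a CSPRNG (secrets, not random)."""
    return [secrets.choice(wordlist) for _ in range(n)]


def ideal_entropy_bits(n, wordlist_size):
    """Entropy of n independent uniform picks from the list: n * log2(size)."""
    return n * math.log2(wordlist_size)


def filler_injective(words):
    """Grammar-style filler whose glue words ('the', 'allows') are NOT in the
    wordlist, so the original sequence can always be read back out of the
    phrase: an injective map, which cannot lose entropy."""
    return "the " + " allows the ".join(words)


def filler_leaky(words):
    """Filler modelled on the footnote's collision: it inserts words that are
    themselves in the wordlist ('watch', 'sunset'), so two different random
    sequences can be smoothed into the same phrase."""
    out = list(words)
    if "TV" in out and "watch" not in out:
        out.insert(out.index("TV"), "watch")
    if "watch" in out and "sunset" not in out:
        out.insert(out.index("watch"), "sunset")
    return " ".join(out)


def max_entropy_bits(filler, n, wordlist=WORDLIST):
    """Apply the filler to every n-word sequence and count the distinct
    phrases. log2(distinct phrases) is an upper bound on the passphrase
    entropy after filling; it equals the ideal value only when no two
    sequences collide. (The true Shannon entropy of a non-injective filler
    is lower still, because merged sequences make some phrases likelier.)"""
    phrases = {filler(list(seq)) for seq in product(wordlist, repeat=n)}
    return math.log2(len(phrases))


def preserves_entropy(filler, n, wordlist=WORDLIST):
    """True iff the filler is injective on all n-word sequences."""
    return math.isclose(max_entropy_bits(filler, n, wordlist),
                        ideal_entropy_bits(n, len(wordlist)))


if __name__ == "__main__":
    words = generate_words(4)
    print("random words:    ", " ".join(words))
    print("ideal entropy:   ", ideal_entropy_bits(4, len(WORDLIST)), "bits")
    print("injective filler:", filler_injective(words))
    print("leaky filler:    ", filler_leaky(words))
    for name, f in (("injective", filler_injective), ("leaky", filler_leaky)):
        print(f"{name}: {max_entropy_bits(f, 3):.2f} of "
              f"{ideal_entropy_bits(3, len(WORDLIST)):.2f} bits")
```

The practical takeaway is the one the footnote hints at: the filler is safe as long as it never rewrites, reorders or duplicates words that could have come from the wordlist itself. With a 7776-word list and six words the ideal figure is about 77.5 bits, and the enumeration trick above is only feasible on a toy list; on a real list you verify injectivity by inspection of the rule, not by brute force.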
I have more than 200 passwords now I think, and I’m starting to forget some of them. A password manager would probably be ideal if it could run completely locally, so that it’s not an online service, but rather a cryptographic program which uses a master key to generate sub-keys.
There’s an article with some criticism of Brave here. It looks like it’s written by somebody who has been on the internet too long and who doesn’t trust anyone or anything, but that’s exactly what I like about it.
Speaking of which, I don’t like the mindset “Oh well, you can’t avoid all these tech giants, so you might as well give up and let them collect whatever they want”. Almost all “alternative browsers” are just Chromium or Firefox under the hood, and almost all “alternative search engines” are just Google proxies (metasearch engines).
There’s enough information out there to uniquely identify like 95% of users across almost all services, but our footprints are just considered noise; the FBI doesn’t care if somebody downloads a song without paying for it. Now, consider what will happen once AIs can process all of it, and each person can be assigned a “digital FBI agent” to watch over them.
[2] I also use KeePass for the rest, synced through ProtonDrive. The fewer cloud services you have to trust, the better.
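The “cryptographic program which uses a master key to generate sub-keys” described in the comment about 200+ passwords is a deterministic password derivation scheme. The block below is an added illustration of that idea, not KeePass’s code nor any real manager’s scheme: the memorised passphrase is stretched with PBKDF2-HMAC-SHA256 into a master key, and each account’s password is HMAC(master key, site, username, rotation counter) mapped onto a symbol alphabet with rejection sampling so every symbol is uniform. The alphabet, the salt value, the iteration count and the sample passphrase are all constructed for the example.

```python
import hashlib
import hmac
import math

# Output alphabet (70 symbols). Constructed for this example.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*")

# A fixed, non-secret per-user salt (constructed value). It stops an attacker
# from precomputing one table that works for every user; it does NOT make up
# for a weak passphrase.
EXAMPLE_SALT = b"example-user-salt-v1"


def derive_master_key(passphrase: str, salt: bytes = EXAMPLE_SALT,
                      iterations: int = 600_000) -> bytes:
    """Stretch the memorised passphrase into a 32-byte master key.

    PBKDF2-HMAC-SHA256 is used because it ships in the standard library;
    600k iterations is the commonly recommended floor for this KDF. The
    passphrase is the single point of failure: every sub-key is a function
    of it, so it must be long (a random multi-word passphrase) and never
    reused anywhere else."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def _key_stream(master_key: bytes, label: bytes):
    """Expand HMAC(master_key, label || block_counter) into an unbounded byte
    stream, so the rejection sampling below can never run out of bytes."""
    block = 0
    while True:
        digest = hmac.new(master_key, label + block.to_bytes(4, "big"),
                          hashlib.sha256).digest()
        yield from digest
        block += 1


def derive_site_password(master_key: bytes, site: str, username: str,
                         counter: int = 1, length: int = 20) -> str:
    """Sub-key for one account. The label binds site, username and a rotation
    counter; bumping the counter changes this one password without touching
    any other site. NUL separators keep two different (site, username) pairs
    from concatenating to the same label."""
    label = f"{site}\x00{username}\x00{counter}".encode("utf-8")
    # Rejection sampling: accept a byte only if it is below the largest
    # multiple of len(ALPHABET) that fits in 256, so each symbol is uniform
    # instead of the low symbols being slightly favoured by plain modulo.
    limit = 256 - (256 % len(ALPHABET))   # 210 for a 70-symbol alphabet
    chars = []
    for b in _key_stream(master_key, label):
        if b < limit:
            chars.append(ALPHABET[b % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)


def password_entropy_bits(length: int = 20) -> float:
    """Entropy of one derived password to someone without the master key:
    length * log2(70), about 122.6 bits for 20 symbols."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample passphrase; use a randomly generated one in practice.
    mk = derive_master_key("correct horse battery staple sunset naval")
    for site in ("example.com", "example.org"):
        print(site, derive_site_password(mk, site, "alice"))
    print("after rotation:", derive_site_password(mk, "example.com", "alice", counter=2))
    print(f"{password_entropy_bits():.1f} bits per derived password")
```

Two caveats a practitioner would weigh before replacing a vault with this: it cannot hold passwords you did not generate (legacy accounts, site-imposed character rules, shared credentials), which is why pairing it with a local KeePass database as the commenter does is the usual arrangement; and because every sub-key is derived, compromise of the passphrase exposes all sites at once, with the rotation counter being the only per-site recovery lever and itself needing to be remembered or stored.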