• 20 Posts
  • 122 Comments
Joined 4 months ago
Cake day: February 25th, 2024

  • As long as you generate your passphrases properly (i.e. making sure they still have high entropy and don’t fall into the same pitfalls I listed, in case someone still decides to brute force your password as a passphrase), you can have a very secure passphrase. However, as far as sheer entropy goes, passwords have more entropy in a more compact space and are better in that respect.

    P.S. Some applications have a character limit, meaning you’ll get more entropy out of a password than a passphrase. You might accidentally get weak entropy in a passphrase because of the character limit.


  • You don't have to type in something 10x as long, so you can get a lot more entropy in a smaller space.

    This is especially useful when you require a lot of entropy; having an essay as your passphrase isn't very fun!

    The mnemonic can be anything you want it to be, as long as the words start with the respective letters.

    You can even make up your own rules, not just starting with the respective characters.


  • That’s a lot of supposition.

    For the sake of an example.

    The reality is the password guesser has a string of 29 characters.

    Actually, not even that. It would be hashed as a fixed length (256 bits usually).

    Again, most of what I was saying was just for the sake of an example to show that under the right circumstances the length of a password doesn’t dictate its security. Even if it’s an extreme, security is only as strong as its weakest link. I’m not denying that it can be unrealistic, and I’m not saying it’s insecure (hence the “grain of salt” section that addressed all of your points), I’m just showing how it could be possible.



  • they don’t even know they’re trying to guess words in the first place.

    That is true, but the math is still the same regardless.

    Suppose you had a word list of 1,000 five letter words. Each of your passphrases is 5 words long. That means you have 1,000^5 possible combinations of passwords, which is an entropy of ~49.8 bits. Even though each passphrase is going to be 29 characters long (5 five letter words plus 4 spaces in between), the password wasn’t generated character by character.

    By contrast, suppose you used all 95 characters on the (US) keyboard, an 8 character password has 95^8 combinations, which is an entropy of ~52.6 bits. Even though the passphrase has 21 more characters than the password, the password still has more entropy.

    Big grain of salt here: You can get a huge word list and remember much longer passphrases easily, but the point is to show that the number of characters doesn’t dictate the security of a password. If someone were to brute force a passphrase character-by-character, it would hold up very well, but a) Not many people use passphrases and b) It’s far more common to use password dictionaries than to brute force.

    Hope this helps! Here’s the Wikipedia page for password entropy

    P.S. If someone found your word list, they could probabilistically brute force your passwords. For example, if 75% of your five letter words started with the letter S, they could deduce that most of the words likely start with S, and they’ve already eliminated a few characters to brute force.
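The entropy comparison in the comment above, carried through in code. This is an added example, not part of the original comment: it computes bits of entropy for a word-list passphrase and for a character-by-character password, works out how many words the list would need to beat the 8-character password, draws a passphrase with the CSPRNG, and measures the first-letter bias from the P.S. The 1,000-entry word list is a constructed placeholder (the comment's "1,000 five letter words"), and the function names are this example's own.

```python
import math
import secrets
from collections import Counter

# Constructed placeholder list: 1,000 distinct entries standing in for the
# "1,000 five letter words" of the comment. A real generator would load a
# published list; this one exists only so the script runs offline.
TOY_WORDLIST = [f"w{i:04d}" for i in range(1000)]

PRINTABLE_ASCII = 95   # all characters on a US keyboard, as in the comment


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly and independently from the list.
    The character length of the result does not enter the formula: an
    attacker who has the list guesses words, not characters."""
    return n_words * math.log2(wordlist_size)


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose every character is drawn uniformly."""
    return length * math.log2(alphabet_size)


def words_to_match(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from the list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Draw words with the CSPRNG (secrets), never random.choice()."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def first_letter_bias(wordlist):
    """(letter, share) for the most common first letter in the list.
    Illustrates the P.S.: a leaked list where 75% of words start with 'S'
    tells a character-by-character guesser which letter to try first."""
    counts = Counter(w[0] for w in wordlist)
    letter, n = counts.most_common(1)[0]
    return letter, n / len(wordlist)


if __name__ == "__main__":
    pp = passphrase_bits(1000, 5)            # 29 characters long
    pw = password_bits(PRINTABLE_ASCII, 8)   # 8 characters long
    print(f"5 words from a 1,000-word list: {pp:.1f} bits")
    print(f"8 characters from 95 symbols:   {pw:.1f} bits")
    print("words needed to beat the 8-char password:",
          words_to_match(1000, pw))
    print("sample passphrase:", generate_passphrase(TOY_WORDLIST, 5))
    print("first-letter bias of a skewed list:",
          first_letter_bias(["salt", "sand", "soap", "tree"]))
```

With the comment's numbers the script gives about 49.8 bits for the passphrase and 52.6 for the password, and shows that a sixth word from the same list is enough to overtake the 8-character password. The bias function only describes the list; if words are still drawn uniformly, a word-guessing attacker gains nothing from the skew, but a character-by-character guesser does.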





  • While this may not be what you’re looking for, it’s worth mentioning that a good ol’ pencil and paper does wonders. It won’t have everything you need, but you can time how long you ran for with a stopwatch, count how many pushups you do, manually measure your pulse, etc. If you’re good with data processing you can stick the data in a spreadsheet and process it to see your progress. The bonus is you’ll learn a lot more about health through doing it yourself. Besides that, I’ve never used a smart watch or fitness tracker. I’ve just exercised until I get tired.



  • Most passwords can be converted to passphrases to help you remember them. A password “8pmfvt3bww7t” could be remembered as “8 pandas might find vases that 3 bears will wash 7 times.” Obviously not all passwords will work for this, but it’s a good way to remember random strings. Passphrases are long in characters but have an entropy dependent on how long your wordlist is. For example, 3 words might be 20 characters, but it’s easy to guess 3 words since you’re not going character by character.
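The password-to-mnemonic idea from the comment above, as an added example that is not part of the original post. It generates a random password over the comment's alphabet (lowercase letters and digits) with the CSPRNG, reports its entropy, and checks that a mnemonic sentence really does encode the password before anyone relies on it: each word contributes its first letter and each bare number contributes its digits. The parsing rules (trailing punctuation ignored, a multi-digit number kept whole) and the function names are this example's own assumptions.

```python
import math
import secrets
import string

# Alphabet of the example password "8pmfvt3bww7t": lowercase letters + digits
MNEMONIC_ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols


def random_password(length: int, alphabet: str = MNEMONIC_ALPHABET) -> str:
    """Character-by-character password from the CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_string_bits(length: int, alphabet: str = MNEMONIC_ALPHABET) -> float:
    """Entropy of a uniformly random string of this length over the alphabet."""
    return length * math.log2(len(alphabet))


def mnemonic_to_password(mnemonic: str) -> str:
    """Rebuild the password a mnemonic sentence encodes.
    Assumed rules: a word contributes its first character (lower-cased),
    a bare number contributes all its digits, trailing punctuation is
    stripped, and empty tokens are skipped."""
    out = []
    for token in mnemonic.split():
        token = token.strip(string.punctuation)
        if not token:
            continue
        out.append(token if token.isdigit() else token[0].lower())
    return "".join(out)


def mnemonic_matches(password: str, mnemonic: str) -> bool:
    """True if the story encodes exactly this password."""
    return mnemonic_to_password(mnemonic) == password


if __name__ == "__main__":
    pw = "8pmfvt3bww7t"
    story = "8 pandas might find vases that 3 bears will wash 7 times."
    print(pw, "<-", story)
    print("mnemonic matches:", mnemonic_matches(pw, story))
    print(f"{len(pw)} chars over {len(MNEMONIC_ALPHABET)} symbols: "
          f"{random_string_bits(len(pw)):.1f} bits")
    fresh = random_password(12)
    print("fresh password to build a story for:", fresh)
```

The entropy figure comes from how the password was generated (12 uniform draws from 36 symbols), not from the story: the sentence is a memory aid and adds nothing to the search space, which is the comment's point about passphrases whose words come from a list.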



  • If you completely lose your password to your vault there is nothing you can do, simple as that. Don’t lose it.

    Unfortunately, as mentioned in the post, there are some ways to lose access to your password that are out of your control. Furthermore, the more places you store your password the less secure it is. It would be a lot easier to be able to authenticate with multiple authentication methods individually, than to rely on having access to all of them at once. That’s the problem I’m trying to address here.

    Cloud-based sync is incredibly easy with self-hosted cloud, as pointed out by the KeePassXC FAQ. Self-hosted cloud is effectively a local solution.

    It is still subject to the issues listed in the 3-2-1 rule, however the goal of self hosting itself conflicts with that rule (since the rule dictates the use of off-site cloud storage). I will note, it does somewhat solve the issue of keeping database backups, as any device pulling from the local cloud server effectively becomes a backup of your database.