freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Document best practices for managing and memorizing passphrases #1136

Closed tildelowengrimm closed 7 years ago

tildelowengrimm commented 9 years ago

Passwords are terrible. When https://github.com/micahflee/passphrases (or the like) is ready, it should be recommended as a useful way to memorize diceware passphrases. However, the documentation should acknowledge the logistical and practical limitations of passphrase memorization and acknowledge other approaches which are easier but less secure — like keeping the passphrase on a piece of paper in a locked drawer or safe.

garrettr commented 7 years ago

Chatted with @micahflee about his Passphrases tool. It's currently unfinished and he has no plans to work on it. I don't know of any similar tools that we might consider recommending.

For now, we should focus on documenting best practices for both memorization and reasonably secure physical storage of passphrases, as recommended by @flamsmark. We can revisit tooling if any promising projects similar to Passphrases come to our collective attention.

In the long run, we might consider adding features to SecureDrop itself to assist users in memorizing passphrases: for example, a simple "Practice your Passphrase" view in the Source Interface, which would prompt sources (who are already logged in) to type their passphrase, then provide feedback on whether they got it correct or not. The elegance of such a feature will obviously be limited by the "no JavaScript on the Source Interface" constraint, but I think it is possible to implement something that would still be helpful.

redshiftzero commented 7 years ago

I like the "Practice your Passphrase" idea! If sources don't find the delay too annoying between attempts, it could obviate the need for them to ever write it down.

garrettr commented 7 years ago

It's important to note that there are two distinct groups of SecureDrop users who need to recall passwords:

  1. Sources
  2. Journalists/Administrators.

Advice for them should be similar, but may differ in some key ways. The advice will also have to be communicated in a mix of different locations (e.g. on the Source Interface, on the Journalist Interface, and in different locations in the documentation).

I think a "Dos/Don'ts" list is a good format for this type of advice.

Recommendations for Sources

  1. Do memorize your passphrase.
    • You should avoid creating physical or digital associations between yourself and your passphrase as much as possible in order to preserve your anonymity.
  2. If necessary, do write your passphrase down to aid in memorizing it.
    • Do store it in a safe place, such as a safe at home, or on a piece of paper in your wallet.
    • Do destroy it as soon as you feel comfortable that you have the passphrase memorized.
    • Don't store it on any digital device, such as your computer or mobile phone.
  3. Do review your passphrase regularly. It is easy to forget a long or complex passphrase if you only use it infrequently. We recommend reviewing your passphrase (e.g. by ensuring that you can log in to your account on the Source Interface) on at least a monthly basis.

Recommendations for Journalists/Administrators

These are similar to the recommendations for Sources, but there are a few differences due to differences in their threat model. The key difference is that journalists/administrators do not require anonymity, so it is less important to avoid creating associations between their identity and their credentials. Of course, it is still important for them to avoid losing control of their credentials to prevent unauthorized access.

Another key difference is that while sources only have one passphrase to memorize, journalists/administrators have a bevy of credentials that they need to keep track of. In general, we have tried to minimize the number of credentials that they need to personally memorize and manage, although there is still more work to be done on this front. We should encourage the appropriate use of password managers (such as KeePassX, which is included on Tails) to reduce the risk of losing availability due to a user forgetting their credentials.

In general, each administrator should have to:

  1. Keep track of their Admin Workstation Tails USB
  2. Remember the passphrase to unlock the persistent storage on that Tails USB

And each journalist should have to do the same for both their Journalist Workstation Tails USB and their Secure Viewing Station Tails USB. Memorizing further passwords beyond that point is counter-productive: an attacker who has access to any of those environments will be able to easily pivot to anything they wish to access, and increasing the burden to keep track of additional credentials is unpleasant for journalists and administrators and increases the risk that they will forget or use weak credentials, potentially compromising availability and/or confidentiality.

garrettr commented 7 years ago

Work in progress branch: https://github.com/freedomofpress/securedrop/tree/1136-passphrase-best-practices (warning: may get rebased at any time).