While I think this is good, for memorization, I use 25-40 character random ascii passwords using /dev/urandom or
. I write these down in a notebook that I keep in a small safe in my computer room/ study. I
also add random characters inserted into the computer generated password. Some of these passwords are memorized
and not written down anywhere. For example the codes I use for user login and for cryptsetup and gpg are
memorized, while the codes for github, protonmail, and other online services are written down in a notebook that I keep in a safe. I use different passwords for every distinct online service.
Ultimately I would want a system as follows: 2 factor authentication, Factor 1
would be a 20-30 character
memorized passphrase number combination as mentioned above in >>1328
or using random memorized ASCII like I currently do. Factor 2
would be a 3.5" floppy disk with 1.44MB of random ASCII characters generated using OpenBSD on a Sun Sparc or DEC Alpha air-gap computer, with read only permissions and a hash, and the write protect toggle on. You would boot
your computer using both the disk key with the non-guessable ,random passphrase and with the memorized code.
You would keep the key in a safe in your study when not in use or on your person 24/7. Preferably you would
need both keys to open the encrypted computer. The memorized passphrase would allow you to boot to the point
where you need another key to decrypt the entire volume. This second stage uses a non dictionary, anti-brute
force password consisting of 1.44MB of random ASCII, that can't be guessed or memorized, stored on a floppy disk
for rapid destruction by neodymium magnet, mechanical shredding, and burning with a lighter. Once the volume is unlocked the computer should instruct you to remove the disk from the drive and stow it away, so that the OS never gets to or has the chance to read the contents of the disk once authenticated.
Getting password one requires drugging and tricking you into verbally revealing it (torture, false promises, truth serum
Getting password two requires breaking into your residence and obtaining the disk before destruction by either
cracking the safe where you store it while you're sleeping or away, or by taking it off of your person before you have a chance to demagnetize, shred, and burn it, (all of which could be done in 10-20 seconds if practiced).
Getting into the computer requires both passwords, and password two can't be memorized ( but could be copied, but not
without your knowledge) So if password two is destroyed password one can't open the computer, and if you and password one are captured , you can still attempt to withhold password 1.
You could probably also try to do this with a CD ROM or DVD ROM disk. Rapid destruction will be more challenging although possible (Cross shredder with a grinder and some gasoline; this might take 1 min -2 min ) .
Someone should write a mod or patch for LUKS that enables this system to be deployed.