[arch-general] How long do you make the passphrase for the private key?

Manuel Reimer mail+archgeneral at m-reimer.de
Mon Jun 24 20:31:18 UTC 2019


On 24.06.19 18:00, mpan wrote:
>    If you’re using a password manager, you should not care about the
> password being “too long”. After all it’s not you who type it. Go for 16
> or 20 random chars.

If the key is too complicated to remember or to type in manually, then I 
have to use a password manager which now saves my password to local disk 
again. Maybe encrypted with a master password.

Then we are back at the starting problem.

If someone can take my private key file, then he can also take my 
password manager database.

How strong would you make this master password and where to save this 
one? A second password manager?

I think if someone really takes over control of my PC, then I have to 
expect the password to be gone, too. If someone is really able to take my 
private key file, then I think he should also be able to install some 
kind of key logger.

And I really think that finally someone *has* to come up with some 
replacement for this password nightmare. Some kind of hardware key maybe.

I could protect the private signing key with a UUID (just call uuidgen 
on console). This should be pretty hard to crack but is impossible to 
remember so I would have to keep this written down somewhere and need 
this piece of paper every time I unlock the key for signing.

Manuel
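The thread compares two ways of picking a key passphrase: mpan's "16 or 20 random chars" and Manuel's `uuidgen` output. The following script is an added example (not from either poster) that generates both kinds of passphrase with a CSPRNG and puts numbers on the comparison: the entropy in bits each method yields, and the worst-case time an offline attacker would need to exhaust that keyspace at an assumed guess rate. The 94-symbol printable-ASCII alphabet and the guess rate of 10^12 per second are assumptions chosen for illustration; the real rate against a key file depends on the key derivation function the file format uses, which the thread does not name.

```python
import math
import secrets
import string
import uuid

# Assumption: "random chars" means printable ASCII without the space character
# (letters, digits and punctuation), 94 symbols in total.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Assumption: an offline attacker testing one trillion passphrases per second.
ASSUMED_GUESSES_PER_SECOND = 1e12

# Bits of randomness in a version-4 UUID: 128 bits minus the 4 version bits
# and the 2 variant bits fixed by RFC 4122.
UUID4_RANDOM_BITS = 122.0


def random_chars(length: int) -> str:
    """mpan's approach: `length` symbols chosen uniformly from PRINTABLE."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_uuid() -> str:
    """Manuel's approach: the same thing `uuidgen` prints, a version-4 UUID."""
    return str(uuid.uuid4())


def entropy_bits(method: str, length: int = 0) -> float:
    """Entropy of a passphrase drawn uniformly by the given method.

    For `length` symbols from an alphabet of size N the keyspace is N**length,
    so the entropy is length * log2(N). A UUID4 carries a fixed 122 bits.
    """
    if method == "chars":
        return length * math.log2(len(PRINTABLE))
    if method == "uuid4":
        return UUID4_RANDOM_BITS
    raise ValueError(f"unknown method: {method}")


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every passphrase of `bits` entropy."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def comparison() -> dict:
    """Entropy and exhaustive-search time for the methods discussed in the thread."""
    candidates = {
        "16 random chars": entropy_bits("chars", 16),
        "20 random chars": entropy_bits("chars", 20),
        "uuidgen (UUID4)": entropy_bits("uuid4"),
    }
    return {
        name: (bits, years_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND))
        for name, bits in candidates.items()
    }


if __name__ == "__main__":
    print("sample 20-char passphrase:", random_chars(20))
    print("sample uuidgen passphrase:", random_uuid())
    print()
    for name, (bits, years) in comparison().items():
        print(f"{name:16s} {bits:6.1f} bits  ~{years:.1e} years to exhaust")
```

The numbers show why a UUID is a reasonable stand-in for a 20-character random string: at 122 bits it sits between the 16-character (about 105 bits) and 20-character (about 131 bits) options, and at any plausible guess rate none of the three can be exhausted. The weak point the thread identifies is therefore not the passphrase's strength but where it is stored, which no amount of extra length changes.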