[deleted] do you recommend a 6-digit PIN or a long password?

A long password is more secure given certain assumptions, but also less convenient. Which makes more sense depends on one's threat model.

    • [deleted]

    de0u couldn't I just have put more sensitive data in a secondary profile with a long password? I figured I could put the long password in my password manager that is in my first profile?

    thank you!

      [deleted]
      Unfortunately you cannot access the secondary profile with your password manager from first profile.
      That's the reason why I have changed from using the great locally working KeePassDX app to the great online working Bitwarden password vault.
      Because after every change of any password I had to export my password database from one place/profile/device to every other place/device/profile.
      If I were at some point to forget to export/copy/update a password, I could lock myself out forever.

        • [deleted]

        Eagle_Owl okay so if my password manager is in the owner profile then I can copy and paste the extra long password from my vault to open the secondary profile?

          PaulDavis I also am more than happy with a 6 digit pin.
          As @de0u posts, it's all about your threat level.
          And the level of competence of your aggressor.

          But, randomised keyboard? That's Spy vs Spy stuff.
          They would have to watch you entering your pin, probably on multiple occasions, and then have access to your phone.
          I'll take the risk that a 1 in a million chance won't befall me.

          [deleted]
          No!
          While you are in owner profile, you have no access to the login window for the secondary profile.

          For security reasons, I let Bitwarden delete a cached password after 10 seconds.
          – But even if I were to set this time to 10 minutes in order to first copy the extra long password from the password manager of the owner profile without stress and then switch to the second profile in order to paste it there – this does not work because the cache is deleted when switching to the second profile.
          – Or perhaps to put it in more understandable and technically correct terms:
          The cache of one profile is never available for another profile.

            • [deleted]

            Eagle_Owl do you have a suggestion on how to use longer passwords? Or should I stick with the PIN?

              [deleted]
              See my favourite comic strip for this topic:
              https://xkcd.com/936/

              I don't use a PIN – I don't want to rely solely on the secure element in the phone.

              Because you need one really strong password for your computer/smartphone and another one as master password for your password manager, which you as human can memorise and handle:
              Select the second method of this great comic, maybe better with seven words instead of four.
              Write it down on paper (!), keep it in a safe place!
              And use it constantly, several times a day at first, to really memorise it.

              The following method helps you to memorise it as quickly as possible:

              1. Be sure to write it down (on paper!) and put it in a really safe place (for emergencies).
              2. On your PC/laptop, replace your previous password with your new passphrase of four to seven words (paper with new passphrase really created and secured?)
              3. Set the time for locking the screen from 30 minutes (?) or longer to max. 15 minutes!
                This means you often get the login screen and have to keep entering the new password phrase.
                Annoying, yes, but you'll quickly memorise your passphrase!

              It's like in the old days when there were no smartphones/redialling and you had to type a phone number a lot if you didn't get someone on the phone straight away.
              You quickly memorised even complex phone numbers without wanting to. :-)

                • [deleted]

                Eagle_Owl thank you for the tips! Is 4 worlds okay or does it have to be 7?

                  I just use a 12-character password and my fingerprint.

                  Is that dumb?

                    The best solution I have for this is what I do.

                    I use a YubiKey.

                    The YubiKey can act like a keyboard.
                    So I type in a shortish password, then press the YubiKey and it automatically types characters as a keyboard,
                    taking my password up to 64 characters.

                      • [deleted]

                      L8437 how do you do that??

                        [deleted] So the YubiKey has different features.

                        There is an option for "short press" and "long press" of the button.

                        You can type in your own diceware password in the YubiKey "long press" option. (That way if you lose it, you can manually type it in yourself.)

                        Then when you plug it into the phone or computer, you press the button and hold for a second, and it then rapidly types whatever you have set.

                        So what you do is...

                        When you set your phone password, you decide to manually type a short easy one, followed by pressing the YubiKey. Because the YubiKey acts like an external keyboard, this means you can have a much longer password without the inconvenience of having to type it in manually.

                        This means the YubiKey on its own only provides part of the password, so you can't gain access to your phone with JUST the YubiKey, as you would need to type in your manual password beforehand.

                        Does this make sense?

                          • [deleted]

                          L8437 it absolutely does! I have YubiKeys and have never tried this. How do I get to those options?

                          • [deleted]

                          L8437 NVM figured it out!

                            [deleted]
                            4 words (not worlds, I know – funny typo) are enough for normal circumstances.
                            But if you have an idea for a great 5, 6, or 7 word passphrase, why not?
                            It depends on your threat model and a very clever 4 word phrase you keep really private can be better than a bad 7 word phrase – or a good 7 word phrase you don't keep really, really secret. ;-)

                            Blastoidea
                            No, absolutely not!
                            If it is a good password (not anything we could find in any dictionary), then it's fine.
                            Assuming you don't live in the USA or another country where you can be punished for not unlocking your phone with a fingerprint when it is checked by a police officer, this is sufficient.

                            But even in countries with such dubious laws, all you need to do in the event of a police check is press and hold the power button and then quickly tap "Lock" or "Restart".
                            The password is then required (I personally wouldn't use a PIN, but a 6-digit PIN is also sufficient as long as the Secure Element can protect you with it).

                            L8437
                            YubiKey or any other hardware token:
                            Don't forget to buy at least two of them and use one or more of them as backup!

                            Because: if you lose one or it suddenly doesn't work anymore for any reason, then you are locked out.