You are reading content from Scuttlebutt
@dan %1xActvV5ewz1Y+llzzAT64M8QDcmxhlmnmZMOh249PQ=.sha256

About the password manager question - a suggestion:

If someone is already using a password manager they are awesome and doing a smart thing and should be encouraged to continue doing it rather than told that xyz password manager is 'approved' or 'disapproved' for their wallet keys (and who here is in a position to audit all the password managers forever?)
Perhaps they can ask some questions of their current password manager:
  • Is it run by a company that could disappear one day?
  • If so, are your passwords backed up in a secure form you can open with another tool?
  • Is there any way the service you use could read your passwords?
  • (...more/better questions here)
If you are not completely satisfied that your current password provider is secure (does not have access to your passwords) or that it is long-term future-proof (non-proprietary storage or secure backup format), then consider using KeePass instead or as well.
Then people can make an informed choice and not just take someone's word that their password manager is 'good' or 'bad' or feel discouraged from continuing to use something that works well for them in general.
I.e. suggest sharing the criteria primarily and the opinions secondarily. Great if we can confirm some other options too as examples, without offering a definitive guide that might not get maintained.
Getting people to use ANY password manager is sooooo hard; if they are already doing it then they are already heaps better at looking after their passwords than most of the world.

Also - a note about passwords - on a quick scan I see the guide suggests using a line from a well-known song. Many security experts do not recommend this practice, or at least suggest adulterating the string in some way with mixed characters - assume there are giant robot monsters out there spitting Star Wars quotes at your secured data!

#mmt #passwordmanager

@mix %xDM2s3VtKsDx2ivkih0KRzfqkbA1nQTxj/b7+nUfDdQ=.sha256

I feel a bit divided. I notice this group (#mmt) has a tendency towards wanting to enable people by providing all the detail for someone to make an informed decision.
I believe this can (paradoxically) be disempowering.

My general preferred method for introducing people to new concepts is like this:

[image: learning_spiral.jpeg]

The one on the left is where you drop all the detail at once. It sucks because there's heaps of theory and you have nothing to hang it on.

The one on the right is where you do several passes on the same concept, giving people enough to be able to put the idea into action. There are often omissions or lies involved in keeping that first pass manageable.
Exploring the complexity is way more fun when you feel like you've got something a little bit (and you're not drowning in details).

My preference is to make beginner resources which follow this path:

  1. I tell you what to do and tell you a simple story to help you grok it
  2. We explore some of the complexity together, and I encourage you to go off the deep end and try and answer some questions yourself
  3. You're your own explorer. I check in with you to share learning and learn from you.

TBH I get really annoyed with people delivering advanced level graduated / grey / complex thinking to beginners. e.g. Dan I would be hella surprised if you didn't have any opinions that could help me get going. Notice I'm using KeePass because you said it was good. I didn't want to do a literature review to get going. But now I've used KeePassX, I've gone and tried KeePassXC, and now I'm wondering why or whether it's better than OnePassword.
i.e. I think while there aren't absolute right answers, there are some kinda helpful opinions it would help people for us to share.

Perhaps this in itself is an experiment, and perhaps we should have resources for both paths and support people to know where they want to jump in. Actually I like this idea a lot. In depth resources are also rad.

Image from a blog post I wrote that's got some similar ideas, but in the context of classrooms.

@mix %sKTyWgxEkS4BBqjYxOeeHDfbn9kwb0fRgScuKc2WlOg=.sha256

ooooo you got me ranting - mix has some opinions about education. yessssir

@mix %6l4DfX0Sdk4469DgIEDwbuEMg1GI+UzVC4SiQPq9ryc=.sha256

Hey @Dan Hassan, I stated some strong opinions. I'm keen to check in on whether you have any pushback on them or where we're at.

Interesting learning: I did a speed-run of @Alanna through the multi-sig setup (because we both had a shit sleep, and I didn't want to hold this experiment up).

Alanna said "do I have to use KeePass or can I just use my password manager". I said "I don't know, I can't comment on it, don't know if we have a list of ok / not ok password managers yet. Sure, use your password manager"

So here's the bit that's interesting for the experiment:

  • you now have a multisig wallet but we've not talked about which password managers we trust
  • where's the bit where we do a security audit on ourselves?

This isn't meant as a singling out of Alanna. I think it's a very real-world case. I was a bit hurried, and we could be fine, or I could have just compromised the security of our shared wallet. Woop!

@kieran %KQN5xc8BNFOF0BhIxr191F9QjZgAZskgFTvP90ZzpKE=.sha256

Related point, but not a direct contribution to the teaching side of the conversation: @Dan Hassan @Alanna @mix, I've been looking at MasterPassword this week. Personally I think it's pretty neat and has considerably fewer dependencies than other password managers I've used.

I've written a basic sketch on how to start using it. Future guides could include more in-depth exploration of how it works, how to ensure you can always access the software, etc.

It's easy to use. I (and I imagine others learning how to use it) would be more interested in how/why it works than in how to set it up.

@dan %LoIjNer1IoXhnjYbI4CLHxe30aLF7h88LIZ3CWwxztg=.sha256

Hey folks! Loving this conversation so far.

My position on this is rather similar to the comment here. Using any password manager is better than no password manager.

I would like to zoom out and look at this from a different angle for a moment.

:telescope:

What if, instead of security being looked at specifically from the individual, we start to look at our interdependent security?

Let's start from the assumption that folks are not and never will be security experts. Let's not assume password best practice.

  • Is it possible for an organisation to achieve reasonable security through #interdependent process?
  • Is it possible for an individual to achieve reasonable security through #interdependent process?

In our 2/6 multisig wallet two compromises need to be made for someone outside the group to control the wallet.

In our 2/6 multisig wallet 5 wallets need to be lost for the funds to be locked in place.

Based on these two we can reasonably state: as you increase the number of signatories you increase the difficulty of outside control of the wallet. On the other hand, fewer wallets need to be lost for funds to be locked in place.

As you increase the number of signatories you increase the risks associated with a breakdown in consensus/group cohesion.

Many of us will have been part of relationships or projects which have gone through a breakdown in social relations at some point...

As part of this we could think about thinking through what would happen in the case of social breakdown. In commerce outside of state boundaries, such as commercial ships going through international boundaries, parties involved in some type of trade would elect arbitrators and then also the 'rule of law' they would follow...

How might #interdependent security increase with the election of arbitrators?


:microscope:

Ok, so - to zoom back in. I think any password manager is better than no password manager.

I think what we can offer this space actually are considerations and strategies / tools to tinker with the other aspects of 'security'....
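To make the two 2/6 statements above concrete, here is an added Python sketch (not from this thread or any wallet software) that, for a general k-of-n wallet, counts the key compromises an outsider needs to spend and the key losses that lock the funds, and estimates both probabilities under a constructed assumption that each key is compromised or lost independently at a fixed rate. It generalises the 2-of-6 case to every threshold k so the trade-off Dan describes can be read off as numbers.

```python
from math import comb


def compromises_for_theft(k: int, n: int) -> int:
    """Keys an outsider must control to spend from a k-of-n wallet."""
    return k


def losses_for_lockout(k: int, n: int) -> int:
    """Keys that must be lost before fewer than k signers remain (funds locked)."""
    return n - k + 1


def p_at_least(n: int, m: int, p: float) -> float:
    """P(at least m of n independent events occur, each with probability p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(m, n + 1))


def wallet_risk(k: int, n: int, p_compromise: float, p_loss: float) -> dict:
    """Theft and lockout probabilities, treating each key as independent."""
    return {
        "theft": p_at_least(n, compromises_for_theft(k, n), p_compromise),
        "lockout": p_at_least(n, losses_for_lockout(k, n), p_loss),
    }


if __name__ == "__main__":
    # Constructed per-key rates (assumption, not measured): 10% chance a key is
    # compromised and 10% chance it is lost over the period considered.
    for k in range(1, 7):
        r = wallet_risk(k, 6, 0.10, 0.10)
        print(
            f"{k}-of-6: theft needs {compromises_for_theft(k, 6)} compromises "
            f"(P={r['theft']:.5f}); lockout after {losses_for_lockout(k, 6)} losses "
            f"(P={r['lockout']:.5f})"
        )
```

Raising k drives the theft probability down and the lockout probability up; the 2-of-6 row reproduces the "two compromises" and "five losses" figures from the post.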

@mix %a0kIE9LHG9EgHfD8RV5iqHpSLh6Zh4l12qz7Ar2noFE=.sha256

ok cool - any password manager is fine. But KeePassXC is our recommended start point if you don't have one (this is my takeaway)

I like the interdependent security question @Dan Hassan. A lot. I notice that we just used a secure (encrypted, group-verified identities) social network (Scuttlebutt) to pass around a bunch of keys to set up a wallet.
I just imagined a future where you have a group here and I can push a button "start shared wallet" and select 5 friends... the interface takes care of the rest; all the others need to do is consent.

As to arbitrators - there's a common pattern I've heard in Savings Pools interviews that on the bank accounts they have 3 signatories - 2 from in the group, and 1 from outside it. It's a slightly different setup, but an interesting vibe which I kind of like.

"Need for arbitrators" is not something I feel the burn of at the moment. Perhaps there are stories about its importance, but in the savings pools I've talked to, trust and group-held conversation reign supreme.

@dan %u1R3fiQ41lxhf9TKkGkmPHznq8wmO9GwmJkH1HCe7ac=.sha256

@mix: "I just imagined a future where you have a group here and I can push a button "start shared wallet" and select 5 friends... the interface takes care of the rest; all the others need to do is consent."

In this future it would also be possible for each of the individuals to have their credentials sharded amongst their sphere of trust so that it's waaaaay less likely/possible for them to lose their shit. They could contact n of m (3 of 7) to authenticate they are who they say they are to be able to piece together their data again.

Thinking through this lens of #interdependent resilience at the social fabric layer as well as the technical fabric layer.

I suspect that's what we're inching towards envisioning rather than yet another 'wallet'.

@dan %GZ66+fZPiFVYGMbS5lfMkAEkkLO/ogwMkqJhL/3q588=.sha256

PDF article on password managers starts on page 76 - has a section on criteria in the middle... (and lots of other good tips about passwords and security questions, email subaddresses etc.) - you know, in case anyone's educational needs require more than just being told what to use. Ahem. https://www.trenholmstate.edu/uploads/library/Linux-Journal-2017-01.pdf
