For password management:
“Practical” means it works in practice, and “secure” means protected against compromise and actually works. How do we get the highest P + S value?
I am convinced that all encryption keys for files, not just certification keys, should be generated by a TRNG, be stored offline in a virgin air-gapped device (you first heard it here: never touched the internet), and the passwords should be stored on the air-gapped device too. Forget trying to remember really good passwords because we cannot do it. For example:
-D('w'!\":4D$ aC!)^x#82z-1&:=7c*$ Ege^)x+_mQN0i:!*515i?zaf
Now we have a physical security problem, and that is very good because it is a problem I can solve. The threat is not in my hometown, my neighborhood, etc., but rather on the big collection platform called the Internet. It is in Novosibirsk.
I am for writing all passwords down, but the trick is that what I write down is not my password and the method to figure out the real one is easy to remember. Huh? What I remember is what my passwords aren’t, and I use a pepper (but no pepper with keys…). Substitution and transposition, Russian copulation, etc., whose value can be quantified and whose strength still depends on the key, all of which is relatively easy to remember. And then I change the method once in a while. I don’t mind writing my pseudo-passwords on a little piece of paper to be stored in my wallet.
What ends up happening is that I do a lot of pecking at the keyboard, true, but one should, and I get to use really tough passwords, either for use on an air-gapped system or not, that employ all 94 characters, are truly random, and can change often. And I skip password managers, which I regard as dangerous.
Is that the best Security + Practicality solution?
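As an added illustration of the "pseudo-password on paper plus a memorized method" idea described in the comment above (this is example code, not the commenter's own scheme, and the function names, the pepper and the sample values are all made up here): the real password is drawn uniformly from the 94 printable ASCII characters with the OS CSPRNG, and what goes on the paper is that password after a pepper-keyed substitution (Vigenère-style shift over the 94-character alphabet) followed by a keyword-columnar transposition driven by the same pepper. The entropy helper quantifies the random password; the strength of the note against someone who has the paper rests only on the pepper, which is the point the commenter makes about the method's value being quantifiable.

```python
import math
import secrets
import string

# The 94 printable ASCII characters, excluding space.
ALPHABET = string.digits + string.ascii_letters + string.punctuation
assert len(ALPHABET) == 94
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def random_password(length: int = 32) -> str:
    """Draw each character uniformly from the 94-char alphabet using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string over an alphabet of this size."""
    return length * math.log2(alphabet_size)


def _check_pepper(pepper: str) -> None:
    if not pepper or any(c not in ALPHABET for c in pepper):
        raise ValueError("pepper must be non-empty and use only the 94-char alphabet")


def _shifts(pepper: str, n: int) -> list:
    """Repeat the memorized pepper to length n and map each char to its alphabet index."""
    return [INDEX[pepper[i % len(pepper)]] for i in range(n)]


def _order(pepper: str, n: int) -> list:
    """Keyword-columnar transposition: positions sorted by pepper index, ties by position.

    order[j] is the original position whose character is written at slot j of the note.
    """
    s = _shifts(pepper, n)
    return sorted(range(n), key=lambda i: (s[i], i))


def to_note(password: str, pepper: str) -> str:
    """Turn the real password into the pseudo-password that is written on paper."""
    _check_pepper(pepper)
    if any(c not in ALPHABET for c in password):
        raise ValueError("password must use only the 94-char alphabet")
    n = len(password)
    s = _shifts(pepper, n)
    # Substitution: shift each character forward by the pepper character at that position.
    sub = [ALPHABET[(INDEX[password[i]] + s[i]) % 94] for i in range(n)]
    # Transposition: reorder the substituted characters by the pepper-derived permutation.
    return "".join(sub[i] for i in _order(pepper, n))


def from_note(note: str, pepper: str) -> str:
    """Recover the real password from the paper note using the memorized pepper."""
    _check_pepper(pepper)
    n = len(note)
    order = _order(pepper, n)
    # Undo the transposition: slot j of the note holds original position order[j].
    sub = [""] * n
    for j, i in enumerate(order):
        sub[i] = note[j]
    s = _shifts(pepper, n)
    # Undo the substitution by shifting each character back.
    return "".join(ALPHABET[(INDEX[sub[i]] - s[i]) % 94] for i in range(n))


if __name__ == "__main__":
    pepper = "Ege^)x"          # made-up memorized pepper
    real = random_password(40)
    paper = to_note(real, pepper)
    print("real password :", real)
    print("on the paper  :", paper)
    print("recovered     :", from_note(paper, pepper))
    print("password bits : %.1f" % entropy_bits(len(real)))
    print("pepper bits   : %.1f" % entropy_bits(len(pepper)))
```

The two entropy figures printed at the end make the trade-off explicit: an attacker on the Internet faces the full password entropy, while an attacker holding the paper faces only the pepper's entropy plus whatever uncertainty the chosen method adds, so the pepper is what has to be kept strong and changed when the method changes.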