derivepassphrase.git

@@ -49,7 +49,6 @@

 ### How-tos

 * How to choose a good service name

-* How to deal with "supported" and "unsupported" special characters (→ [TODO][BASIC_SETUP_PASSPHRASE])

 * How to deal with regular passphrase rotation/rollover (→ [TODO][BASIC_SETUP_PASSPHRASE])

 ### Reference

@@ -61,5 +60,4 @@

 * Why is `vault`'s `--repeat` option named this way if it counts occurrences, not repetitions?

 [BASIC_SETUP_PASSPHRASE]: tutorials/basic-setup-passphrase.md

-[BASIC_SETUP_SSH_KEY]: tutorials/basic-setup-ssh-key.md

 [HOW_TO_SSH_KEY]: how-tos/ssh-key.md

@@ -3,5 +3,7 @@ title: How-to overview

 ---

 * [How to setup `derivepassphrase vault` with an SSH key][SSH_KEY]

+* [How to deal with "supported" and "unsupported" special characters][SUPPORTED_SPECIAL_CHARACTERS]

 [SSH_KEY]: ssh-key.md

+[SUPPORTED_SPECIAL_CHARACTERS]: supported-special-characters.md

@@ -0,0 +1,48 @@

+# How to deal with "supported" and "unsupported" special characters

+

+Some services/websites impose a required minimum amount of "special characters" in their passphrases.

+`derivepassphrase vault` considers the following characters as special characters: `!"#$%&'()*+,./:;<=>?@[\]^{|}~-_`.

+However, in general, not every service/website will support this full range of special characters.

+Worse, the service/website may not explicitly list the range of special characters it supports.

+

+`derivepassphrase vault` supports restricting its range of special characters to `-_` via the `--dash` command-line option.

+Beyond this, `derivepassphrase vault` does not support arbitrarily restricting its range of special characters -- you cannot directly tell `derivepassphrase` that a certain special character is "supported" or not.

+Therefore, generating a passphrase acceptable to the service/website must be done indirectly, by finding a workable configuration.

+

+Typically, a base configuration is "mutated" by changing the passphrase length, or requiring more or less fixed characters, until a workable configuration is found.

+

+## Example

+

+The work account from the [tutorial "Setting up `derivepassphrase vault` for three accounts, with a master passphrase"][BASIC_SETUP_PASSPHRASE] has the following stipulations: exactly 8 characters, no spaces, and 1 special character, 1 letter and 1 digit.

+Per the tutorial, the first configuration was

+

+~~~~ shell-session

+$ derivepassphrase vault --length 8 --space 0 --symbol 1 --upper 1 --number 1 \

+>                        -p work

+Passphrase: [[I am an insecure master passphrase, but easy to type.]]

+r?9\XQR&

+~~~~

+

+… which contained the unsupported special character `&`.

+The stipulations forbid changing the length, but they do allow for the configured number of symbols, uppercase letters and digits to be mutated, and lowercase and uppercase letter counts to be exchanged.

+

+Some example configurations that might turn out to be workable:

+

+~~~~ shell-session

+$ derivepassphrase vault --length 8 --space 0 --symbol 3 --upper 3 --number 2 \

+>                        -p work

+$ derivepassphrase vault --length 8 --space 0 --symbol 1 --upper 1 --number 6 \

+>                        -p work

+$ derivepassphrase vault --length 8 --space 0 --symbol 3 --lower 3 --number 2 \

+>                        -p work

+$ derivepassphrase vault --length 8 --space 0 --symbol 2 --upper 2 --lower 2 \

+>                        --number 2 -p work

+$ derivepassphrase vault --length 8 --space 0 --symbol 1 --upper 1 --lower 1 \

+>                        --number 1 -p work

+~~~~

+

+For each such configuration, the user would check if the derived passphrase matches the supported set of special characters, and if so, use this configuration.

+

+If all such configurations are enumerated without success, then the service name would need to be changed, and the process repeated.

+

+[BASIC_SETUP_PASSPHRASE]: ../tutorials/basic-setup-passphrase.md

@@ -242,7 +242,7 @@ Other service providers may permit other characters (quite rare) or fewer charac

 !!! abstract "Further reading"

-    → How to deal with "supported" and "unsupported" special characters (TODO)

+    → [How to deal with "supported" and "unsupported" special characters][SUPPORTED_SPECIAL_CHARACTERS]

 For this case specifically, we restrict ourselves to the dashes as the only permitted special characters, and hope that this passes their passphrase policy.

@@ -305,3 +305,4 @@ This completes the tutorial.

 As a next step, you may want to [configure the accounts to use a master SSH key instead][BASIC_SETUP_SSH_KEY].

 [BASIC_SETUP_SSH_KEY]: basic-setup-ssh-key.md "Tutorial: Using a master SSH key with derivepassphrase vault on existing accounts"

+[SUPPORTED_SPECIAL_CHARACTERS]: ../how-tos/supported-special-characters.md

@@ -100,6 +100,7 @@ nav:

   - How-Tos:

     - how-tos/index.md

     - how-tos/ssh-key.md

+    - how-tos/supported-special-characters.md

   - Reference:

     - reference/index.md

     - Man pages:

@@ -15,6 +15,7 @@ nav:

   - How-Tos:

     - how-tos/index.md

     - how-tos/ssh-key.md

+    - how-tos/supported-special-characters.md

   - Reference:

     - reference/index.md

     - Man pages: