alee/relicario
1
0
Fork 0
Code Issues Pull Requests 8 Actions Packages Projects Releases Wiki Activity
Files
3ab1320f425a7fe970c85d1249f306a1d0ab8d02
relicario/user_docs/passwords-and-generators.md
adlee-was-taken 3ab1320f42 docs(user): add user_docs/ end-user guide (12 pages) 
A friendly, task-oriented guide for non-technical users: README index,
getting-started, concepts, items, passwords-and-generators, totp,
attachments-and-documents, organizing, sync-and-backup, the-browser-extension,
recovery, faq. Every command/flag derived from the actual CLI surface
(`relicario --help` tree) and real extension behavior — no invented flags.
Org item-type parity is covered high-level pending the v0.8.1 B/C merge
(two TODO markers left for the rebase).
2026-06-20 21:08:00 -04:00

153 lines
4.7 KiB
Markdown
Raw Blame History

# Generating strong passwords & passphrases
This page covers how to generate passwords and word passphrases with Relicario, how to check the strength of a candidate passphrase, and how to save your preferred generator settings so you never have to repeat yourself.
---
## Two modes: random characters vs. word passphrases
`relicario generate` has two modes:
| Mode | What you get | When to use it |
|---|---|---|
| Random characters (default) | `x7#Kp!mQr9Ew2@LnVdZ` | Site passwords, API keys, anything with a character limit |
| BIP39 word passphrase (`--bip39`) | `olive bridge furnace tangle whisper` | Your vault passphrase, disk encryption, anywhere you have to type it by hand |
---
## Quick examples
Generate a random 20-character password (default settings):
```
relicario generate
```
Generate a longer, 32-character password:
```
relicario generate -l 32
```
Generate a 6-word BIP39 passphrase:
```
relicario generate --bip39 -w 6
```
Generate a BIP39 passphrase with dashes between words instead of spaces:
```
relicario generate --bip39 --separator -
```
---
## All flags
```
relicario generate [-l/--length N] [--bip39] [-w/--words N] [--symbols <SET>] [--separator <S>]
```
| Flag | What it does |
|---|---|
| `-l`, `--length N` | Total length of the random-character password |
| `--bip39` | Switch to BIP39 word-passphrase mode |
| `-w`, `--words N` | Number of BIP39 words to include |
| `--symbols <SET>` | Symbol set: `safe`, `extended`, or a custom literal (e.g. `!@#`) |
| `--separator <S>` | Word separator for BIP39 mode (e.g. a dash or an underscore) |
### About `--symbols`
- **`safe`** — a conservative set that works on most sites without paste-rejection headaches.
- **`extended`** — a broader set of symbols for maximum entropy when sites permit it.
- **custom literal** — pass exactly the characters you want, e.g. `--symbols '!@#'`.
---
## Defaults
Outside a vault, the built-in defaults are:
- Random mode: length **20**, symbol set **safe**
- BIP39 mode: **5** words, separator **space**
Inside an initialized vault, any flag you leave off falls back to your **saved generator defaults** (see below). This means `relicario generate` inside your vault already "knows" your preferences — you only have to set them once.
---
## Saving your generator defaults
Run this once inside your vault directory. Any flag you pass gets saved; flags you omit stay at their current value.
Switch to BIP39 mode and use 6 words by default:
```
relicario settings generator-defaults --bip39 --words 6
```
Switch to random-character mode with length 24 and extended symbols:
```
relicario settings generator-defaults --random --length 24 --symbols extended
```
Set a custom word separator for BIP39 mode:
```
relicario settings generator-defaults --bip39 --separator -
```
Full flag reference for `settings generator-defaults`:
| Flag | What it does |
|---|---|
| `--random` | Switch the saved default mode to random-character |
| `--bip39` | Switch the saved default mode to BIP39 passphrase |
| `--length N` | Random mode: default password length |
| `--words N` | BIP39 mode: default number of words |
| `--symbols <SET>` | Random mode: default symbol charset (`safe`, `extended`, or a custom literal) |
| `--separator <S>` | BIP39 mode: default word separator |
To see all current settings (including your saved generator defaults), run:
```
relicario settings show
```
---
## Checking a passphrase's strength
Before committing to a passphrase, you can score it:
```
relicario rate "olive bridge furnace tangle whisper sunset"
```
Or pipe it in from stdin (keeps it out of your shell history — recommended):
```
relicario rate -
```
Relicario prints a **score from 0 to 4** and an estimated number of guesses. Higher is better; aim for a 4 for anything important.
> **Informational only.** The `rate` command does not block you from using a weak passphrase. It is purely a tool to help you make an informed choice.
---
## A note on your vault passphrase
Your **vault passphrase** is Factor 1 of your two-factor encryption — the thing you type to unlock everything. A few things worth knowing:
- Make it **strong and memorable**. You cannot reset it if you forget it (there is no recovery path for a lost passphrase — see [Recovery](recovery.md) for the full picture).
- A BIP39 word passphrase is a great choice: easy to write down and type, hard to guess. Generate a few candidates with `relicario generate --bip39` and use `relicario rate` to compare them.
- Your passphrase is always entered locally, at a hidden prompt. It never leaves your device.
For a plain-language explanation of why both your passphrase AND your reference image are required to unlock your vault, see [Concepts](concepts.md).
---
**Next:** [Two-factor codes (TOTP)](totp.md)
Reference in New Issue View Git Blame Copy Permalink