alee/relicario
1
0
Fork 0
Code Issues Pull Requests 8 Actions Packages Projects Releases Wiki Activity
Files
65d53af59435fcb8bd78c57cf55bb98f187b41ce
relicario/user_docs/passwords-and-generators.md
adlee-was-taken 3ab1320f42 docs(user): add user_docs/ end-user guide (12 pages) 
A friendly, task-oriented guide for non-technical users: README index,
getting-started, concepts, items, passwords-and-generators, totp,
attachments-and-documents, organizing, sync-and-backup, the-browser-extension,
recovery, faq. Every command/flag derived from the actual CLI surface
(`relicario --help` tree) and real extension behavior — no invented flags.
Org item-type parity is covered high-level pending the v0.8.1 B/C merge
(two TODO markers left for the rebase).
2026-06-20 21:08:00 -04:00

4.7 KiB
Raw Blame History

Generating strong passwords & passphrases

This page covers how to generate passwords and word passphrases with Relicario, how to check the strength of a candidate passphrase, and how to save your preferred generator settings so you never have to repeat yourself.

Two modes: random characters vs. word passphrases

relicario generate has two modes:

Mode What you get When to use it
Random characters (default) x7#Kp!mQr9Ew2@LnVdZ Site passwords, API keys, anything with a character limit
BIP39 word passphrase (--bip39) olive bridge furnace tangle whisper Your vault passphrase, disk encryption, anywhere you have to type it by hand

Quick examples

Generate a random 20-character password (default settings):

relicario generate

Generate a longer, 32-character password:

relicario generate -l 32

Generate a 6-word BIP39 passphrase:

relicario generate --bip39 -w 6

Generate a BIP39 passphrase with dashes between words instead of spaces:

relicario generate --bip39 --separator -

All flags

relicario generate [-l/--length N] [--bip39] [-w/--words N] [--symbols <SET>] [--separator <S>]
Flag What it does
-l, --length N Total length of the random-character password
--bip39 Switch to BIP39 word-passphrase mode
-w, --words N Number of BIP39 words to include
--symbols <SET> Symbol set: safe, extended, or a custom literal (e.g. !@#)
--separator <S> Word separator for BIP39 mode (e.g. a dash or an underscore)

About --symbols

  • safe — a conservative set that works on most sites without paste-rejection headaches.
  • extended — a broader set of symbols for maximum entropy when sites permit it.
  • custom literal — pass exactly the characters you want, e.g. --symbols '!@#'.

Defaults

Outside a vault, the built-in defaults are:

  • Random mode: length 20, symbol set safe
  • BIP39 mode: 5 words, separator space

Inside an initialized vault, any flag you leave off falls back to your saved generator defaults (see below). This means relicario generate inside your vault already "knows" your preferences — you only have to set them once.

Saving your generator defaults

Run this once inside your vault directory. Any flag you pass gets saved; flags you omit stay at their current value.

Switch to BIP39 mode and use 6 words by default:

relicario settings generator-defaults --bip39 --words 6

Switch to random-character mode with length 24 and extended symbols:

relicario settings generator-defaults --random --length 24 --symbols extended

Set a custom word separator for BIP39 mode:

relicario settings generator-defaults --bip39 --separator -

Full flag reference for settings generator-defaults:

Flag What it does
--random Switch the saved default mode to random-character
--bip39 Switch the saved default mode to BIP39 passphrase
--length N Random mode: default password length
--words N BIP39 mode: default number of words
--symbols <SET> Random mode: default symbol charset (safe, extended, or a custom literal)
--separator <S> BIP39 mode: default word separator

To see all current settings (including your saved generator defaults), run:

relicario settings show

Checking a passphrase's strength

Before committing to a passphrase, you can score it:

relicario rate "olive bridge furnace tangle whisper sunset"

Or pipe it in from stdin (keeps it out of your shell history — recommended):

relicario rate -

Relicario prints a score from 0 to 4 and an estimated number of guesses. Higher is better; aim for a 4 for anything important.

Informational only. The rate command does not block you from using a weak passphrase. It is purely a tool to help you make an informed choice.

A note on your vault passphrase

Your vault passphrase is Factor 1 of your two-factor encryption — the thing you type to unlock everything. A few things worth knowing:

  • Make it strong and memorable. You cannot reset it if you forget it (there is no recovery path for a lost passphrase — see Recovery for the full picture).
  • A BIP39 word passphrase is a great choice: easy to write down and type, hard to guess. Generate a few candidates with relicario generate --bip39 and use relicario rate to compare them.
  • Your passphrase is always entered locally, at a hidden prompt. It never leaves your device.

For a plain-language explanation of why both your passphrase AND your reference image are required to unlock your vault, see Concepts.

Next: Two-factor codes (TOTP)

Reference in New Issue View Git Blame Copy Permalink