Passwords... and hackers

Quincy’s article on Medium about passwords might have you worried… but let’s be honest, how many people really do use the same password for several sites?

I definitely do. And I definitely don’t like the idea of running around and resetting ALL those passwords.

What solutions do you use for managing your passwords? Does anyone use a password manager like LastPass?

I love the idea of passwordless login but it will probably be a while before something like this is broadly adopted across many sites.

Nowadays we can sign in to almost any site using our fb/google/twitter accounts. So no need to worry!


I have given this a lot of thought because of a need to advise a lot of people on what they should be doing with regard to passwords. (I work in an IT support role.)

The solution I now suggest is to pick something complex and then use a variation on the theme for different websites or whatever you need a password for.

So for example, my basic password template might be hatsForSALE154!#

Then for GitHub I would use hatsForSALE154!#GH

For Gmail I would use hatsForSALE154!#GM

Make the base case complex, and then just vary it.

The advantage is you don’t need to memorize a bunch of passwords, you can recreate them on the fly, even after months of not using them.


This is really good advice!

I simply use LastPass and generate passwords. I have long and nonsensical word phrases I’ve memorized and use for google, amazon and lastpass itself, but the rest I simply let lastpass generate: so yeah, I don’t even know any of my passwords.

The idea of a password with a stem and a varying part is all right for some, but if everyone did it, the drawbacks would be obvious. Same reasoning goes for the supposedly secure “xkcd passwords” (e.g. “correct horse battery staple”). Most people will choose from their working vocabulary, not a whole dictionary (who wants “xanthosiderite” in their passphrase?), which gives the scheme much lower entropy than Munroe’s idealized model.

Passwords suck, and I’m pretty disappointed at SSO as an alternative. I don’t want Google, Facebook, or Github membership to become mandatory. Client certs were supposed to help fix this, but alas PKI remains an unfixable mess.
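As an added example (not code posted by anyone in this thread), the snippet below puts numbers on the three schemes discussed above: the stem-plus-site-tag template, an xkcd-style passphrase drawn uniformly from a 2048-word list versus one drawn non-uniformly from a working vocabulary, and a manager-generated random password. The 5,000-word vocabulary size, the Zipf weighting of word choice, the two-uppercase-letter tag alphabet and the 20-character generated length are all assumptions made for illustration; the figures they produce depend on those assumptions.

```python
# Added example, not code from the thread. Compares the guess space of the
# password schemes discussed: stem + site tag, an xkcd-style passphrase from a
# uniform word list versus a working vocabulary, and a generated password.
# The 5,000-word vocabulary and the Zipf weights are assumptions.
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` independent, uniformly random picks from an
    alphabet of `alphabet_size` symbols (Munroe's idealised model when the
    alphabet is a 2048-word list and the length is 4)."""
    return length * math.log2(alphabet_size)


def shannon_bits(weights) -> float:
    """Shannon entropy in bits of one pick made with the given relative weights.
    Any non-uniform weighting scores below log2(len(weights))."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)


def zipf_weights(vocabulary_size: int, exponent: float = 1.0) -> list[float]:
    """Assumed model of a working vocabulary: the k-th most familiar word is
    picked with weight 1/k**exponent, so a few common words dominate."""
    return [1.0 / k ** exponent for k in range(1, vocabulary_size + 1)]


def stem_scheme(stem: str, site_tag: str) -> str:
    """The 'complex stem plus a site-specific tag' construction from the thread."""
    return stem + site_tag


def stem_from_leak(leaked_password: str, tag_length: int) -> str:
    """What one breached site hands an attacker: strip the tag and the stem is
    known, so every other site's password is that stem plus a short tag."""
    return leaked_password[:-tag_length]


def remaining_tag_bits(tag_alphabet_size: int, tag_length: int) -> float:
    """Guess space left per site once the stem is known."""
    return uniform_bits(tag_alphabet_size, tag_length)


def generated_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Manager-style random password; use `secrets`, never `random`, for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    stem = "hatsForSALE154!#"                     # the template posted above
    github_pw = stem_scheme(stem, "GH")
    print(f"GitHub password:                {github_pw}")
    print(f"stem recovered from one leak:   {stem_from_leak(github_pw, 2)}")
    print(f"bits left per other site (AA-ZZ tag): {remaining_tag_bits(26, 2):.1f}")
    print(f"4 words, uniform from 2048:     {uniform_bits(2048, 4):.1f} bits")
    working = zipf_weights(5000)                  # assumed working vocabulary
    print(f"4 words, Zipf from 5000:        {4 * shannon_bits(working):.1f} bits")
    print(f"20 random printable characters: {uniform_bits(94, 20):.1f} bits")
    print(f"example generated password:     {generated_password()}")
```

The comparison that matters for the stem scheme is the last two figures it prints for it: the stem itself may be strong, but after a single breach the attacker only has to search the tag space for every other site. The Zipf figure is only as good as the assumed frequency model; replace `zipf_weights(5000)` with real word-frequency data to get a number you can defend.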

Huge +1 on that. I’ve been using LastPass for many years and am very happy with it.

Now that the company has been purchased by LogMeIn I’m keeping an eye on it, but since it has been vetted by none other than Steve Gibson, probably most famous for Spinrite (which I’ve been using for 10 years with great success), I’m willing to trust it for now.