by chronic940 3321 days ago
> store them securely in a password manager and use different passwords for each account

You are in about the 2% of the tech crowd (i.e., Bay Area software/data people). The vast majority of engineers do not use a password manager, let alone the entire US populace.

You severely overestimate the amount the average person cares about password security.


We're talking about best practices; I didn't make any claim about how many people use password managers.

The point remains - if you want to follow password best practices and optimize for user safety, don't enforce arbitrary password changes. You're right about ordinary users - we should provide them with fewer opportunities to shoot themselves in the foot. The lower the frequency they have to focus on generating passwords, the better.

True. But it's not just the Bay Area. My wife uses LastPass and 2FA and tells others about it at work, and she's a mental health counselor, not a software engineer. I guess my influence did have some influence. My parents are also on 2FA. We're in the Atlanta, Georgia, area, not the Bay Area ;-p
I'd much rather have a reasonable solution for widespread two-factor authentication than this password mess.

With my bank I have a password, an app on my phone that generates a key, and if I perform significant transactions, they call me to confirm before processing it.

The idea that I'm going to use a different password for every stupid site out there that I have an account with is a bit silly. If someone desperately wants to compromise some of them then so be it. Hijack my Twitter if it makes you feel better. I'm not going to waste mental energy on securing social media.

"Just use a password manager" sounds cute. Password managers are compromised, too. Password managers are about as trustworthy as the people who operate them. There's no way I'm handing my passwords for bank accounts over to some random company, and for passwords that protect pointless internet nonsense, I'm not going to use one either because it's irrelevant.

You can invoke this whole "password managers are secure" hoohaa. If they ACTUALLY encrypt your passwords properly and ACTUALLY don't save them on their own servers for whatever they want to do with them later, then yes, they probably are secure. But there's no way to be sure that that's the case. Trusting a password manager introduces more uncertainty into your password woes than they will ever make you more secure, if you really think this whole thing through.

The other issue with a password manager is that in theory, they work across platforms. That ends rather abruptly when you're not in a browser and need to enter a password into an app on your phone.

You seem to be operating under the assumption that all password managers are net-based and commercially operated.

This is not the case for PasswordSafe, not the case for the various KeePass implementations out there, and not the case for several other, lesser-known projects.

I have been a happy, contented and reasonably safe KeePassX user for many years. While I do see the point of two-factor auth in certain situations, I sincerely hope and pray it never takes off in a mandatory big way, uncalled-for annoyance as it is in most cases. My 36-character passwords usually do the job just fine.

> if someone desperately wants to compromise some of them then so be it. hijack my twitter if it makes you feel better. im not going to waste mental energy on securing social media.

This is a bit short-sighted; if you use the same password for everything and your Twitter account gets broken into, then every site where you have the same email address is potentially also broken into.

You don't need to use a web-based password manager.

I use the standalone KeePass app across all my devices, and can paste passwords into apps with no browser access required. I believe KeePass is widely regarded by those who know more than me as cryptographically solid. The only pain point is keeping the databases synchronized across all devices, but it's not that difficult.
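Several comments above turn on the same question: whether a password manager has to hand your secrets to a third party, and what "actually encrypt your passwords properly" means for a standalone tool like KeePass. The following is an added example, not code from KeePass, PasswordSafe or any commenter, written for this thread to show the shape of an offline vault: a master password is stretched with PBKDF2-HMAC-SHA256 (implemented inline from the standard library so the block has no external dependencies; a real project would use a reviewed KDF package), the entries are sealed with AES-256-GCM so any tampering or a wrong master password is detected on unlock, and per-site passwords come from the OS random source rather than the user's memory. The vault format (salt, nonce, ciphertext) and the iteration count are this example's own choices, and the sample entries are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one credential stored in the vault.
type Entry struct {
	Site     string `json:"site"`
	Username string `json:"username"`
	Password string `json:"password"`
}

const (
	saltLen    = 16     // random per-vault salt for the KDF
	keyLen     = 32     // 256-bit AES key
	iterations = 600000 // PBKDF2-HMAC-SHA256 work factor (OWASP guidance)
	header     = "vault-v1" // bound to the ciphertext as associated data
)

// pbkdf2SHA256 is a straightforward PBKDF2 (RFC 8018) over HMAC-SHA256.
// Written inline here only to keep the example dependency-free.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.Write(prf, binary.BigEndian, block)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// LockVault serialises the entries and returns salt || nonce || AES-GCM ciphertext.
// Nothing leaves the machine; the blob can be synced anywhere without exposing entries.
func LockVault(master string, entries []Entry) ([]byte, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plain, []byte(header))
	return append(append(salt, nonce...), sealed...), nil
}

// UnlockVault reverses LockVault. A wrong master password or any modified byte
// fails GCM authentication and returns an error instead of garbage entries.
func UnlockVault(master string, blob []byte) ([]Entry, error) {
	if len(blob) < saltLen+12 {
		return nil, errors.New("vault blob too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, sealed := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, []byte(header))
	if err != nil {
		return nil, errors.New("wrong master password or corrupted vault")
	}
	var entries []Entry
	if err := json.Unmarshal(plain, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

// GeneratePassword draws n printable ASCII characters (0x21..0x7e) from the OS
// CSPRNG, using rejection sampling so every character is equally likely.
func GeneratePassword(n int) (string, error) {
	const first, count = 0x21, 0x7e - 0x21 + 1 // 94 characters
	limit := 256 - 256%count                    // reject bytes that would bias the modulo
	out := make([]byte, 0, n)
	buf := make([]byte, 1)
	for len(out) < n {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		if int(buf[0]) < limit {
			out = append(out, byte(first+int(buf[0])%count))
		}
	}
	return string(out), nil
}

func main() {
	// Constructed sample entries; the generated password is unique to this site.
	pw, _ := GeneratePassword(36)
	blob, _ := LockVault("a long master passphrase", []Entry{{"bank.example", "alice", pw}})
	entries, err := UnlockVault("a long master passphrase", blob)
	fmt.Println(entries, err)
	_, err = UnlockVault("not the master passphrase", blob)
	fmt.Println("wrong password:", err)
}
```

The encrypted blob is safe to keep on a phone or sync between devices, which is the "keep the databases synchronized" chore the last comment mentions; what makes the scheme offline is that the only secret is the master passphrase, and the stretching makes each guess against a stolen blob cost 600,000 HMAC evaluations.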