by xlii 3203 days ago
Have you tried using a password manager?

The one I'm using has the capability to store multiple logins for the same site with easily-searchable notes (i.e. displayed in a pop-up when on the site).

For some sites I have like 20 sets of credentials and I never had a problem with keeping up with them.

Password managers don't help when you need to log in to a computer you don't own, e.g. a public computer at a library or office. Using password managers just makes it easier to lock yourself out when you need access most.
You've got web interfaces and mobile apps. I use 1Password and don't have this problem.
I have no interest in logging into a password manager web interface on a public PC. (But that's just me.)
You don't. You pull up your password on your phone and type it in manually onto the computer.
> You pull up your password on your phone and type it in manually onto the computer.

Sounds like someone isn't using a 100-character randomly generated password.

With mixed-case letters and digits, all you need are 22 characters.

A 128-bit security margin is considered good enough currently; a 62-character alphabet (26 lowercase, 26 uppercase, 10 digits) provides 5.95 potential bits of entropy per character; thus a 21.50-character password would provide 128 bits. You can't have a fractional character, so … 22 characters.

Typing 'tgcSq08O2fEZ5hcZk3Gvgk' in from a screen is easy enough, although not something I'd want to do every day.

Maybe try InputStick then?

Though I think 100 random characters is well beyond the point where you're no longer significantly increasing security by adding more characters. You can easily get 130+ bits of entropy with only 20 characters, and even for a ridiculously weak hashing algorithm like MD4 that'd be enough to withstand the entire combined strength of the Bitcoin mining network attacking your password for well over a billion years.

Parent poster said "web interfaces"
Thanks to 2FA, I don't have a huge concern logging into a password manager on a public PC.
Perhaps I'm overly paranoid. A public PC could be infected with god-knows-what malware that siphons off whatever text is entered or rendered in a page or on the screen.
I'm the same way: if I open my manager on a public PC, for all I know every single password I have is compromised.
I wonder if there's another way to solve this problem. For example, a plug-in that would store cookies as opposed to passwords - and then "populate" a new session with existing cookies to log you in transparently.
That sounds like a security nightmare...

Talking from experience: some sites also map the cookie to a browser ID, making a migration useless. It just causes your session to get invalidated.

You can test this yourself because it's pretty easy to 'import' cookies between browsers on the same PC. Or it was the last time I tried it.

More of a security nightmare than passwords? Maybe, though I can't see why...

Anyways, yeah I thought about binding auth cookies to some kind of persistent hash, although I'm not sure what it could be... IPs change (laptops moving), so do user agents (browser upgrades)... I guess I'll need to test this!

I do use one, which is the only thing that helps. I think my Slack fear was because a few Slack credentials weren't added when I signed up, so now I'm just afraid of Slack.

Password managers do salvage this particular trainwreck, but it's still a wreck.