[jwl]

If we make a crude risk assessment, it is way more likely that her account will be randomly hacked by a botnet if she has "kitten4" as a password than someone actively stealing her purse to get her passwords. And if the notebook with passwords was stolen/lost, she would at least know it and be able to take preventive measures.

For most people, writing (good and unique) passwords down in a notepad is a way more secure system than having the same bad password for every account.

[emj]

You only need unique passwords and a username.

Having a botnet guessing the random "kitten4" password for a random user account, is as likely as having your purse stolen for the passwords on that note. FWIW "m" is almost a secure password on a root account with an SSH that allows password authentication, even if you allow brute force attacks. Imperically speaking, obvisouly it's going to fail in the end but I hope you get my drift.

[badprose]

> FWIW "m" is almost a secure password on a root account with an SSH that allows password authentication

This is very counter-intuitive. Is the idea that guessing both the username and the password together is much harder than guessing the password when you already know the username?

In the kitten4 example, I would guess most botnets are working from a list of usernames/email addresses that they got from leaks.

[emj]

Thanks, I missunderstood GP about how kitten4 was used.

> Is the idea that guessing both the username and the password together is much harder than guessing the password when you already know the username?

No, to be clearer no one in the last 6 years has ever tried "m" as a password on my root accounts.

I feel very strongly that there is too much stigma around passwords, kitten4 is a nice password if you use it only once.