by Jd 5306 days ago
Yep, I use the exact same strategy as VonLipwig and recognize that many of my accounts could be compromised. However, without having a central email account compromised, the ability of attackers to find other sites or extract meaningful value from them is quite limited, IMO. In fact, I'm not sure that there is anything meaningful to be extracted outside of email / dropbox / bank accounts / lastpass / github.
1 comment

> In fact, I'm not sure that there is anything meaningful to be extracted outside of email / dropbox / bank accounts / lastpass / github.

Some of the sites (the ones with more 'social' features) could be used by an attacker to impersonate you in a social engineering attack.

And it's not always clear at the beginning which sites are going to become those "more important" ones...

Way back when, in the days when I used a single "low grade" password for signing up and trying out sites, I registered on perlmonks.org, which I never ended up contributing to regularly and pretty much forgot about. I also signed up for this newfangled "micro blogging" service 'cause I could use it to send free text messages to my friends overseas. It was called Twitter. Three years later, I had a quite vibrant social life going on Twitter, and thanks to the browsers remembering passwords for me, I'd forgotten it was using my "low grade" password and I never upgraded it when the importance of that login increased. Until the perlmonks database (with its cleartext password storage) got exposed, and 5 or 6 hours later I started getting questions from friends about why I was spamming them on Twitter with Acai berry spam...

Now 1Password generates and stores all passwords for me. Its data is synced (via Dropbox) to my phone/spare phone/iPad/laptop/work machine/home machine/media center. I'm happy enough to not be able to log into any website whose password I've not bothered to remember when I don't have access to _any_ of those devices. I've got all 3 banking passwords in my head, two email passwords, a few important ssh key passphrases, and a few others (like my Apple ID password, since there are several places 1Password won't fill it in with Command-Backslash, so I find myself typing it often enough to remember it); for everything else I rely on my (multiply synced/backed up) 1Password database.

It's working out _really_ well so far (I've been using it ~18 months, and probably managed to transition to all random passwords about 12 months back.)
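The perlmonks-to-Twitter chain described in the comment above is exactly what a reuse audit over a password-manager export catches: one cleartext leak at a throwaway site reaches a high-value account that still shares its password. The following is an added example, not code from the thread and not 1Password's own code. The vault CSV (columns `site,username,password,tier`) and the "breach dump" are constructed inline for illustration, and the `tier` labels `high`/`low` are an assumption about how a user would tag their accounts.

```python
"""Password-reuse audit over a password-manager export (added example).

Constructed inputs, not real data:
  VAULT_CSV   - a CSV export with columns site,username,password,tier
  BREACH_DUMP - cleartext passwords "exposed" by a breached site
The audit reports (1) which accounts share a password with the leaked ones,
(2) every group of sites that share one password, and (3) high-tier accounts
whose password is also used on a low-tier (throwaway) site.
"""
import csv
import hashlib
import io
from collections import defaultdict

VAULT_CSV = """site,username,password,tier
perlmonks.org,alice,correct horse,low
twitter.com,alice,correct horse,high
reddit.com,alice,correct horse,low
bank.example,alice,Xk9!vQ2m#Lp8,high
github.com,alice,7tR$eW1q^Zn4,high
"""

# Constructed stand-in for the cleartext dump of a breached site.
BREACH_DUMP = {"correct horse", "hunter2"}


def fingerprint(password: str) -> str:
    """Hash before grouping so the report never carries raw passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def load_vault(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reuse_groups(entries: list[dict]) -> dict[str, list[str]]:
    """Map password fingerprint -> sites, keeping only shared passwords."""
    groups: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        groups[fingerprint(e["password"])].append(e["site"])
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def breached_accounts(entries: list[dict], dump: set[str]) -> list[str]:
    """Sites whose stored password appears in the leaked dump."""
    leaked = {fingerprint(p) for p in dump}
    return sorted(e["site"] for e in entries if fingerprint(e["password"]) in leaked)


def high_tier_sharing_with_low(entries: list[dict]) -> list[str]:
    """High-tier accounts whose password is also used on a low-tier site."""
    by_fp: dict[str, list[dict]] = defaultdict(list)
    for e in entries:
        by_fp[fingerprint(e["password"])].append(e)
    flagged: set[str] = set()
    for group in by_fp.values():
        tiers = {e["tier"] for e in group}
        if "high" in tiers and "low" in tiers:
            flagged.update(e["site"] for e in group if e["tier"] == "high")
    return sorted(flagged)


def audit(vault_text: str = VAULT_CSV, dump: set[str] = BREACH_DUMP) -> dict:
    entries = load_vault(vault_text)
    return {
        "reuse_groups": reuse_groups(entries),
        "breached": breached_accounts(entries, dump),
        "high_tier_at_risk": high_tier_sharing_with_low(entries),
    }


if __name__ == "__main__":
    report = audit()
    print("Accounts whose password is in the dump:", report["breached"])
    print("High-tier accounts sharing a password with a throwaway site:",
          report["high_tier_at_risk"])
    for fp, sites in report["reuse_groups"].items():
        print(f"Password {fp[:12]}... reused on: {', '.join(sites)}")
```

Run against a real export, the `breached` list is the set of accounts to rotate first; `high_tier_at_risk` is the list of accounts that were promoted to "important" without ever getting their own password, which is the failure the comment describes.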

You care about your identity and your tweets on Twitter. So, this is a sensitive account. It wasn't clear earlier whether you cared about your perlmonks.org identity so much. So, assuming the worst case scenario, this should have been considered a sensitive account as well.

This means that ideally you should have chosen different passwords for these two accounts.

For some sites like reddit, HN, etc. one may know very well in advance that they don't care about their identity and they would be happy to create a new account when they lose one. I think these are the only cases where password reuse is justified.

In my case, if the site becomes important to me, I change my password for that site. Except for certain sites, I don't make use of the browser's remember-passwords feature.
My most secure passwords are for Twitter and Facebook. I don't really use either anymore but I don't want to delete them as they contain some history.

The problem is that both position themselves as one login for tonnes of services. I do use Twitter to auth into services from time to time. This is why a strong password is important for these. An attacker could get into your account then cause some serious damage to your reputation both amongst your friends and to the outside world by authenticating themselves into one of the million services and acting like a prat.

I know that one of 3 passwords is compromised. All of my friends know it. Even some of my friends of friends know it. So far I haven't noticed any of my accounts being abused. If anything I have noticed friends using it as their memorable password :)

I agree, there is cause for some to be concerned about a "reputation damaging" attack. For most of us, however, this would be an annoyance and mere blip in our social presence. Also, what I mentioned is that there is not much incentive for anyone else to spend a lot of time and effort damaging my reputation. What would they get out of it, especially if the perpetrator remained anonymous?