by thot_experiment 1278 days ago
I don't think that having a unique password per site is unachievable. I do it and I don't use a PW manager. Even something as simple as prepending the site name in ROT13 to a reused password greatly reduces your exposure to the sort of background infosec threat radiation that's like 99.99% of the threat model for most people
3 comments

That gets broken as soon as some site requires you to rotate your password, or you choose to rotate it (maybe you entered it on a device you have become suspicious of). Now how do you remember the password for every website? You could keep some kind of... list, but then we are getting close to being back to password managers.
Cool, now go explain that to your parents. NOW make sure they go through and change every single password on every single account they currently have and don't just get annoyed like 5 passwords deep and decide not to bother.

The issue isn't you or me, it's what 99% of the world has to use. For the large majority of people, a password manager with one super strong password (and 2FA) makes WAY more sense.

> Even something as simple as prepending the site name in ROT13 to a reused password greatly reduces your exposure to the sort of background infosec threat radiation that's like 99.99% of the threat model for most people

If one goes with the infosec advice that you should calculate the entropy of passwords based on the assumption that the attacker knows the password scheme, then this password scheme provides zero entropy. So if there is zero cost for the cracker to pwn you as well as all the others that don’t have this kind of leetspeak obfuscation then you’re still pwned.
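The following is an added example illustrating the point made in the last comment; it is not code from the thread or from any of the commenters. It implements the "ROT13 site name prepended to a reused base password" scheme from the top comment, then plays the attacker who, per the stated assumption, knows (or can guess from a small family of) the scheme: one leaked site password is enough to recover the base and derive the password for every other site. The scheme family, the base password and the "breach dump" are all constructed for the example.

```python
import codecs
from typing import Optional, Callable, Dict, Tuple


def rot13(s: str) -> str:
    return codecs.encode(s, "rot13")


# Constructed family of "mental" per-site schemes an attacker would try first.
# Each entry maps a scheme name to (site_transform, position-of-tag).
# The family is an assumption for the example; a real cracker would use a larger one.
SCHEMES: Dict[str, Tuple[Callable[[str], str], str]] = {
    "rot13-prefix": (rot13, "prefix"),        # the scheme proposed in the thread
    "plain-prefix": (str, "prefix"),
    "rot13-suffix": (rot13, "suffix"),
    "plain-suffix": (str, "suffix"),
    "first3-prefix": (lambda s: s[:3], "prefix"),
}


def make_password(scheme: str, site: str, base: str) -> str:
    """User side: derive the per-site password from the site name and a reused base."""
    transform, position = SCHEMES[scheme]
    tag = transform(site)
    return tag + base if position == "prefix" else base + tag


def strip_tag(scheme: str, site: str, password: str) -> Optional[str]:
    """Attacker side: if `password` is consistent with `scheme` for `site`, return the base."""
    transform, position = SCHEMES[scheme]
    tag = transform(site)
    if position == "prefix" and password.startswith(tag):
        return password[len(tag):]
    if position == "suffix" and password.endswith(tag):
        return password[:-len(tag)]  # site names are non-empty, so tag is non-empty
    return None


def identify_schemes(leaked_site: str, leaked_password: str) -> Dict[str, str]:
    """Attacker step 1: every scheme in the family consistent with one leaked password,
    mapped to the base password it implies. This is the entire 'search' the attacker
    has to do: at most len(SCHEMES) guesses, regardless of how strong the base is."""
    result = {}
    for name in SCHEMES:
        base = strip_tag(name, leaked_site, leaked_password)
        if base is not None:
            result[name] = base
    return result


def derive_candidates(leaked_site: str, leaked_password: str, target_site: str) -> Dict[str, str]:
    """Attacker step 2: candidate passwords for `target_site`, one per consistent scheme.
    The attacker tries each candidate; the number of tries is bounded by the family size."""
    return {
        name: make_password(name, target_site, base)
        for name, base in identify_schemes(leaked_site, leaked_password).items()
    }


def demo() -> Tuple[int, list]:
    """Constructed scenario: a user applies the thread's ROT13-prefix scheme on three sites,
    one site is breached, and the attacker targets another. Returns (candidates tried, hits)."""
    user_base = "correcthorse"  # constructed, deliberately not a real credential
    victim = {s: make_password("rot13-prefix", s, user_base) for s in ("github", "netflix", "bank")}
    leaked_site, leaked_password = "github", victim["github"]  # constructed breach dump entry
    candidates = derive_candidates(leaked_site, leaked_password, "bank")
    hits = [name for name, pw in candidates.items() if pw == victim["bank"]]
    return len(candidates), hits


if __name__ == "__main__":
    tried, hits = demo()
    print(f"attacker tried {tried} candidate(s) for 'bank', matching scheme(s): {hits}")
```

Under the attacker-knows-the-scheme assumption the per-site tag contributes nothing: the base password's strength is irrelevant once any one site's password leaks in the clear, and even an attacker who only knows the family of likely schemes pays a handful of guesses, not the exponential cost that unrelated per-site passwords would impose. That is the sense in which the scheme "provides zero entropy" in the last comment, and the reason the second reply prefers a manager with independently generated passwords.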