[nonrandomstring]

> The point of the article

It's fine that you found that to be the singular "Point" of the article. Discuss that if you like. But no, sorry, articles do not come stamped with "This is the point from which you will not diverge". My remarks are both relevant and valid and I do not wish you or anyone else to tell me what you think the "Point" of the article is. These comments are made in good faith (please don't bandy specious accusations of trolling) to address what I and many others consider a widespread misunderstanding around password security.

[card_zero]

I agreed with you, but I kept quiet because I am not a sensible person and I didn't want to make you look bad. But yes, my immediate reaction to the article was "just don't sign up for things, have a small number of passwords for a small number of vital things, no problem."

Somewhere I have a page in a notebook with 20 or so passwords written down (in the basic cipher I've used since I was 12). If this was stolen, after some effort, the thief would be able to access things like ... a forgotten Github account, my abandoned efforts to learn from Duolingo, and a Reddit account I haven't used for two years. I would be mildly irritated. I am happy with this arrangement.

[nonrandomstring]

> my immediate reaction to the article was "just don't sign up for things, have a small number of passwords for a small number of vital things, no problem."

I recently interviewed a bunch of people in the age range of 30 to 70 on "personal cybersecurity". A surprisingly large number, no, in fact the overwhelming majority though the same way as you... once you get to the limits of your memory with passwords it's dangerous and counterproductive to reach beyond that and it's time to cull and prioritise according to "attic theory" :)

Unfortunately many online services don't make it easy to delete accounts, nor do they time out after a sensible period like one year.

> Somewhere I have a page in a notebook with 20 or so passwords written down (in the basic cipher I've used since I was 12)

Before anybody tells you that "using a basic cipher" is weird or eccentric, maybe half of the over 50s I spoke to, all regular folks, told me they use the same paper notebook kept in a safe place at home plus some obfuscation. Also about "two dozen" (24) accounts seems the average pool.

Any more than that and I think the system is working backwards, placing an undue security onus onto the person and not the service.

Passkeys have their use (I keep some super important pass phrase protected ssh keys somewhere physically safe). And some people need to maintain a very large collection of access tokens, like if you're a system administrator and that's your job.

But I think creating a tower of cards that enables people to maintain over 300 accounts for casual, personal use, is a disservice and actually encourages bad security practices.