by phase_9 5125 days ago
I've just spent the last couple of hours creating unique logins for every site I can remember having a login for and storing them in KeePass (open-source password safe). The KeePass database is stored on my Dropbox account so it's automatically synced to all machines / devices I use.

I get the impression this is going to be a bit of a PITA, but with the rate these sites are being breached it's probably a sensible move.


FWIW, I did this a few years back (with 1Password, after having used Password Gorilla for a while). With the browser integration 1Password (and, I think, KeePass and LastPass) use, I think it's actually a productivity plus rather than a PITA...
Concur: I use 1Password and LastPass. There are a couple of critical accounts that are actually wrong in each (non-overlapping) and a couple I still only have in my head, but overall it's a huge plus on a day-to-day basis. And it's an incredible relief to read these announcements, pull up my password for that site, and see it's 20 random characters that I know aren't useful on any other site.
Yeah, my three internet banking passwords are in my head only, as are my two DNS registrar accounts - they're all 5-6 word passphrases (with non-grammatical capitalisation and punctuation) for memorability. The email account that all those accounts send password resets to is two-factor authenticated and not used (or published) anywhere else. (I've got hints about these phrases stored in 1Password, but not the passphrases themselves.)

Everything else is 16-char upper/lower/digits/punctuation randomly generated by 1Password (except where I need to back that down for sites/services that won't accept that length/charset).

I've also got my random 16-char AppleID password in my head, since I end up entering that often enough into places 1Password can't autofill.

I _think_ that's "paranoid enough" at least for now.

One thing I'd like 1Password to do is bug me about passwords that haven't been changed in some (configurable per login) time. I'm pretty sure in 2 years (or less) I'm unlikely to consider 16-char passwords "long enough".
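As an added illustration of the scheme the comments above describe (my own example, not the commenters' code and not anything from 1Password or KeePass), this generates a 16-char upper/lower/digits/punctuation password with a CSPRNG, compares its entropy with a 5-6 word passphrase, and flags logins whose password is older than a per-login limit. The 7776-word list size for the passphrase comparison is an assumption (a Diceware-style list); the sample entries and dates are constructed.

```python
import math
import secrets
import string
from datetime import date

# Character classes matching the "upper/lower/digits/punctuation" scheme.
CLASSES = [string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)                 # 94 characters
ALNUM = string.ascii_letters + string.digits  # "backed down" charset for picky sites
DICEWARE_WORDS = 7776                       # assumed word-list size, 6^5

def generate_password(length=16, charset=ALPHABET):
    """Uniformly random password over `charset` using the secrets CSPRNG.
    Rejection-samples until every class present in `charset` appears at
    least once, so the result is uniform over accepted passwords."""
    present = [set(c) & set(charset) for c in CLASSES]
    if length < sum(1 for p in present if p):
        raise ValueError("length too short to cover the requested classes")
    while True:
        pw = "".join(secrets.choice(charset) for _ in range(length))
        if all(not p or any(ch in p for ch in pw) for p in present):
            return pw

def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)

def stale_logins(entries, today, default_max_age_days=365):
    """Return (site, age_in_days) for entries older than their limit.
    Each entry may carry its own max_age_days, as the comment asks for."""
    stale = []
    for e in entries:
        age = (today - e["changed"]).days
        if age > e.get("max_age_days", default_max_age_days):
            stale.append((e["site"], age))
    return stale

# Constructed sample vault metadata (no real sites or secrets).
SAMPLE_TODAY = date(2011, 6, 15)
SAMPLE_ENTRIES = [
    {"site": "example-shop.test", "changed": date(2010, 1, 1)},
    {"site": "example-forum.test", "changed": date(2011, 5, 1)},
    {"site": "example-bank.test", "changed": date(2011, 5, 1), "max_age_days": 30},
]

if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(len(ALPHABET), 16), 1), "bits")
    print("5-word passphrase:", round(entropy_bits(DICEWARE_WORDS, 5), 1), "bits")
    print("stale:", stale_logins(SAMPLE_ENTRIES, SAMPLE_TODAY))
```

A 16-char random password over 94 symbols is roughly 105 bits, a 5-word Diceware-style passphrase about 65 bits and a 6-word one about 78 bits, which is why the memorised passphrases above lean on length plus a second factor.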