by alkonaut 639 days ago
A good password

- Must be likely to enter correctly on the first attempt, on a bad mobile keyboard, or using a TV remote.

- Must be likely to be remembered in my stupid brain even if I haven't used it for many years. Must work even in places where you can't use a password manager (such as a smart TV, games console, ...).

Other less important requirements to me, in 99% of cases:

- It's hard to guess for someone else, unless it's an account where you mind someone guessing it.

The last point is key. I have thousands of accounts. And I care about people not breaking into maybe 4 of them.

I don't trust sites to have good lost password ("email login") flows. So for 90% of sites and services I use a password that is a) as simple as possible and b) as common as possible so I don't have to remember many. Yes I AM a developer. Yes I DO use a password manager. But I don't know whether I'll be able to use my password manager when I sign into a specific account next time. It's more likely than not that it ends up being on a smart TV or whatever. So I just use a stupidly simple password. Because for almost all sites, I don't mind it being guessed. Worst case I'll need to reset it. Or worst case someone starts a support request in my name at Logitech, or someone screws with my Netflix viewing history or whatever. But I don't care. Or rather, I care much less than I care about not being frustrated when desperately logging in via a TV remote 3 minutes after the game has started.

I guard the important accounts with 2FA (especially the mail account that in turn resets ALL these other poorly protected accounts!). But for 99% of stores, forums, services: I use the equivalent of "12345" as password. (really I use a small prefix word + the service name 'initials' as suffix and end with an exclamation mark to pass most password demands).

2 comments

> where you can't use a password manager (Such as a smart TV, games console, ...)

I just open my password manager on my phone and type it in. On these passwords, I am likely to avoid special characters, since they are a pain to type on these 'keyboards'

That's WAY too much work. I used LastPass, 1Password and Keeper as password managers. None of them is good enough to use that flow. Either the password is short and simple enough that I want to tap it in with a remote (i.e. <8 lowercase chars forming a dictionary word with maybe a digit added for good measure), in which case I won't need the manager. Or it's longer or more complex than that, in which case I don't want to type it in. In any case, having to take out a phone, start the pw manager app, log in (even with face/thumbprint), search for the site and show the password before entering it makes it like 5 steps instead of 1. Password managers that don't auto fill might as well not exist.

This is what diceware is the perfect remedy for. Sequence of randomly selected words with your choice of delimiter, reasonably easy to input even with a shitty touch-screen keyboard.

Surprised it's not a default option for modern password managers, to be honest.
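The diceware scheme the comment above refers to, as an added example that is not part of the thread: each word is picked by a sequence of fair six-sided dice rolls indexing a fixed word list, so the entropy is simply the number of words times log2 of the list size, independent of how "hard" the words look. The code uses the `secrets` module in place of physical dice (never `random`, which is not a CSPRNG). The 36-entry word list is constructed here so the example runs offline; the real Diceware list has 7776 = 6^5 words and is what you should actually use.

```python
import math
import secrets

# Constructed toy word list (36 entries, one per pair of dice rolls), used
# only so this example runs offline. The real Diceware list has 7776 = 6**5
# words, one per sequence of five rolls.
TOY_WORD_LIST = [
    "acid", "apple", "bank", "bread", "cable", "candle",
    "cloud", "crane", "delta", "dust", "eagle", "ember",
    "fence", "frost", "glass", "grape", "harbor", "hinge",
    "ivory", "jelly", "kettle", "lemon", "maple", "moss",
    "nickel", "olive", "paper", "pearl", "quartz", "river",
    "salt", "stone", "tiger", "violet", "wheat", "zebra",
]


def dice_per_word(list_size):
    """Number of d6 rolls needed to index a list of this size (6**k == size)."""
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError("word list size must be a power of 6")
    return k


def roll_word(word_list):
    """Select one word by rolling k dice; each roll is one base-6 digit of the index."""
    k = dice_per_word(len(word_list))
    index = 0
    for _ in range(k):
        index = index * 6 + secrets.randbelow(6)  # CSPRNG stands in for the dice
    return word_list[index]


def diceware_passphrase(word_list, n_words, delimiter="-"):
    """Join n independently rolled words with a delimiter of the user's choice."""
    return delimiter.join(roll_word(word_list) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Fewest words from this list that reach the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase = diceware_passphrase(TOY_WORD_LIST, 4)
    print(phrase, f"({passphrase_entropy_bits(len(TOY_WORD_LIST), 4):.1f} bits)")
    print("real Diceware list, 6 words:",
          f"{passphrase_entropy_bits(7776, 6):.1f} bits")
    print("words needed for 80 bits from the real list:", words_needed(7776, 80))
```

With the real 7776-word list each word contributes about 12.9 bits, so six words give roughly 77.5 bits and seven clear 80, which is why the usual advice is six or more words. The delimiter adds nothing to the entropy; it only makes the phrase easier to read back and type on a remote.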

You should only rely on your memory for passwords that you use frequently. Rarely-used passwords should be kept somewhere safe and well-maintained, such as a password manager and/or on paper.

Rarely used passwords are often a "reset password" anyway. But if it's some store or whatever that I use maybe once every 5 years, does it matter what the password is? My point was this: for most accounts, there is no risk involved with anyone guessing my password. It doesn't matter whether I return to a store and some hacker has guessed the password or they were poorly hashed and their database leaked and my 12345 password was swiftly reversed. Because all you can do with my password on that store is... I'm not even sure what it is. Post spam in product review pages?