Hacker News
by SwellJoe 4856 days ago
So many people do this. It's the real problem, from my perspective, but I don't know how to solve it...even people I have the opportunity to talk to about it, at length, and explain the risks (like girlfriends), often still keep the same practice. Sometimes, they'll compromise and introduce a "secure password" for important stuff like bank accounts and GMail, and an "easy password" for stuff like forums and unimportant stuff.

An end to passwords would be awesome. But, I haven't seen a compelling solution to the problem.


The solution is to use a password manager. Keepass and Lastpass are pretty popular solutions and you'll be thankful later when one site is inevitably compromised and you don't feel like you have to change all your passwords.

It is absolutely worth the time to set up and start using.

That's my solution, but I've been unable to convince others to do the same. It's too complicated, they get confused, it doesn't work automagically enough. Whatever the reason, I have never successfully converted someone non-technical to using a password manager.
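One practical thing a password manager makes possible, and that the "secure password for important stuff, easy password for forums" habit described at the top of the thread does not, is auditing the whole vault for reuse. The script below is an added example, not code from any commenter here and not part of KeePass or LastPass; it reads a constructed CSV export (the column layout is assumed to resemble a KeePass 1.x CSV export), groups entries by password without ever printing the password itself, and flags weak entries and high-value accounts that share a password with anything else. The thresholds and the "high value" comment marker are assumptions for illustration.

```python
import csv
import hashlib
import io
import math
from collections import defaultdict

# Constructed sample vault export. Column names are modelled on the KeePass 1.x
# CSV export layout (an assumption); every value below is made up.
SAMPLE_EXPORT = """\
"Account","Login Name","Password","Web Site","Comments"
"Example Bank","alice","Tr0ub4dor&3","https://bank.example","high value"
"Webmail","alice@example.com","Tr0ub4dor&3","https://mail.example","high value"
"Hobby forum","alice99","password1","https://forum.example",""
"Other forum","alice99","password1","https://other-forum.example",""
"News site","alice","x7#Qv9!mLp2$Rt4@Wz8^","https://news.example",""
"""


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so the report can group entries without showing the password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def estimate_entropy_bits(password: str) -> float:
    """Rough upper bound: length * log2(size of the character pool actually used).
    Dictionary words such as 'password1' score better than they deserve, which is
    why audit() also applies a plain minimum-length rule."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into one dict per vault entry."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(entries: list[dict], min_length: int = 12, min_bits: float = 60.0) -> dict:
    """Return reused-password groups (keyed by fingerprint), weak entries, and
    high-value entries whose password is shared with any other entry."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        by_password[e["Password"]].append(e["Account"])

    reused = {fingerprint(pw): sorted(accts)
              for pw, accts in by_password.items() if len(accts) > 1}
    weak = sorted(e["Account"] for e in entries
                  if len(e["Password"]) < min_length
                  or estimate_entropy_bits(e["Password"]) < min_bits)
    # A reused password is only as safe as the weakest site holding it, so a bank or
    # mail account sharing its password with anything else is the first thing to fix.
    shared_high_value = sorted(e["Account"] for e in entries
                               if "high value" in e["Comments"]
                               and len(by_password[e["Password"]]) > 1)
    return {"reused": reused, "weak": weak, "shared_high_value": shared_high_value}


if __name__ == "__main__":
    report = audit(parse_export(SAMPLE_EXPORT))
    for fp, accounts in report["reused"].items():
        print(f"password {fp}... reused by: {', '.join(accounts)}")
    print("weak entries:", ", ".join(report["weak"]))
    print("high-value accounts sharing a password:", ", ".join(report["shared_high_value"]))
```

Run it against a real export only on a machine you trust, and delete the plaintext export afterwards; the script deliberately reports fingerprints rather than passwords so its output can be kept as a to-do list.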
Those are great, and I've used 1Password and LastPass to generate / store passwords for a couple years now, but they're not a proper solution.

If I have my super-secure password that I generated in my browser, Chrome will sync it and let me log in on my browser too. Great! Now how do I get that into my phone when the APP requests me to log in?

Answer: Some password system needs to tie into the IME of computers and phones in order to be effective and secure wherever your passwords need to go.

OpenID / OAuth seems like the general answer, but it's not easy to use, and it's not practical unless I can get my bank, Facebook, some mom-and-pop website and HN to all use the same system. IME integration would bypass all of these, and would be so much simpler than getting everyone to learn the OAuth dance.

> Now how do I get that into my phone when the APP requests me to log in?

As someone who recently factory reset their tablet and phone, boy was that painful. The password generator passwords are long and use a wide variety of characters, numbers and punctuation. Entering them is really tedious and time consuming. Usually you can't see the entered password so a single error means you have to keep trying again.

Hm. Maybe something like a QR-code keyboard that would allow you to scan and enter a code from your monitor into a text field?
I've been using a password manager to manage my super-secure password system for a few weeks. Since I started, my friends have been calling me paranoid.

What disturbs me about this, why I feel it's relevant, is that these are people with the technical ability to configure their own Minecraft servers and run jailbreak/root(?) hacks on consoles. Almost all of them have at least taken 1 or 2 C++ college courses or Codecademy courses. These people aren't technically challenged, nor are they Luddites. They should be aware of how insecure most passwords are, but they feel it's not relevant to their life.

Any suggestions on how to deal with that problem -- people calling you paranoid because you don't use an easy to remember password on all sites?

> Any suggestions on how to deal with that problem -- people calling you paranoid because you don't use an easy to remember password on all sites?

They think you are paranoid because they think that you are worried about Mark Zuckerberg logging in to your Google account or something along those lines. Explain that websites get compromised all the time - you could bring up the LinkedIn (http://lifehacker.com/5916177/65-million-linkedin-accounts-m...) or the Gawker (https://gawker.com/5712615/commenting-accounts-compromised-+...) compromise if they use one of those sites, and that when criminals get things like your Google passwords, they will often delete your data and try to scam your friends out of money - there are many stories, here is one about it: http://bits.blogs.nytimes.com/2007/11/09/e-mail-scammers-ask...

Merely linking to this blog on Facebook got me called paranoid by one of these friends just a few hours ago.
When you open an entry in KeePassDroid it adds entries to the notification pull-down menu to copy either the username or password. I find this works quite well. Browse to the key in KeePassDroid, then go to the app you need to log in to. Pull down the notification shade and select copy username to clipboard. Paste. Pull the notification shade and select copy password to clipboard. Paste. Done.
1Password has an iPhone app (and probably Android, too). You can sync all of your passwords over the network or dropbox. It's a bit more tedious than just using the 1Password browser plugins, but it works. Just copy the password from the app and paste it into the app/website/etc. 1Password will also open a browser window and enter your account details for you if you're using mobile web.
LastPass has great mobile apps with "copy notifications" if you're fortunate enough to be on Android. It makes it much faster than typing a password would be anyway.
So many people /do/ do this - but how many of them deign to lecture a CSR at a cell phone company on their lax security policies, then write up a long-winded blog about doing so, all the while being blind to, or wilfully ignorant of, their own security faux pas?

Oh, and now the CSR knows his banking password too. Handy.