[sthreet]

The way I do it is going to be insecure the moment I lose one password, but it is easier for me to remember than these things. I have a phrase that is at least 8 characters long and then I add something specific for the service. The initial phrase includes a number and capital, for example "ExampleP1ss" and I really should have a symbol somewhere in it except I haven't signed up for anything that requires a symbol. Examples of things specific to this would be "hacknews", "hackernews", "hackerNews", "ycominator", "hackercombinator", ... How (in)secure is this?

I also have it written down because I figure if someone has access to my personal computer physically, and they want my passwords they can probably install some keylogger or something else I don't understand, and this way I'll never forget my password. I also have a list of services that I am signed up for so I don't forget to change my reddit password because I haven't used reddit in the last three weeks after something like heartbleed happens. What I will not do is store my passwords in my browser, that seems like an awful idea. Especially because some things automatically sync across browsers.

[Phlarp]

>What I will not do is store my passwords in my browser, that seems like an awful idea. Especially because some things automatically sync across browsers.

The serious browser extensions that do this use encryption for syncing, you are correct that centralizing them all in a browser extension is a negative for security, but the upside of having random and different passwords for each site or service _far_ outweighs the risks posed by centralization or browser storage.

The odds that one or more sites you use end up leaking your plaintext passwords is far more likely than Lastpass being hacked, even the odds of someone identifying your self described insecure pattern from a series of these leaks is far more likely than getting burned by an extension.

I had my apprehensions before starting to use a password manager, but after six months I consider it absolutely essential and urge everyone else to use LastPass or a similar addon. The benefits massively outweigh the risks.

[tyrust]

>The odds that one or more sites you use end up leaking your plaintext passwords is far more likely than Lastpass being hacked

I'm not sure this is a fair generalization, especially without knowing the sites sthreet visits. Lastpass holds thousands of passwords and is probably a pretty big target for hackers. I don't doubt that they have great security, but nothing is guaranteed; one should at least admit that trusting Lastpass as a SPOF is a non-trivial decision to make.

[lewisl9029]

Any idea why browsers haven't implemented their own native password generation functionality yet?

If nothing else, having this functionality built into popular browsers would increase public awareness of better password practices by at least an order of magnitude.

[forgotpasswd3x]

There's an option you can enable in chrome://flags to enable a password generator. I don't believe the user gets any control over the password's complexity right now, but it looks like it's something that the Chrome team is at least considering.

I'm not aware of anything similar being built into Firefox.

[Phlarp]

Great question, I'd love to hear from someone on the Chrome or Mozilla teams about this. Until then we'll just have to assume they are all busy finding new and interesting ways for browsers to use up more system memory.

[gkanapathy]

Safari on the Mac does.

[vollmond]

I would think something like LastPass would be a good solution for you. Sure, it syncs across browsers and is stored remotely (on LastPass's servers), but at least it's encrypted and allows you to easily have very different passwords for every service you use.

Currently, someone just has to compromise your account on one third-party service in order to compromise every service you use (do you use Yahoo Messenger? I think all passwords are cleartext for that).

With LastPass, someone would have to compromise the (likely more secure LastPass service, or physically access your machine (and then compromise LastPass) in order to access your passwords. Seems just as easy to use, but more secure.

[constexpr]

What I do for most sites is to enter a one-off random string and forget it immediately. I just leave myself logged in and when I get logged out I just use the email password recovery to set a new random password. Your email password recovery mechanism is already the weakest link.

[sthreet]

Well, some websites I use are annoying and log me out fairly frequently, or maybe I'm just not checking the "keep me logged in" or something. But doing that every day is a huge pain.