Conversation

This is why I'm reluctant to recommend "any" password manager. You should use one, but which one? I know people who keep their passwords on text files in the cloud, and honestly that's better than many online password managers.
Quote Tweet
I always get angry replies when I say "use a password manager" is bad advice, but I stand by that! Here are some weekend thoughts about it lock.cmpxchg8b.com/passmgrs.html (tl;dr just use chrome!) 😆
20
84
And also: long, random passwords are useless on online services. You should be using different passwords everywhere, and once you do that, it **doesn't matter** if the passwords are offline crackable. If the site got pwned and the hashes dumped, then the site got pwned anyway.
3
33
I use default `pwgen` passwords (8 char pronounceable) for everything that isn't used to derive/wrap an actual encryption key, because that gives me a chance to actually remember the ones I use frequently.
5
30
Replying to and
I'd prefer not having 1FA via email for sites I care about but it's usually not an option. As an example, Twitter allows hijacking an account via email and they don't bother to authenticate the email server via either WebPKI (MTA-STS) or DANE. It applies to nearly every site.
1
4
Replying to and
They either have 1FA via email, SMS or either option. It's usually not possible to disable it. They make you set a password on top of that as another option, but you don't need it. Just throw it away. I probably only use ~3 sites where I'm not forced to have 1FA via email/SMS.
1