
This is why I'm reluctant to recommend "any" password manager. You should use one, but which one? I know people who keep their passwords in text files in the cloud, and honestly that's better than many online password managers.
Quote Tweet
I always get angry replies when I say "use a password manager" is bad advice, but I stand by that! Here are some weekend thoughts about it lock.cmpxchg8b.com/passmgrs.html (tl;dr just use chrome!) 😆
And also: long, random passwords are useless on online services. You should be using different passwords everywhere, and once you do that, it **doesn't matter** if the passwords are offline crackable. If the site got pwned and the hashes dumped, then the site got pwned anyway.
I use default `pwgen` passwords (8 char pronounceable) for everything that isn't used to derive/wrap an actual encryption key, because that gives me a chance to actually remember the ones I use frequently.
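The post above trades entropy for memorability. As an added example that is not from the thread and is not pwgen's own code, the block below generates pwgen-style pronounceable passwords from a simplified consonant/vowel model (an assumption; pwgen uses its own phoneme table), computes the entropy of that model, and compares the expected guessing time against an offline cracker and a rate-limited online login, which is the distinction the thread is making. The guess rates are illustrative assumptions.

```python
"""Pronounceable-password entropy versus online/offline guessing.

Added example, not code from the thread or from pwgen. The consonant/vowel
alternation below is a simplified model of "pronounceable", not pwgen's actual
phoneme table, and the guess rates are assumptions for illustration.
"""
import math
import secrets

CONSONANTS = "bcdfghjklmnprstvwxz"  # 19 symbols
VOWELS = "aeiou"                     # 5 symbols
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # 62 symbols

# Assumed guess rates: a GPU cracker against a dumped fast hash versus a
# throttled online login endpoint. Both numbers are illustrative.
OFFLINE_GUESSES_PER_SEC = 1e10
ONLINE_GUESSES_PER_SEC = 10.0


def pronounceable(length=8, rng=secrets):
    """Alternate consonant and vowel positions using a CSPRNG (secrets.choice).

    `rng` only needs a .choice() method, so random.Random works for tests.
    """
    out = []
    for i in range(length):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        out.append(rng.choice(pool))
    return "".join(out)


def random_chars(length=8, alphabet=ALNUM, rng=secrets):
    """Fully random password over `alphabet` (what pwgen -s style output is like)."""
    return "".join(rng.choice(alphabet) for _ in range(length))


def entropy_bits_pronounceable(length=8):
    """Entropy of the pronounceable model: each position draws uniformly from
    either the consonant pool or the vowel pool, so bits add per position."""
    return sum(
        math.log2(len(CONSONANTS) if i % 2 == 0 else len(VOWELS))
        for i in range(length)
    )


def entropy_bits_random(length=8, alphabet=ALNUM):
    """Entropy of a uniformly random string over `alphabet`."""
    return length * math.log2(len(alphabet))


def expected_crack_seconds(bits, guesses_per_sec):
    """Expected time to guess a password of the given entropy: on average the
    attacker tries half the keyspace before hitting it."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec


def summary(length=8):
    """Return the numbers a reader would compare: entropy and expected crack
    time for both generators under the two assumed attacker models."""
    p_bits = entropy_bits_pronounceable(length)
    r_bits = entropy_bits_random(length)
    return {
        "pronounceable_bits": p_bits,
        "random_bits": r_bits,
        "pronounceable_offline_s": expected_crack_seconds(p_bits, OFFLINE_GUESSES_PER_SEC),
        "pronounceable_online_s": expected_crack_seconds(p_bits, ONLINE_GUESSES_PER_SEC),
        "random_offline_s": expected_crack_seconds(r_bits, OFFLINE_GUESSES_PER_SEC),
        "random_online_s": expected_crack_seconds(r_bits, ONLINE_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    print("pronounceable:", pronounceable())
    print("random alnum: ", random_chars())
    for key, value in summary().items():
        print(f"{key:28s} {value:12.2f}")
```

The output makes the thread's point concrete: an 8-character pronounceable password in this model carries roughly 26 bits and falls to an offline cracker in well under a second, but against a login endpoint throttled to a few guesses per second the same password takes weeks on average. Whether the offline number matters at all depends on the password being unique to that site, which is exactly why the thread treats per-site uniqueness, not length, as the property that matters for online services.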
Most sites have email password recovery with no friction (1FA via email) so it doesn't really matter if you save the password at all. You can set a new random one when the session expires. Perfectly good way of dealing with unimportant sites you hardly ever use (most of them).
They either have 1FA via email, SMS or either option. It's usually not possible to disable it. They make you set a password on top of that as another option, but you don't need it. Just throw it away. I probably only use ~3 sites where I'm not forced to have 1FA via email/SMS.