Conversation

Hector Martin
@marcan42
This is why I'm reluctant to recommend "any" password manager. You should use one, but which one? I know people who keep their passwords on text files in the cloud, and honestly that's better than many online password mangers.
Quote Tweet
Tavis Ormandy
@taviso
I always get angry replies when I say "use a password manager" is bad advice, but I stand by that! Here are some weekend thoughts about it lock.cmpxchg8b.com/passmgrs.html (tl;dr just use chrome!) 😆
20
84
Hector Martin
@marcan42
And also: long, random passwords are useless on online services. You should be using different passwords everywhere, and once you do that, it **doesn't matter** if the passwords are offline crackable. If the site got pwned and the hashes dumped, then the site got pwned anyway.
3
33
Hector Martin
@marcan42
I use default `pwgen` passwords (8 char pronounceable) for everything that isn't used to derive/wrap an actual encryption key, because that gives me a chance to actually remember the ones I use frequently.
5
30
Daniel Micay
@DanielMicay
Replying to
@marcan42
Most sites have email password recovery with no friction (1FA via email) so it doesn't really matter if you save the password at all. You can set a new random one when the session expires. Perfectly good way of dealing with unimportant sites you hardly ever use (most of them).
1
2
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
and
@marcan42
I'd prefer not having 1FA via email for sites I care about but it's usually not an option. As an example, Twitter allows hijacking an account via email and they don't bother to authenticate the email server via either WebPKI (MTA-STS) or DANE. It applies to nearly every site.
1
4