Conversation

This is why I'm reluctant to recommend "any" password manager. You should use one, but which one? I know people who keep their passwords on text files in the cloud, and honestly that's better than many online password managers.
Quote Tweet
I always get angry replies when I say "use a password manager" is bad advice, but I stand by that! Here are some weekend thoughts about it lock.cmpxchg8b.com/passmgrs.html (tl;dr just use chrome!) 😆
And also: long, random passwords are useless on online services. You should be using different passwords everywhere, and once you do that, it **doesn't matter** if the passwords are offline crackable. If the site got pwned and the hashes dumped, then the site got pwned anyway.
I use default `pwgen` passwords (8 char pronounceable) for everything that isn't used to derive/wrap an actual encryption key, because that gives me a chance to actually remember the ones I use frequently.
Most sites have email password recovery with no friction (1FA via email) so it doesn't really matter if you save the password at all. You can set a new random one when the session expires. Perfectly good way of dealing with unimportant sites you hardly ever use (most of them).
I'd prefer not having 1FA via email for sites I care about but it's usually not an option. As an example, Twitter allows hijacking an account via email and they don't bother to authenticate the email server via either WebPKI (MTA-STS) or DANE. It applies to nearly every site.
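The MTA-STS point in the last reply can be turned into a concrete check a site operator can run against their own recovery-mail domain. The following is an added example written for this page, not code from anyone in the thread; it parses an RFC 8461 `_mta-sts` TXT record and `mta-sts.txt` policy and only accepts `mode: enforce`. The DNS record and policy text are constructed samples (no real domain), so it runs offline.

```python
"""Offline evaluation of an MTA-STS (RFC 8461) policy for a mail domain.
Used here to judge whether password-reset mail to that domain travels over
authenticated TLS. Sample inputs below are constructed, not fetched."""
import re

# _mta-sts.<domain> TXT record: "v=STSv1; id=<1-32 alphanumerics>[;]"
STS_TXT_RE = re.compile(r"^v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*;?$")


def parse_sts_txt(record: str):
    """Return the policy id from a _mta-sts TXT record, or None if not STS."""
    m = STS_TXT_RE.match(record.strip())
    return m.group(1) if m else None


def parse_policy(text: str) -> dict:
    """Parse the /.well-known/mta-sts.txt body; 'mx' collects every mx line."""
    policy = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def recovery_mail_is_protected(txt_record: str, policy_text: str) -> bool:
    """True only for a well-formed policy in enforce mode with MX and max_age."""
    if parse_sts_txt(txt_record) is None:
        return False          # no (valid) MTA-STS record: opportunistic TLS at best
    try:
        policy = parse_policy(policy_text)
    except ValueError:
        return False
    max_age = policy.get("max_age", "0")
    return (policy.get("version") == "STSv1"
            and policy.get("mode") == "enforce"   # 'testing'/'none' do not protect
            and bool(policy["mx"])
            and max_age.isdigit() and int(max_age) > 0)


# Constructed samples (example.net placeholder, not a real deployment)
GOOD_TXT = "v=STSv1; id=20240101T000000Z;"
GOOD_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.net\r\n"
               "mx: *.example.net\r\nmax_age: 604800\r\n")
TESTING_POLICY = GOOD_POLICY.replace("enforce", "testing")
```

A real check would fetch the TXT record over DNS and the policy over HTTPS from `mta-sts.<domain>` before passing them to these functions.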