Password reuse is rampant: nearly half of observed user logins are compromised
While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible. And some of these password managers seem shady themselves. And if said manager needs a password that means someone only needs the one password which puts us back at square one.
These days I've resorted to physically writing my passwords down because I straight up don't trust anything that connects to the internet anymore for this kind of information. Like some lame puzzle in a video game where you have to look around the room for the password. But it still feels safer than anything that's connected to the internet.
How about KeePass then? It's an encrypted local database file you can sync/backup how and where you want. There are clients to open/edit it for Android, Linux and even Windows. The Android version can use fingerprint, if your phone has this hardware.
This feels a little too tinfoil-hat for me. The reality is that one strong password is going to be more secure than 50 weak passwords. If you use something like a passphrase with 30+ characters, cracking it with today’s methods will take longer than the heat death of the universe. Yes, it means all of your eggs are in one basket. But that’s why it’s important that basket is protected like Fort Knox.
And change the master password every year or two, which likely also upgrades the key used to encrypt your secrets. Someone breaking into your password manager is a lot less likely than someone breaking into one of the dozens or even hundreds of services you probably reuse passwords on.
This feels a little too tinfoil-hat for me.
Nah a lot of those services are ripe for abuse... The correct answer is to just use your own... keepass for "offline" on a USB stick type of thing... or host your own vaultwarden.
I reuse passwords quite intentionally. It reduces memory use.
Does the account have any saved personal info (other than email)? No? Continue.
Was the account used for credit card info? No? Continue.
Do I care about the account in some way? No, plus no to all of the above? Don’t care, use an easy to remember password and don’t bother saving it to my overly bloated password manager.
It absolutely causes problems with some cloudflare sites because that email/password combo was compromised decades back, but I usually have no intention of accessing the account again when I use it so I don’t actually care. It’s their problem at that point, and I never use legit info for any of it anyway (I have a spam email I use for these things, never with my own name or info, because they don’t fucking need it)
Does this account for the fact that it's a username password combo that makes it compromised? Just because larry_arsewipe@hotsnail.org used hunter2 as his password and got it leaked doesn't mean my credentials are at risk even if I used the same password.
I guess even then we're meant to be using random strings etc but that's pretty difficult when most people on the internet are old enough to remember when password managers that automatically generated secure passwords weren't a thing. When you're told to never write down a password and had to remember it manually you just created a universal password that you'd jam into everything else.
Yes and no, in my opinion. Attackers can keep a list of all compromised passwords, and try it even for accounts that may not be associated. This is a much smaller search space than to go through every possible password of length <= 32 (for example).
Lists of real passwords are very useful for helping attackers crack passwords. Lists can be hashed with various algorithms and then the hashes compared against exposed password hashes. If a hash matches then you know the password, without having to actually brute force the password in order to try and match the hash.
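The two comments above describe the same mechanism from both sides: a wordlist of previously leaked passwords is hashed once, and those hashes are compared against an exposed hash dump, so a match reveals the password without any brute force. The following Python is an added example, not code from anyone in this thread, showing the defender's use of that mechanism: a site auditing its own unsalted SHA-1 hash dump against a public leak list to decide who needs a forced reset, and the same lookup table used as a signup-time "is this password already known to be compromised" check. All passwords and hashes here are constructed sample data, not real breach data, and the function names are my own.

```python
import hashlib

# Constructed sample wordlist standing in for a public leak list (not real data).
LEAKED_WORDLIST = ["hunter2", "password1", "letmein", "qwerty123", "Tr0ub4dor&3"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, the kind of hash that makes precomputed
    lookup tables work. A salted, slow hash (bcrypt, scrypt, Argon2) would
    force the attacker to hash the whole wordlist once per user instead."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "exposed" dump from our own user table: hash -> username.
# Two of the three users picked passwords that appear in the leak list.
EXPOSED_DUMP = {
    sha1_hex("hunter2"): "larry",
    sha1_hex("qwerty123"): "pishadoot",
    sha1_hex("correct horse battery staple"): "alice",  # not in the wordlist
}


def build_lookup(wordlist):
    """Hash every wordlist entry once; this is the precomputed table the
    comment above describes, built here for auditing rather than cracking."""
    return {sha1_hex(p): p for p in wordlist}


# Built once at import time so both checks below can reuse it.
LOOKUP = build_lookup(LEAKED_WORDLIST)


def audit_exposed_dump(dump, lookup):
    """Return {username: recovered_password} for every user in the dump whose
    hash matches a leaked password. These accounts need a forced reset even
    if the dump itself never leaks: an attacker with the same wordlist would
    get the same answer."""
    return {user: lookup[h] for h, user in dump.items() if h in lookup}


def is_compromised(password, lookup):
    """Signup/login-time check: refuse a password that is already on a leak
    list. Comparing hashes means the plaintext list never has to be kept
    alongside the check; only the hashed table does."""
    return sha1_hex(password) in lookup


def main():
    hits = audit_exposed_dump(EXPOSED_DUMP, LOOKUP)
    print(f"{len(hits)} of {len(EXPOSED_DUMP)} users have a leaked password: {sorted(hits)}")
    for candidate in ["hunter2", "correct horse battery staple"]:
        print(f"{candidate!r} compromised: {is_compromised(candidate, LOOKUP)}")


if __name__ == "__main__":
    main()
```

The audit finds larry and pishadoot in one dictionary pass, which is exactly the point made in the thread: the cost to the attacker is one hash per wordlist entry, not one per possible password, so reuse of a leaked password is dangerous even under a different username. Salting the stored hashes removes the shared lookup table but not the per-user wordlist attack, which is why the signup-time check and a slow hash both matter.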
Unique, strong passwords are the most safe. Reused passwords are for sure weaker if you use the same login/email along with them, but even if you use the same password with unique usernames, it's still less secure than unique passwords.
I can use pishadoot everywhere on the internet (bad for other reasons, but as an example) and if I use unique passwords everywhere, my accounts aren't any less secure, they're just all easily tied together. If I use unique usernames everywhere but reuse the same password, in theory ALL of my logins are now more vulnerable to attack.