top | item 16050924


UntitledNo4 | 8 years ago

My alternative is believing that not all websites you log into pose the same risk to you and accepting some risk. This means I divide websites that require login into two categories:

1. I don't care if somebody gains access to my account

2. I do care if somebody gains access to my account

I use the same password for all the websites in the first category. It should be at least 8 characters long and consist of a made-up word with some numbers and characters. Example: 7%Frifells. I drop the special character on websites that don't allow them in passwords, and then it's a matter of failing to log in once and trying without it.

I use a different "xkcd" password (https://www.xkcd.com/936) for every website on the second one. Those are essentially catchphrases which I end up associating with the website I use them for. They consist of several words with numbers and special characters (using the example in xkcd, mine would be correctHorse?1batterystaple!).

So, I have to memorise about 8 passwords, all of which make sense to me. In addition I have a password reminder file which consists of the website URL and the first two/three characters of the password. I don't bother adding completely unimportant websites from the first category.

If my password from category 1 gets compromised then it's a bit of a hassle to change the password on all the websites in the file, but no harm done. If a password from category 2 gets compromised then it doesn't affect the other websites.

---

I wish a lot of websites would realise they can be password-less. Pinterest is a good example. I have never posted anything, they don't have any personal or financial information from me, and the only reason I registered was because I wanted to search something there once, and they made me register for that. Same goes for Quora and many other websites. I think all those should allow registering without a password but limit the functionality of those accounts.

---

Edit: formatting
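As an added illustration (not part of the original post), the two schemes above compared under the guess-space model from xkcd 936. The comic's own figures are reused (about 28 bits for a word-plus-tweaks password, 44 bits for four common words, 1000 guesses per second for an online attack); the character-class brute-force bound is an assumed optimistic upper bound, and the 2048-word dictionary is an assumption from the comic.

```python
import math
import string

# Size of each character class an attacker would have to search if the
# password were treated as a random string (optimistic for the defender).
CHAR_CLASSES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}

# xkcd 936 credits a dictionary word with substitutions and an appended
# digit/symbol with roughly 28 bits once the attacker models that pattern.
XKCD_WORD_WITH_TWEAKS_BITS = 28
XKCD_ONLINE_GUESSES_PER_SEC = 1000.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def classes_used(password: str) -> set:
    """Which character classes appear in the password."""
    used = set()
    for ch in password:
        for name, members in (("lower", string.ascii_lowercase),
                              ("upper", string.ascii_uppercase),
                              ("digit", string.digits),
                              ("symbol", string.punctuation)):
            if ch in members:
                used.add(name)
    return used

def bruteforce_bits(password: str) -> float:
    """Upper bound: every string of this length over the classes used.
    A real attacker who knows it is 'a word plus tweaks' searches far less."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes_used(password))
    return len(password) * math.log2(alphabet)

def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """xkcd model: attacker knows the scheme and the word list, so each word
    contributes log2(dictionary_size) bits; nothing is credited to the scheme."""
    return n_words * math.log2(dictionary_size)

def years_to_search(bits: float, rate: float = XKCD_ONLINE_GUESSES_PER_SEC) -> float:
    """Time to exhaust the whole space at a fixed online guessing rate."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    print(f"7%Frifells brute-force bound: {bruteforce_bits('7%Frifells'):.1f} bits")
    print(f"word-plus-tweaks (xkcd): {years_to_search(XKCD_WORD_WITH_TWEAKS_BITS):.4f} years")
    print(f"4 words of 2048: {years_to_search(passphrase_bits(4, 2048)):.0f} years")
```

The brute-force bound looks strong for 7%Frifells, but the comic's 28-bit estimate is the one that applies once an attacker guesses the made-up-word-plus-tweaks pattern, which is why the passphrase scheme wins despite its smaller alphabet.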


h4waii | 8 years ago

IMHO, this is a curious way of thinking. Why put in the work of trying to secure one account, but not others? Wouldn't it be easier to simply secure ALL and not have the mental gymnastics of "how much do I care about this?"

Each account an attacker can gain control of is more information they can glean and more potential leverage points to gaining access to the accounts you do care about.

oneweekwonder | 8 years ago

I actually ctrl+f for xkcd[0] to see if someone jumped the gun on posting the cartoon.

Something like that for a base password and then for each website mutate it a bit. Other people in the thread described methods they use.

I also use lastpass (paid personal), keepass+chromepass (work). Where I normally save the base password (and added mutations) yearly to change the base; or save the mutated password as I use it more for convenience.

I do not save certain financial and banking related sites.

And recently actually had a bit of a panic attack as I forgot my master password for an hour or so. Realised I need a fail-safe if I forget it again. Something like telling a close friend or a sticky note on the monitor.

Still deciding; any suggestions would be appreciated.

[0]: https://www.xkcd.com/936