

Ask HN: How to deal with likely future-compromise of your passwords? - peteretep

I am coming to the opinion that I should assume any password I give a web service will make its way into the hands of a third party in the future.

Given that, in a perfect world, I would memorize completely random and strong passwords for each web service. I consider that a bit of a non-starter (am I wrong?).

Password managers like 1Password seem to be an option, but if both the key file and the pin for it are compromised (or lost) you're extra screwed.

I'm looking into remembering two random ten digit strings, and using a mental algorithm to combine them based on service name, but that'll require some thought. That said, this is the solution I'm leaning towards.

Any better solutions that you *ACTUALLY* use in the real world?
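
The combining idea in the post above (two memorized strings plus the service name), done by machine instead of mentally. This is an added example, not part of the original thread. The function names, the salt label, the iteration count and the sample secrets are assumptions constructed for illustration.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
SALT = b"constructed-example-salt"                # assumption: fixed, non-secret label
ITERATIONS = 200_000                              # assumption: PBKDF2 work factor


def master_key(secret_a: str, secret_b: str) -> bytes:
    """Stretch the two memorized strings into one 32-byte key."""
    # The NUL separator keeps ("12", "3") and ("1", "23") from colliding.
    joined = (secret_a + "\x00" + secret_b).encode()
    return hashlib.pbkdf2_hmac("sha256", joined, SALT, ITERATIONS, dklen=32)


def derive_password(key: bytes, service: str, version: int = 1, length: int = 16) -> str:
    """Derive a per-service password; bump `version` to rotate after a breach."""
    info = f"{service.strip().lower()}\x00{version}".encode()
    chars, block = [], 0
    while len(chars) < length:
        digest = hmac.new(key, info + block.to_bytes(4, "big"), hashlib.sha256).digest()
        for byte in digest:
            # Rejection sampling: 248 = 62 * 4, so byte % 62 is unbiased below it.
            if byte < 248 and len(chars) < length:
                chars.append(ALPHABET[byte % 62])
        block += 1
    return "".join(chars)


if __name__ == "__main__":
    key = master_key("4815162342", "2718281828")  # constructed sample secrets
    for name in ("news.example", "bank.example"):
        print(name, derive_password(key, name))
    print("news.example rotated", derive_password(key, "news.example", version=2))
```

Each output is an HMAC under the stretched key, so one service's leaked password does not give away another's. The two memorized strings still have to resist offline guessing.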
======
JoachimSchipper
Password managers (or a GPG-encrypted file) work just fine. Yes, you're in
trouble if you forget the password, so don't do that. (If you don't have
regular backups and worry about forgetting the password, fix the backups issue
first - drives die more often than you'll forget a password.)

------
VuongN
One thing is for sure: don't use the same password for all your important
sites. To make them easier to understand, have a system of differentiating
from one site to another. As always, I try to use: 1) numbers and letters,
2) not a real dictionary word, 3) a mix of lower and uppercase.

My real paranoia is still: "what if this/that website doesn't encrypt or hash
my password?"

------
wisty
I forget passwords all the time. If my 1Password dies, I'll just recover all
my accounts through email, the way I did it before 1Password. My email
password is memorized, my 1Password password is memorized, and my bank
passwords are memorized. Everything else can be easily recovered.

------
pewpew
Instead of remembering passwords, remember usernames. That way if one account
is hacked, they won't know the password can be used in some other service...

------
harrigan
A password manager with multifactor authentication?

