Complex Passwords Aren’t That Much Safer - ASquare
http://www.wired.com/2014/08/passwords_microsoft/

======
robinhoodexe
I'm using pass[1] for storing all my passwords using GPG. All my passwords are
generated randomly to include capitalized letters, numbers and symbols at a
length of 32.

Example: vKP5M['SJo%Y~4r~`Fu$^39W_5:N^[R$

Furthermore, the password store is synchronized to my Raspberry Pi (acting as a
home server, among many things) using git and a private Bitbucket repo so I
can easily SSH into it from iOS in order to get a password.

I find this way of managing my passwords both highly secure and pretty
convenient, given a terminal window is always within my reach.

[1] http://www.zx2c4.com/projects/password-store/

~~~
drcongo
Only as secure as Bitbucket though?

~~~
robinhoodexe
On Bitbucket I only store the encrypted passwords, so unless they tinker with
whatever is on their servers, I'm good. Making a simple script to check the
hashes of the files would be rather simple as well.

In theory I could use dropbox instead of Bitbucket.
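
The tamper check mentioned in the reply, as an added example that is not part of the thread or of pass itself: a hypothetical helper that records the SHA-256 of every `.gpg` file in a checkout and later reports modified, missing or unexpected files. The manifest has to be kept (or signed) outside the synced repo, since anyone who can alter the files in the repo can alter a manifest stored next to them.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not code from the thread or from the pass project.
# Builds a SHA-256 manifest of a password-store checkout and verifies a
# later checkout against it. Store the manifest outside the synced repo.


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large blobs are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(store: Path) -> dict:
    """Map each .gpg file (path relative to the store root) to its digest."""
    return {str(p.relative_to(store)): sha256_file(p)
            for p in sorted(store.rglob("*.gpg"))}


def verify_store(store: Path, manifest: dict) -> dict:
    """Compare the checkout with a trusted manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]};
    the store is intact only when all three lists are empty.
    """
    current = build_manifest(store)
    return {
        "modified": sorted(n for n in manifest
                           if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    """Constructed store with two fake .gpg blobs; one is then altered
    and a third file appears, as a tampered sync would look."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        (store / "web").mkdir()
        (store / "web" / "example.gpg").write_bytes(b"fake PGP blob 1")
        (store / "mail.gpg").write_bytes(b"fake PGP blob 2")
        manifest = build_manifest(store)          # trusted snapshot
        (store / "mail.gpg").write_bytes(b"altered blob")
        (store / "extra.gpg").write_bytes(b"file nobody added")
        return verify_store(store, manifest)


if __name__ == "__main__":
    print(demo())
```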

------
benologist
It would be so neat if password management software would rotate passwords for
you. 1Password is 1/2 way there issuing alerts but when you have 50 - 100
alerts it's a long and boring chore changing them even once.

~~~
level
Disclaimer: I work for Hitachi-ID, although my comment is my own and I am not
speaking on behalf of them.

I work for a company that does this, Hitachi-ID (http://hitachi-id.com/), on a
corporate level. We have a piece of software called Password Manager that
captures end-user password changes and synchronizes them between all their
different accounts. Alternatively, we have another tool called Privileged
Access Manager that randomizes all your server passwords on a schedule, and
allows people to check them out to allow for better auditing and security
(through manual checkout authorization).

The problem with doing this on such a large scale is that everyone has a
different way to do password resets. We integrate with a zillion different
target systems to perform password resets, but those are primarily corporate
applications. Doing this for websites would be near impossible because there
are so many different ways to do password resets and many are "home rolled",
so you'd have to find a way to reliably capture and perform those password
resets, which isn't trivial.

The web has so much freedom, but it makes stuff like password security harder
because that much freedom exists.