

A Guide to Using Passwords Without Distraction - troyhunt
http://www.filterjoe.com/2011/04/14/passwords-guide-without-distraction/

======
JMill
I've always had an innate fear/discomfort of password managers. First, there's
a definite single point of failure with the master password. And second, if
the password manager fails for some reason, all of the passwords it contains
are locked away.

Password managers are great for some folks, especially when paired with a USB
security dongle or other secondary authentication. One of the author's other
posts has some good comparison:
<http://www.filterjoe.com/2010/05/14/which-password-manager/>

But overall, I've been using a 'passphrase system' and it has worked
conveniently. Creating a passphrase could be formulaic like:
MyPassphrase4[gmail.com]!

Easy to remember (generally, just look at the URL you're logging into and plug
into your formula) and rather secure by conventional standards.

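The formula above, run as code. This is an added example, not code from JMill's comment or from the FilterJoe articles: `site_key` normalizes the login URL to the label that gets plugged into the formula (so `http://www.gmail.com/` and `https://gmail.com/login` both yield `gmail.com`), `formula_password` builds the password exactly as the `MyPassphrase4[gmail.com]!` example shows, and `keyed_password` is an alternative derivation that is my addition rather than something the comment proposes: it keeps the same base-phrase-plus-site workflow but runs the site label through HMAC-SHA256 keyed with the base phrase, so a password captured from one site does not reveal the base phrase or the pattern used for other sites. The base phrase and URLs are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample base phrase (the secret half of the formula).
BASE_PHRASE = "MyPassphrase"


def site_key(url: str) -> str:
    """Reduce a login URL to the site label used in the formula.

    Drops scheme, port, path and query, lowercases the host and strips a
    leading 'www.' so that the same site always produces the same label.
    Accepts bare hosts ('gmail.com') as well as full URLs.
    """
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def formula_password(base_phrase: str, url: str) -> str:
    """JMill's formula as written: <base phrase>4[<site>]!"""
    return f"{base_phrase}4[{site_key(url)}]!"


def keyed_password(base_phrase: str, url: str, length: int = 16) -> str:
    """Added alternative (assumption, not from the post): HMAC-SHA256 of the
    site label keyed with the base phrase, base64-encoded and truncated.

    The site label is still derived the same way, so the user workflow is
    unchanged, but the output is not a substring of the base phrase and a
    leaked password for one site does not disclose the base phrase.
    The fixed '9!' suffix guarantees a digit and a symbol for sites with
    composition rules; base64 alone does not guarantee either.
    """
    mac = hmac.new(base_phrase.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length] + "9!"


if __name__ == "__main__":
    for login_url in ("http://www.gmail.com/",
                      "https://mail.google.com/mail/u/0/",
                      "amazon.com"):
        print(login_url, "->", formula_password(BASE_PHRASE, login_url),
              "|", keyed_password(BASE_PHRASE, login_url))
```

Both derivations are deterministic, so nothing has to be stored; the trade-off is that neither can be rotated for a single site without changing the base phrase or adding a per-site counter, which is the convenience-versus-recovery point a password manager handles for you.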
~~~
FilterJoe
I'm the author of the password management series on FilterJoe. For those who
feel uncomfortable with password managers, a passphrase system can work and
that is included in the series:

<http://www.filterjoe.com/2010/12/06/a-base-phrase-approach-to-password-management/>

However, I suspect that very few people are willing and/or able to do this.
Look at what people actually do, and how it fails:
<http://www.filterjoe.com/2010/05/14/the-usual-way-to-manage-passwords/>.
About half the population uses the same 2 or 3 passwords on all sites. A third
use the same password on every site. This is according to a Sophos study:
<http://www.thetechherald.com/article.php/200911/3184/Internet-users-still-using-same-password-for-all-Web-sites>

So at least 80% of the population has terrible password security. Most of them
will never change unless they are offered a very simple and convenient
alternative.

Password managers like LastPass, 1Password, RoboForm, and KeePass are
currently the easiest way to manage passwords in a relatively secure manner.

As you say, there is the theoretical single point of failure. But in all of my
research, I have not been able to find a single instance of a password
database (from one of these 4 market share leaders) being compromised when
protected by a strong master password. On the other hand, password theft
occurs millions of times per year. As you likely know, those who reuse
passwords often then get more serious accounts hacked when a password for an
inconsequential account gets captured.

I would love to see the tech community rally around this simple solution for
the masses, just like they did for virus checkers on Windows systems a decade
ago.

