
That's the kind of worst-case scenario I can live with.

Suddenly, there's somebody out there in the world who can not only post comments to Engadget as me, but can now upvote stories on Reddit as though they were me.

Honestly, you could give out your password to 90% of the sites for which you have them and it wouldn't affect your life at all.




They can also message your friends as if they were you. Scams and social engineering attacks do and have operated this way. If you or your friends are high-value targets, they or their interests can be seriously hurt by this sort of thing.


Which of the sites that you use your throwaway password for have friends and messaging?

Personally, I have exactly one site from which I tolerate non-email messages from friends. That's Facebook, and it's in the same category as email, ecommerce, etc. that gets a real password.


Uh... the specific examples given were comments on Engadget and Reddit. You think people don't talk to their friends on those sites? Yours is precisely the kind of thinking that leads people to fall for social engineering attacks. Clearly you're too smart for it to happen, right?


Correct. I don't think people talk to their friends on engadget or reddit. Why would anybody do that?

You have email, telephones and facebook for talking to people. Why would you expect somebody you know to sift through threads on reddit to find out if you've said something to them?

Can you honestly say that you've done that? I never have, so it doesn't bother me whether you can guess my password to one of those sites. And if I ever ask you to wire some money to me in a comment on an Engadget post, feel free to give me a call to confirm.


I've got some friends on Reddit that I communicate with through messages, although I certainly prefer to communicate through other mediums.


This is why I always roll my eyes when people analyze passwords that have been exposed from consumer sites. Is it really meaningful that XYZ news/gaming site has 10% usage of the word 'password' as a password?


Yeah, my rule is to give a unique password to any site with my credit card or personal info, email addresses, and social networks that have my contacts (I've seen Facebook used in a scam before where the scammers pretend to be stuck in a foreign country and beg for cash from friends). Everyone else can just use the same password. If that means my reddit karma is in danger when YC gets cracked, so be it.


Is it not a pain when someone starts spamming as you on Reddit and Engadget? You either have to go back through a third of the sites you've ever signed up for and change them, or just write them off. I think the latter is somewhat irresponsible.

To be clear, the worst-case scenario I'm thinking of isn't when a single person has your email/password, but when someone has posted it to pastebin and everyone has it.



