It is complete idiocy to use passwords across services. Utter insanity. It is the worst possible practice imaginable, and is never, ever excusable.
It's one thing to argue for improving people's password practices, but please don't pretend that there's no reason for their behavior. The vast majority of people who share passwords between sites experience no repercussions from their choice. And choosing not to create a new password for every site saves them time and potential frustration.
That's the human nature part, to assess the risk of behavior and change it only if future experiences show that the costs associated with that behavior are too high. Since most people don't experience the disadvantages and do experience the benefits this behavior continues.
We can encourage more people to avoid this behavior by explaining the potential impacts and providing accurate estimates of the risk they're taking. We can offer alternatives to password reuse, like using a password manager. But ultimately they are still going to weigh their perception of the risk and benefits to make their own decision.
I'm a software developer, but I'm done trying to remember passwords for every single site.
What do I do?
I just don't use the sites.
I've restricted, and continue to pare down, the sites that I use on the internet.
It's the truth.
I do keep my amazon.com account, so I can order paper and cardboard books the local bookstores don't carry, and read them on the sofa at my house, next to my floor lamp.
There are a few solutions. Use a password manager like LastPass or KeePass or something like that. It generates passes for you and you don't have to remember them. (Bonus: it logs you in automatically if you go to the vault and click login.)
Use throwaway passwords for one-off services and just use the password reset feature when you want to use it.
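The password-manager approach described in this comment, shown as an added example (not code from any commenter or from LastPass/KeePass): each site gets its own password drawn from the OS CSPRNG, the entropy of such a password is computed, and a reuse audit of the kind a manager's security check performs flags any password that appears under more than one site. The site names are constructed placeholders.

```python
import math
import secrets
import string

# Alphabet for generated passwords: letters, digits and 18 symbols (80 characters total).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet` using the
    secrets module (OS CSPRNG), the same way a password manager generates them."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    For 20 characters over 80 symbols this is about 126 bits."""
    return length * math.log2(alphabet_size)


def build_vault(sites, length: int = 20) -> dict:
    """Map every site to its own freshly generated password (no reuse by construction)."""
    return {site: generate_password(length) for site in sites}


def find_reused(vault: dict) -> dict:
    """Return {password: [site, ...]} for every password used on more than one site.
    A vault built by build_vault() should return an empty dict; a vault filled with
    hand-chosen, reused passwords is where this audit pays off."""
    by_password: dict = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed site names for the demonstration.
    vault = build_vault(["mail.example", "shop.example", "bank.example"])
    for site, password in vault.items():
        print(f"{site:14s} {password}  (~{entropy_bits(len(password)):.0f} bits)")
    print("reused:", find_reused(vault))

    # A hand-managed vault with one password shared across two sites.
    reused_vault = {"mail.example": "hunter2", "shop.example": "hunter2", "bank.example": "s3cret!"}
    print("reused:", find_reused(reused_vault))
```

The audit function is the useful part for the thread's argument: it makes password reuse visible before a breach of one site does.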
The vast majority of people who share passwords between sites experience no repercussions from their choice.
More accurately, they have no awareness of the repercussions from their choice. Yet endlessly on HN we hear stories of mysterious iTunes access, Steam takeovers, even Amazon AWS account compromises. It is no big mystery when this happens given this common, grossly insecure behavior.
But ultimately they are still going to weigh their perception of the risk and benefits to make their own decision.
I absolutely agree, absolutely and completely, but think that the risk portion is hugely underestimated. Among people who should know better there is a tendency to under-estimate what is an enormous, worst-possible-exploit problem. No one ever talks about education. No one wastes time trying to help users enjoy better behavior.
Instead we argue about whether some site operated by an unknown number of people of unknown trustworthiness, on a platform that might have been exploited and owned by hacker groups for years, properly hashed our password after we passed the keys to all services through plaintext. It is insanity.
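What "properly hashed" means in this comment, as an added example that is not from any commenter: a site that stores an unsalted fast hash leaks the fact that two accounts (or two breached databases) share a password, because identical inputs give identical digests; a site that stores a per-user random salt with a slow key-derivation function does not, and verification compares in constant time. The example uses only the standard library (PBKDF2-HMAC-SHA256); the iteration count is an assumption chosen for a quick run, and the record format is constructed for this demonstration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed value; production deployments should use a higher, tuned count


def store_insecure(password: str) -> str:
    """The weak scheme: one unsalted SHA-256 over the password.
    The same password always produces the same digest, so reuse is visible."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_secure(password: str, iterations: int = ITERATIONS) -> str:
    """The corrected scheme: a fresh 16-byte salt per record and a slow KDF.
    Record format (constructed): 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare
    with hmac.compare_digest so timing does not reveal how many bytes matched."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def reuse_visible(scheme, password: str) -> bool:
    """True if storing the same password twice under `scheme` yields identical records,
    i.e. an attacker with the database can see which accounts share that password."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    # Constructed sample password shared by two hypothetical users.
    shared = "correct horse battery staple"
    print("unsalted SHA-256 reveals reuse:", reuse_visible(store_insecure, shared))
    print("salted PBKDF2 reveals reuse:   ", reuse_visible(store_secure, shared))
    record = store_secure(shared)
    print("verify correct password:", verify(record, shared))
    print("verify wrong password:  ", verify(record, "wrong"))
```

Salting does not rescue a user who reuses a password: the site's hashing only determines how much work an attacker needs per password after a breach, and the comment's point stands that the user has already handed the same secret to every site.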