Ask HN: Do you use different passwords on different sites?

5 points by Namrog84 ↗ HN
I have gotten quite a few 'compromised' emails from various sources over the recent years.

Saying: "Ooops, sorry we were compromised, be on the look out for phishing emails. If you use the same password on other sites, you should change them" among the other standard stuff.

I feel like I get one of these emails about once every week or two.

At this point, I feel like these emails are almost pointless to me. They rarely say much details. I started quite a long time ago to add variation on a per site basis to my passwords.

Do most HN users use same password, a small variant, a truly unique password(password keeper?) on a per site basis?

Thoughts? Recommendations? Is it all just hopeless and pointless? Is it worth the hassle of different passwords? Do you maintain a few passwords and 'update them all' whenever you get one of these emails?

9 comments

[ 2.9 ms ] story [ 41.5 ms ] thread
Yes.
I use a password manager (1Password) to generate a strong, unique, password for every site.
I use mSecure with a different, randomly-generated password for each site/service I use.
Yes. I use a 22 character password composed of mixed-case alphanumerics and symbols. I generate a new password for every single website I have an account with, no matter how onerous the process or insignificant the account.

Later this year I am considering transitioning every single account to its own email address on my domain as well. But I recognize that's a tad paranoid. Perhaps only the most valuable accounts.

I recommend 1Password. I don't think there has ever been a major security breach with 1Password, and when I reported a minor cryptographic flaw they were very quick to respond to me and plan a fix for it, despite the threat model being relatively small.

I also favor this approach and 1Password sure makes it, if not easy, then certainly tolerable.

The only thing I'd add is that there are some websites with weird length and character rules, so sometimes you must tweak your password generator for smaller lengths (you won't be able to use 22-character passwords everywhere) and fewer "special characters" (non-alpha-numeric in this case).

Do you work in a security related environment or just enthusiastic about privacy and security?

I like 1password. Do I keep it open all day every time I want to grab something? What about phone or not at home? Accessible online anywhere? Just curious for how I should use it.

I use a password manager and generate 64 random number/character combinations for each account. When applicable, I also enable 2FA.

With accounts that are a 1-off and I don't really care about, I don't go through the trouble and just use a short password I can remember.

Something interesting I have found is that some sites will allow me to use a 64 character password when I create the account, but error out and won't allow me to login. If I shorten the password, it works fine.