Andre Robatino:
If you use a password manager, you can use a different strong random
password for each site, and copy and paste it. Fifty characters is
just as easy as 8, and means you don't have to worry about changing
the password again (unless a website like Socialsecurity.gov forces
you to, and they should eventually stop doing that).
That's all very well as long as you only use one device. When you have
several computers, devices, using other people's equipment, etc.,
password managers soon become their own pain. So people use an on-line
password manager, and create a single point of failure for multiple
accounts.
Tim:
> Really, what ought to get tightened up is the software accepting
> logons.
> There should be a limited number of attempts (3 goes and you're out for a
> significant time limit). Any system that lets a cracker hammer away
> with repeated attempts is the thing that is broken.
That works as long as the website isn't hacked.
A different problem. Though perhaps related, it depends on how the site
was hacked. If they let someone peck away at it, it's down to the same
problem.
Sites really need to stop storing your passwords, they need to keep
something that can only be used to confirm correct authentication, and
not be reverse engineerable to discover the password.
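
The two server-side measures discussed in this thread, sketched together as an added example that is not part of the original posts: the site keeps only a random salt and an scrypt verifier per user, and locks an account for a while after three failed attempts. The class name, the 15-minute lockout and the scrypt cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 3            # "3 goes and you're out"
LOCKOUT_SECONDS = 15 * 60   # assumed value; the thread only says "significant"
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters


class AuthStore:
    """Keeps a salt and scrypt verifier per user, never the password."""

    def __init__(self, clock=time.monotonic):
        self._records = {}    # user -> (salt, verifier)
        self._failures = {}   # user -> (failed count, locked_until)
        self._clock = clock

    def register(self, user, password):
        salt = os.urandom(16)  # per-user salt: equal passwords differ on disk
        verifier = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        self._records[user] = (salt, verifier)

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        count, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"    # the guess is not evaluated at all
        if locked_until:       # an earlier lockout has expired
            count = 0
        # Unknown users get a dummy record so the work done is the same.
        salt, verifier = self._records.get(user, (b"\0" * 16, b"\0" * 32))
        guess = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        if user in self._records and hmac.compare_digest(guess, verifier):
            self._failures.pop(user, None)
            return "ok"
        count += 1
        locked = now + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self._failures[user] = (count, locked)
        return "denied"
```

The lockout only limits guessing through the login form; if the stored records are copied, the salt and the scrypt cost are what slow down offline guessing.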