But what happens if one of those sites loses its user database? Your other accounts would be compromised and you would have to change your password on every site you registered with the same password.
That's the kind of worst-case scenario I can live with.
Suddenly, there's somebody out there in the world who can not only post comments to Engadget as me, but can now upvote stories on Reddit as though they were me.
Honestly, you could give out your password to 90% of the sites for which you have them and it wouldn't affect your life at all.
They can also message your friends as if they were you. Scams and social engineering attacks have operated, and do operate, this way. If you or your friends are high-value targets, they or their interests can be seriously hurt by this sort of thing.
Which of the sites that you use your throwaway password for have friends and messaging?
Personally, I have exactly one site from which I tolerate non-email messages from friends. That's Facebook, and it's in the same category as email, ecommerce, etc. that gets a real password.
Uh... the specific examples given were comments on Engadget and Reddit. You think people don't talk to their friends on those sites? Yours is precisely the kind of thinking that leads people to fall for social engineering attacks. Clearly you're too smart for it to happen, right?
Correct. I don't think people talk to their friends on engadget or reddit. Why would anybody do that?
You have email, telephones and facebook for talking to people. Why would you expect somebody you know to sift through threads on reddit to find out if you've said something to them?
Can you honestly say that you've done that? I never have, so it doesn't bother me whether you can guess my password to one of those sites. And if I ever ask you to wire some money to me in a comment on an Engadget post, feel free to give me a call to confirm.
This is why I always roll my eyes when people analyze passwords that have been exposed from consumer sites. Is it really meaningful that XYZ news/gaming site has 10% usage of the word 'password' as a password?
Yeah, my rule is to give a unique password to any site with my credit card or personal info, email addresses, and social networks that have my contacts (I've seen Facebook used in a scam before where the scammers pretend to be stuck in a foreign country and beg for cash from friends). Everyone else can just use the same password. If that means my reddit karma is in danger when YC gets cracked, so be it.
Is it not a pain when someone starts spamming as you on Reddit and Engadget? You either have to go back through a third of the sites you've ever signed up for and change them, or just write them off. I think the latter is somewhat irresponsible.
To be clear, the worst-case scenario I'm thinking of isn't when a single person has your email/password, but when someone has posted it to pastebin and everyone has it.
Yep, I use the exact same strategy as VonLipwig and recognize that many of my accounts could be compromised. However, without having a central email account compromised, the ability of attackers to find other sites or extract meaningful value from them is quite limited, IMO. In fact, I'm not sure that there is anything meaningful to be extracted outside of email / dropbox / bank accounts / lastpass / github.
And it's not always clear at the beginning which sites are going to become those "more important" ones...
Way back when, in the days when I used a single "low grade" password for signing up and trying out sites, I registered on perlmonks.org, where I never ended up becoming a regular contributor and pretty much forgot about it. I also signed up for this newfangled "micro blogging" service 'cause I could use it to send free text messages to my friends overseas. It was called Twitter. 3 years later, I've got a quite vibrant social life going on on Twitter, and thanks to the browsers remembering passwords for me, I'd forgotten it was using my "low grade password" and I never upgraded it when the importance of that login increased. Until the perlmonks database (with its cleartext password storage) got exposed, and 5 or 6 hours later I started getting questions from friends about why I was spamming them on Twitter with Acai berry spam...
Now 1Password generates and stores all passwords for me. Its data is synced (via Dropbox) to my phone/spare phone/iPad/laptop/work machine/home machine/media center. I'm happy enough to not be able to log into any website whose password I've not bothered to remember when I don't have access to _any_ of those devices - I've got all 3 banking passwords in my head, two email passwords, a few important ssh key passphrases, and a few others (like my Apple ID password, since there's several places 1Password won't fill it in with CommandBackSlash, so I find myself typing it often enough to remember it); everything else I rely on my (multiply synced/backed-up) 1Password database for.
It's working out _really_ well so far (I've been using it ~18 months, and probably managed to transition to all random passwords about 12 months back.)
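The perlmonks/Twitter story above is the general failure mode of password tiers: a "low grade" site leaks in cleartext, and every other account sharing that password, including one that has since become important, goes with it. The following is an added example (not the commenter's code, nor 1Password's) that makes the blast radius of such a leak explicit: it groups a constructed account list by shared password, reports which accounts fall when a given site's database is exposed, flags sensitive accounts that share a password with a throwaway one, and generates a random replacement password in the way a manager would. The site names, passwords and the sensitive set are constructed for illustration and are assumptions, not real credentials.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample of one person's accounts (site -> password).
# Illustrative only; not real credentials.
ACCOUNTS = {
    "perlmonks.org": "lowgrade1",
    "twitter.com": "lowgrade1",      # grew important but kept the throwaway password
    "engadget.com": "lowgrade1",
    "reddit.com": "lowgrade1",
    "bank.example": "Kq7!vPz9#mL2wR4t",
    "mail.example": "hx3$Nd8@Qs5&Jm1c",
    "facebook.com": "hx3$Nd8@Qs5&Jm1c",  # reused, but both sites are in the sensitive tier
}

# Sites the owner treats as sensitive (assumption: chosen by hand, as in the thread).
SENSITIVE = {"twitter.com", "bank.example", "mail.example", "facebook.com"}


def reuse_groups(accounts):
    """Return the sets of sites that share a password (groups of size 1 are irrelevant)."""
    by_password = defaultdict(set)
    for site, password in accounts.items():
        by_password[password].add(site)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


def blast_radius(accounts, breached_site):
    """Other sites whose password is revealed when breached_site leaks its user database.

    Models a cleartext (or trivially cracked) leak: the attacker learns the exact
    password, so every account using the same string is immediately usable.
    """
    leaked = accounts[breached_site]
    return sorted(site for site, password in accounts.items()
                  if password == leaked and site != breached_site)


def risky_reuse(accounts, sensitive):
    """Sensitive sites that share a password with at least one non-sensitive site.

    Reuse purely inside the sensitive tier is not flagged here; the point is the
    perlmonks/Twitter case, where a throwaway site's leak reaches a valued account.
    """
    flagged = {}
    for group in reuse_groups(accounts):
        low_tier = [site for site in group if site not in sensitive]
        if not low_tier:
            continue
        for site in group:
            if site in sensitive:
                flagged[site] = low_tier
    return flagged


def generate_password(length=20):
    """Random replacement password from a CSPRNG, as a password manager would produce."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(accounts, sensitive):
    """Give every flagged sensitive site its own fresh random password; return the new map."""
    updated = dict(accounts)
    for site in risky_reuse(accounts, sensitive):
        updated[site] = generate_password()
    return updated


if __name__ == "__main__":
    print("reuse groups:", reuse_groups(ACCOUNTS))
    print("perlmonks leak also exposes:", blast_radius(ACCOUNTS, "perlmonks.org"))
    print("sensitive accounts at risk from throwaway sites:", risky_reuse(ACCOUNTS, SENSITIVE))
    print("after rotation:", risky_reuse(rotate(ACCOUNTS, SENSITIVE), SENSITIVE))
```

Run as a script it prints the four reuse views; the rotation step only touches flagged sensitive accounts, so the low-value sites keep sharing their password, which is exactly the trade-off the thread is arguing about.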
You care about your identity and your tweets on Twitter. So, this is a sensitive account. It wasn't clear earlier whether you cared about your perlmonks.org identity so much. So, assuming the worst case scenario, this should have been considered a sensitive account as well.
This means that ideally you should have chosen two different passwords for both these accounts.
For some sites like reddit, HN, etc. one may know very well in advance that they don't care about their identity and they would be happy to create a new account when they lose one. I think these are the only cases where password reuse is justified.
In my case, if the site becomes important to me, I change my password for that site. Except for certain sites, I don't make use of the browser remembering passwords feature.
My most secure passwords are for Twitter and Facebook. I don't really use either anymore but I don't want to delete them as they contain some history.
The problem is that both position themselves as one login for tonnes of services. I do use Twitter to auth into services from time to time. This is why a strong password is important for these. An attacker could get into your account then cause some serious damage to your reputation both amongst your friends and to the outside world by authenticating themselves into one of the million services and acting like a prat.
I know that one of 3 passwords is compromised. All of my friends know it. Even some of my friends of friends know it. So far I haven't noticed any of my accounts being abused. If anything I have noticed friends using it as their memorable password :)
I agree, there is cause for some to be concerned about a "reputation damaging" attack. For most of us, however, this would be an annoyance and mere blip in our social presence. Also, what I mentioned is that there is not much incentive for anyone else to spend a lot of time and effort damaging my reputation. What would they get out of it, especially if the perpetrator remained anonymous?
This is the point I am making. These sites do not matter. I have no attachment to them. I have no need to keep them secure.
Suppose one site lost its database. Let's say I have 60 accounts on various sites. Based on my 3 passwords, 20 or so would probably be compromised. Apart from maybe my name and email address, these sites have almost no other personal information. What is the worst that could happen? The account gets banned? A phishing attempt for a site I don't care about?
I don't need to change the password. If an account gets banned or the password changes I will just make another account. I would rather do this than not know passwords and rely on some third party service to make and store secure ones for me.