"Now, one fine day somecrappysite.com gets hacked. The next time you visit, the web page has malicious code that sends your password in plaintext to someone. There go your Paypal funds, your Facebook account, your online life."

What an optimist! somecrappysite.com was probably storing your password in plaintext to begin with, and it probably got pulled from the database long before you logged in again.

Having said that, this is an absolutely terrible solution for real-world usage because it inhibits people who are already security savvy from using better solutions like Stanford pwdhash or similar methods.
I agree this is a major issue, and in fact it was specifically covered in an earlier xkcd (http://xkcd.com/792/) than the one cited (http://xkcd.com/936/).

It might be a good idea to enforce non-password reuse, but the proposed solutions seem fairly aggravating. In particular the 'webmaster' solution of requiring inclusion of a fixed string is extremely annoying (oops, sorry users who use cryptographically derived passwords (http://passwordmaker.org/)), and doesn't solve the problem since someone with your "main" password can probably guess the "derived" password (e.g., the main password with the mandatory substring appended to the end).

My solution as a user is to just use a password manager. I use clipperz (http://clipperz.com/), but there are plenty of others out there.

* Edited to remove markdown-style links. Forgot it wasn't supported here.
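As an added illustration of the "cryptographically derived password" idea the comment above refers to (this is example code written for this page, not code from pwdhash, PasswordMaker or any commenter): a per-site password is an HMAC of a master secret keyed by a normalized site name, so the same master yields a different, non-guessable password for every site, and no per-site secret needs to be stored. The `site_key` normalization (lowercase, keep the last two DNS labels) is an assumption made here so that sibling hosts of one application share a password; the function names are likewise mine.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url_or_host: str) -> str:
    """Normalize a URL or hostname to a site key.

    Assumption for this example: the last two DNS labels are the
    registrable domain, so store.foo.com and secure.foo.com map to
    "foo.com". A real implementation should use the Public Suffix List,
    since this heuristic mishandles names such as example.co.uk.
    """
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a per-site password as HMAC-SHA256(master, site_key(site)).

    The master secret is the HMAC key, so an attacker who learns one
    derived password cannot recover the master or derive the others.
    The tag is base64-encoded (letters, digits, '+', '/') and truncated.
    """
    if length < 1 or length > 43:
        raise ValueError("length must be between 1 and 43 characters")
    tag = hmac.new(master.encode("utf-8"),
                   site_key(site).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")[:length]


if __name__ == "__main__":
    master = "example master secret"  # constructed sample, not a real secret
    for site in ("https://news.ycombinator.com/login", "facebook.com", "store.foo.com"):
        print(site_key(site), derive_site_password(master, site))
```

The derivation is deterministic, so the same master and site always give the same password, but it also means the master secret is the single point of failure: if it is weak or phished, every derived password falls with it. That is why the commenters' alternative, a manager holding independently random passwords, remains the stronger default.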
Dear god, please let me have the freedom to determine what degree of security I need on a site.

If you restrict my password options in any way I will use your site less.
I have an algorithm for creating unique passwords.

Here is the result for HackerNews:

kcahu3602122@#)*

Here for Facebook:

ecafu3602122@#)^

(I can create them practically in my sleep. The algorithm is personal and easy.)

To determine the algorithm, one would need plain text from two sites and be able to match them. Now, every time a site limits my freedom to create the password I want (assuming I can't provide my own security - by demanding a capital, a number, a this, a that) I default to the same password. If they get one site with my simple pass, they get all the sites on which I use it.

When you put constraints on my password creation, you make my online life MORE insecure, not less.

Free my password. Don't tell me what I can and can't do. Offer a full page of help describing to those who don't care what they should do. But don't force them.
I recommend that everyone who read this contemplates this: http://news.ycombinator.com/item?id=3889435 (AKA the voice of reason)
I am the only person I know who uses a unique, memorable and strong password for every site I use. I store all of them in my head.

I have a base password and I add the first several characters of the site to the middle.

For example:

Facebook - sdfb231a2

Hacker News - sdyc231a2

Yahoo - sdya231a2

For strong passwords I can add a suffix to further strengthen the password.

PayPal - sdpa231a2a4

I use the same suffix for all "strong" passwords. If a site requires a capital letter I always capitalize the first letter.

I've gone to create an account with a site, been told I already have an account and I get the password in 1 guess because I'm so consistent with creating them.

I don't know why everyone doesn't do this.
This sparked an idea for me that I think I'll implement going forward - if you sign up with your email address and password, my server will try to login to your email account with those credentials, and if successful, say something like "hey, did you see that email [snippet of first email in inbox]". I feel this might encourage the user to use a different password.
Big ol' hole here: You can't identify web apps by domain. Are you going to tell me I can't use "password123" as my password on store.foo.com and secure.foo.com (when they both point to the same database and the same user record)? Are you going to assume that passwords may be shared across all TLDs? (so I can re-use passwords on multiple separate apps on the same TLD)

It's a nice idea, but in practice, it would drive you <i>insane</i> because the web is not a nice uniform entity where everyone plays by a pre-arranged set of rules.

Just use LastPass and let it autogenerate passwords for you. It's stupid easy, and super effective. LastPass will even tell you how many sites you're using the same passwords on! ( https://lastpass.com/index.php?securitychallenge=1&fromwebsite=1&lpnorefresh=1 )
So instead of having websites that require "upper, lower, numeric and special" characters, we'll have sites that require "randomly generated word from two years ago that we hope you remember". It's just another constraint that will never be standard and will be near impossible to remember.
The desire to enforce unique passwords across sites is understood. You might as well advocate that all browsers implement a builtin password manager a la LastPass and a protocol to auto-gen a password (by the site, to enforce cross-site uniqueness) to be managed by the password manager. Imagine zero password fiddling signups!

Forcing a per-site password policy on end users, other than length, is super annoying. The worst kind are those who restrict you to using only alphanumeric passwords.

Down with manual password policies!
Because browsers already optionally store passwords, adding the "password same" warning would be quite a welcome feature (or add-on), for <i>me</i> anyways (in mobile browsers too).

I advocate the use of password managers, but they don't offer "password same" warnings either.

My point: it's a best-practice feature <i>option</i> which should be implemented widely. People can turn it off if they want.
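The "password same" warning described in the comment above, as an added example written for this page (not code from any browser, add-on or commenter): given a locally decrypted vault of stored credentials, report every group of sites sharing a password, and produce a warning when a credential about to be saved reuses a password already stored for a different site. The vault contents and the function names are constructed for the example; entries are compared by SHA-256 fingerprint so the report itself never carries plaintext.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample vault (hypothetical hosts, users and passwords, not real data):
# (hostname, username, password), as a browser or manager would hold it once unlocked.
SAMPLE_VAULT = [
    ("news.ycombinator.com", "alice", "correct horse battery staple"),
    ("facebook.com", "alice@example.com", "correct horse battery staple"),
    ("paypal.com", "alice@example.com", "T7#qLm2!vRw9pXz"),
    ("store.foo.com", "alice", "hunter2"),
    ("secure.foo.com", "alice", "hunter2"),
]


def _fingerprint(password: str) -> str:
    # Fingerprints stand in for plaintext in the comparison and in the report.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reused_passwords(vault):
    """Return sorted groups of hostnames (two or more each) that share one password."""
    groups = defaultdict(set)
    for host, _user, password in vault:
        groups[_fingerprint(password)].add(host)
    return sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)


def reuse_warning(vault, host, candidate):
    """Warning to show when saving `candidate` for `host`; None if it is not reused.

    Entries for the same host are ignored (changing your own password on one
    site is not reuse); the fingerprint comparison is constant-time.
    """
    wanted = _fingerprint(candidate)
    others = sorted({h for h, _u, p in vault
                     if h != host and hmac.compare_digest(_fingerprint(p), wanted)})
    if not others:
        return None
    return f"{host}: this password is already used on {', '.join(others)}"


if __name__ == "__main__":
    for group in find_reused_passwords(SAMPLE_VAULT):
        print("shared password:", ", ".join(group))
    print(reuse_warning(SAMPLE_VAULT, "example.org", "hunter2"))
```

One refinement a real add-on would need, raised elsewhere in this thread: sibling hosts of one application (store.foo.com and secure.foo.com here) legitimately share a credential, so grouping by registrable domain rather than by exact hostname avoids a false warning.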
I'm no expert, but why does this have to be done on the password level? Why can't we just assign usernames to our own sites, and force people to login with those? I know that's incredibly annoying for a user, but it would at least guarantee the user credentials for your site are unique from any other site.
After Gawker was hacked (and my account with it), I created a website that tells average folks how to solve these issues: http://www.passmix.com/. It's not a perfect solution, but it's way better than the same password for different websites.
I cry every time I read these threads on HN. I've never seen such stubbornness as in people desperately convinced that they need to be able to memorize their passwords, or that password managers are the devil.

I'll say it again, just use a password manager. It generates random, complex passwords. It memorizes them for you. It pre-populates forms. They are locally encrypted and can be synced by themselves or with other tools. They can even be protected with two factor auth.

My <i>mother</i> uses LastPass. So can you.