undefined | Better HN

0 pointsstepstep11y ago0 comments

I tried to address this in the article:

"If a generated password is ever compromised, you don’t need to memorize a whole new secret key and update all of your passwords. For that service only, just add an incrementing index to your secret key. For example, if your key was bananas, just use bananas2. If you can’t remember which iteration of your secret key you used for a particular service, simply try them all in order."

In particular, you don't have to use the same secret key for all websites. It's okay to slightly modify one if that password is compromised.

0 comments

ansible11y ago

And that then starts to negate the point of this password manager: having to remember just one password.

baruch11y ago

I use a similar tool (pwdhash) and the benefit is not that it's a single password but a single root password. I need only a few changes and very little to remember for most sites and still get a unique password per site.

My bank requires me to change the password every 3 months or so and I only need to change on digit in what I remember and they see a whole new password.

It's a great benefit to me and to overall security.

How secure is it overall? Somewhat more secure than just using a single password for all sites and better trust compared to using a cloud based password storage.

stepstepOP11y ago

You don't have to memorize them, though. If your master key is "bananas" and it didn't work, try "bananas2", "bananas3", etc. But you don't need to remember them all—because they're all essentially the same.

Hopefully this happens infrequently enough that it's a non-issue anyway.

j / k navigate · click thread line to collapse