How do you handle your passwords?

How do you handle your passwords?
I've been using one password for literally everything for a long time.
What stops sites from trying your password on other sites?

Sorta needed a thread like this too. I read the Sup Forums wiki section on password managers a few days ago, and it said they will generate passwords for you that are the max characters allowed for any service. So all you have to do is memorize the master key to access the respective password for anything you use. Seems neat but at the moment I'm still using nonsense sentences as per an xkcd comic I once saw.

As well there is another xkcd comic that very explicitly tells of some hypothetical dude's master plan of getting into a chunk of the population's private accounts from their sharing passwords across services. I wouldn't put it past people.

>What stops sites from trying your password on other sites?
Now you've got the idea. That's why it's so serious when a major company gets their users' passwords hacked. Because those users often use the same passwords across many different sites and services, and the hacker can use/sell that information to extend their reach.

I just got on the KeePass train very recently and regret not doing this 15 years ago.

Your password is probably already on a dictionary. This just makes stealing all of your information easy as pie.

My passwords all come from a formula but part of the formula is the name of the website, so it's easy for me to remember, but every website has its own password, so even if one was compromised, none of the other ones would be, and I don't need to rely on any sort of managers or anything.

I saw someone in an sqt once ask if they should go for like KeePass or KeePassX. What's that about?

KeePassX

>What stops sites from trying your password on other sites?
Only their own restraint.

For a while I was using one 'base' password with a short unique modification for each site, but I realized how retarded it was for bank sites and the like so I began to use Keep Ass.

Deprecated. Use KeePassXC instead.

by memorizing them

I enabled 2FA wherever possible. Since most services don't support biometrics yet, that's the most I can do which isn't an inconvenience.

qtpass.org/

Can a human guess what other sites' passwords are by seeing one...?

I take the first character of each word of a proverb I like to create a password.

>I wouldn't put it past people.
This isn't hypothetical, user, it's a thing that actually happens relatively commonly.
Some big company has retarded security practices, stores user passwords unsalted or with reversible encryption or even in plaintext.
They get hacked and their database is released.
Then suddenly you have tons of hackers scrabbling to find out which of these thousands of people whose passwords just leaked are the type of person to re-use passwords between their Playstation Network account and their bank or email.
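
An added illustration of the storage point in the post above (not part of the original thread, and not any real site's code): it contrasts an unsalted digest column, where every account sharing a password shares a stored value, with a per-user salt fed to scrypt. The account names, passwords and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to share one password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}

def unsalted_record(password):
    """Weak storage: bare SHA-256 with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password, salt=None):
    """Stronger storage: random per-user salt plus a memory-hard KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)

def shared_value_groups(table):
    """Audit helper: list the users whose stored values are identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def build_tables():
    """Store the same sample accounts both ways for comparison."""
    weak = {u: unsalted_record(p) for u, p in USERS.items()}
    strong = {u: salted_record(p) for u, p in USERS.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    # Unsalted: alice and bob collide, so one recovered password exposes both.
    print("unsalted duplicates:", shared_value_groups(weak))
    # Salted: every stored value is unique even for identical passwords.
    print("salted duplicates:  ", shared_value_groups(strong))
    print("login still works:  ", verify("correct horse", *strong["alice"]))
```

Salting stops one leaked table from revealing who shares a password, but it does nothing for a user who reuses that password on a site that stores it badly.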

Yes. This scheme protects user from wide-net impersonal password leaks but doesn't do anything if, say, a jealous girlfriend watches over his shoulder to find his Facebook password and then later after a nasty breakup decides she can probably guess his bank pw too.

>This scheme protects user from wide-net impersonal password leaks

Not either of those guys but what does this mean? If a human is able to extrapolate possible other passwords from seeing one, I don't understand how his other accounts are safe in this context.

Unless you just mean like the password is out of context added to a dictionary for dictionary attacks. Because it sounds like you're saying if a human is behind the attack, other accounts are compromised. But this seems to contradict that.

A single, simple, easily-cracked (if brute force were available) password for throw-away shit (including video game accounts).

A handful of secure-ish patterns for work computer and such.

A single extremely secure but memorized password for my email.

Password manager for everything else.

The fact that the website only sees the hash of your password

Humans do not look at passwords one-by-one, unless they have some particular tie to you or you are a very important person.

They get a database with thousands or millions of passwords from a leak (e.g. from Sony), and they run an automated program to check to see if any of those users re-used their password on other sites.

They should. Doesn't mean they do. AFAIK there is no standard protocol that automatically does this for you using a third party as trust and informing you when it's not being implemented (SSL only protects you two from middlemen, it doesn't have any layers of protection between the client and the server). And if there is it's not all that commonly used. You just have to rely on or manually inspect the client-side JavaScript to make sure they do this.