What would be a good security setup for me?
So:
- I keep all my passwords in my password manager (Bitwarden)
- All my 2FA codes are generated by AndOTP on my phone.
- My 2FA backup codes are also in Bitwarden, which I think is a bad idea, because that defeats the purpose of 2FA. So where should I put those?
- I have my Bitwarden 2FA backup code in my wallet and in a safe at my house. Is that a good idea for the other backup codes?
- Is there anything I'm forgetting here?
8 votes

Why 'ji32k7au4a83' is a remarkably common password
57 votes

Android is helping kill passwords on billions of devices
11 votes

Is a password manager essential?
I feel like it's impossible to remember passwords that are long, random, and unique for every service. I have too many accounts.
On the other hand, I don't like the idea of giving up control of my passwords to a password manager and using the ones it generates and stores. It feels weird that I wouldn't "know" my passwords.
Is this a hangup I should just get past? What do I do if I need to log in somewhere but cannot access my password manager?
30 votes

Managing my passwords with KeePassXC and friends
13 votes

Passwords
This will probably be controversial, but I disagree with the current password policy. Checking against a list of known broken passwords sounds like a good idea, but that list is only ever going to get bigger. The human factor has to be taken into account. People are going to reuse passwords. So whenever their reused password gets hacked from a less secure site, it's going to add to that list.
Ideally, a password would be unique. Ideally, users should maybe ever use a password manager that generates garbage as a password that no one could hack. An ideal world is different from reality. Specific requirements are going to lead to people needing to write things down. In the past, that was on paper, like WarGames. Now, it's going to lead to people pasting their username and login into text documents for easy reference. That's probably what I'm going to have to do. Was my previous method of reusing passwords safe? No. Will my new method of remembering passwords be safe? Probably not either.
I'm not entirely sure what all the account security is about, either. For my bank, sure, a complex password. I have a lot to lose there. For an account on a glorified message board? There's better ways to establish legitimacy. 4chan, of all places, dealt with this (nod to 2chan), by having users enter a password after their username that got encoded and displayed as part of their username to verify that they were, in fact, the same user.
So the topic for discussion would be, what's the endgame here? Where is the line drawn between usability and security? I may well be on the wrong side of this, but I think it's worth discussing.
Edit: I think there may be some good reasons, evidenced in this reply. I think it was a good discussion nonetheless, since it wasn't obvious to me and perhaps not to other people.
Edit 2: I'm going to hop off, but I think there's been some good discussion about the matter. As I said in the original post, "I may well be on the wrong side of this". I may well be, but I hope I have addressed people well in the comments. Some of my comments may be "worst case" or "devil's advocate" though. I understand the reason for security, as evidenced above, but I'm unsure about the means.
17 votes

What I learned from the hacker who spied on me
7 votes

Minimum password issue
My password is shorter than 8 characters. When I attempt to log in, I get a validation error telling me so.
Luckily, I'm signed in already on this browser. However, when I go to the change password page and attempt to make my password longer, I get a validation error telling me my old password is shorter than 8 characters, and it prevents submitting the form.
8 votes

The 773 Million Record "Collection #1" Data Breach
24 votes

Unsecured database of millions of SMS text messages exposed password resets and two-factor codes
19 votes

"Password killer" solutions aren't widely adopted because of usability reasons - even though they may be technically inferior, everyone understands passwords
21 votes

Are tildes passwords salted?
I was reading over tildes' privacy policy and saw that passwords are stored hashed, but are they salted as well?
Not that Tildes is big enough atm to have big public database breaches, but in the future it's a good idea to store passwords with a secure salting system, especially to help users that might have common passwords like "Diane" in the Tumblr post.
26 votes

Let’s talk about PAKE
5 votes

Weak default passwords for internet-connected devices banned in California from 2020
19 votes

Travellers to New Zealand refusing digital search now face NZ$5000 Customs fine at border
15 votes

Over 1400 Western Australian government officials used 'Password123' as their password
27 votes

Which password manager do you use and recommend?
I currently use LastPass, and while I'm overall happy with what I have right now, some issues (like slow Firefox support, Android functionality that only works arbitrarily) make me want to look at other solutions.
I have heard about other popular managers like KeePass and Bitwarden, but haven't made the plunge yet. So I thought I could kickstart a discussion on this topic.
Which password manager do you use or have you used? Why do you recommend it (or not)?
28 votes

Who will know your passwords after you die?
38 votes

Password recovery / reset email clarity issues
Hi there. The account recovery page mentions that password resets are performed by emailing a specific Tildes address from your own specified recovery address. But as far as I can see, that Tildes reset address that the email is supposed to be sent to... is unlisted anywhere on the website. I could be mistaken, of course, but in any case it's not easily visible. Also unlisted is what string should be placed in the Subject field, alongside any body content this sent email should contain.
As to the reason for the inquiry:
So when I registered for Tildes, I generated a password and stored it in my KeePass database like a responsible person. Except... like an idiot, I restarted my computer at some point without remembering to actually save my KP database (I promise this is only like the second time this has happened in 2 years or so), so I'm in the curious position of still being logged in but not actually being able to change my password. Naturally, I explored account recovery options, and registered my email address with the recovery page, but as I described above, I can't seem to find the address I'm supposed to send an email to in order to reset my password as part of the recovery process.
6 votes

The password compromised feature is great
I just joined the site less than an hour ago and when I registered I tried to use my normal password that I use on a lot of sites (I know, I know) and it wouldn't let me register because the password has shown up in a data breach. I double checked on https://haveibeenpwned.com/ and sure enough, my password was compromised at some point. So now I know I need to go back and change my password on a hell of a lot of sites.
Anyway, thank you. I've never seen that feature on a site before and it saved my ass before an account of mine was really compromised.
26 votes

Requiring users to use passphrase instead of passwords
Hey guys -- I wrote a blog that I'd love some feedback on. I'm an identity product manager and have been trying to train my users to use passphrases. Do these read friendly enough? I want it to be readable by all users, but my target audience is other people in product and software.
https://medium.com/@toritxtornado/training-your-users-to-use-passphrases-2a42fd69e141
12 votes

Password reset
I don't need to reset my password, and I really appreciate the way that it is done to maximize anonymity. However, I think there is a bit of a problem with how it is done in terms of users getting locked out.
If you're locked out, as far as I can tell, there is no way to view the email hint associated with your account. It seems a bit counterintuitive to me that in order to see the hint for how to regain access to your account, you have to already have that access! I also think that it won't work in the case that someone has been away for a few months and has forgotten their password. I'm not sure what a good way of displaying the hint would be, however, since if it is done by username, anyone who has seen your posts can look at your password hint.
Hopefully with a bit of discussion we can cook something up that can solve this catch-22!
11 votes