
Well I have my 'who cares' password, my 'like this site' password and my 'involves money' password(s). Strangely, my HN password isn't the same one I use for my bank account.


I use my bank account password for everything. They'll never predict that. These criminals are sneaky, you've got to use reverse psychology if you want to truly be safe.

On a more serious note, only one of the two websites compared in these articles is a multi-million dollar business. Also, I'd say HN users are far more likely to use throwaway passwords. The "enterprise" clients of 37signals probably subscribe to the philosophy in my satire above.

One final note. I don't think you can log into this site over SSL, so a discussion about password security for HN accounts is just silly. What's the point in worrying about how secure the vault is if the front door is unlocked?


I have a unique password for each and every site I'm registered at. Outsourcing the safekeeping of your password to everyone but yourself is a bad mistake.


Exactly my strategy, too. Anyone else do this?


No. I simply have a different password for every site. I use a tool called 1passwd to generate and remember all those passwords for me.

That tool backs up its (encrypted) password db to my Dropbox folder. It also backs up to an iPhone app. So I think the chances of losing all my passwords are pretty slim. And, now, I don't care whether one site loses my password, since all my passwords are unique.


What's your Dropbox password?


That's stored in my iPhone backup.

Also, my Dropbox is set up on my Mac mini too.

In order to lose my passwords, I need to lose, at the same time:

1) my Mac mini

2) my MacBook Pro

3) my iPhone

Even then I would be able to recover things somehow, because my email goes through a third-party gateway, and I know the guy who runs it, so if I really do lose everything, I can contact him and ask him to reset my password on that gateway, and then log in to my email via that gateway.

I think the chances of losing my passwords are fairly slim.


No, I have one slightly-convoluted-but-simple-enough-to-keep-in-my-head method of generating a password for a given site based on information about myself and the site along with some transformations.

For important passwords that I might forget, I apply another easily rememberable transformation, and write them down.


Yes, but I basically only have one password that shrinks depending on how sensitive the information is.

Throw-away password: "ex@mpl3"

Email password: "ex@mpl3p@55"

Finance password: "ex@mpl3p@55w0rd!"


Historically, passwords have often been truncated at 8 bytes, so that if the first 8 characters are equal, the passwords are equivalent. This might bite you if you always add on to the end of a long base password like this. Perhaps a variable prefix instead of a suffix?
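Added example, not from anyone in this thread: a small check that shows how the suffix-tiered passwords quoted above collapse under a legacy 8-byte truncation rule (the one classic DES crypt(3) applied), and how a prefix variant does not. SHA-256 stands in for the legacy hash; only the truncation rule is the point.

```python
import hashlib

# Classic Unix DES crypt(3) used only the first 8 bytes of a password,
# and only 7 bits of each byte. This reproduces that truncation rule;
# the hash itself is a stand-in (SHA-256), not real DES crypt.
LEGACY_LIMIT = 8


def legacy_key(password: str) -> bytes:
    """Return the bytes a legacy 8-byte-truncating scheme would actually use."""
    return bytes(b & 0x7F for b in password.encode()[:LEGACY_LIMIT])


def legacy_hash(password: str) -> str:
    return hashlib.sha256(legacy_key(password)).hexdigest()


def collapsed_tiers(tiers: dict) -> dict:
    """Group tier names whose passwords are indistinguishable after truncation.

    Returns {hash: [tier, ...]} for every group with more than one member;
    an empty dict means every tier still maps to a distinct stored secret.
    """
    groups = {}
    for name, pw in tiers.items():
        groups.setdefault(legacy_hash(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


# The suffix scheme quoted in the thread (sample values, taken from the post).
SUFFIX_TIERS = {
    "throwaway": "ex@mpl3",
    "email": "ex@mpl3p@55",
    "finance": "ex@mpl3p@55w0rd!",
}

# Constructed prefix variant of the same tiers, as the reply suggests.
PREFIX_TIERS = {
    "throwaway": "ex@mpl3",
    "email": "p@55ex@mpl3",
    "finance": "w0rd!p@55ex@mpl3",
}

if __name__ == "__main__":
    print("suffix collisions:", collapsed_tiers(SUFFIX_TIERS))  # email and finance merge
    print("prefix collisions:", collapsed_tiers(PREFIX_TIERS))  # {}
```

The throwaway password is only 7 bytes, so it survives; the email and finance passwords both truncate to the same 8 bytes and become one secret.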


I hope everyone does this.


But which one do you use for email, where you can send resets for everything except the bank (I assume)?



