big fundamental problem when some people use the same password on eevblog as on other sites.
This is a very important observation. People are very bad at remembering passwords that are good enough. So once they get one they like, they use it over and over again. And the more important the purpose is, the more likely it is that an old and bad one will be used. Because it is important that it not be forgotten...
The first counter-action is password change policies. That does not work, because people will adapt by changing "password01" to "password02".
The second counter-action is "fhAHUo98ee0nUU9pmDPV/n8rMxxKj0l"; complicated password policies. That, in itself, just makes the original situation worse. And, "correct battery horse staple".
The successful solution must be a hybrid, with multi-factor authentication an important part, because it raises the cost of a compromise to levels only interesting for spear-phishing operations. Trawling, which is what most of us are caught up in, will be completely blocked by multi-factor and a modicum of street smartness.
For all those things where MFA is not an option, a unique password is required. And since you now will have several hundred accounts (I just counted mine to 220) you need a password manager. And, since you need a password manager, a random password generator is now a sensible thing. Because you can forget the passwords, and therefore make them complex enough to be very expensive to crack.
I use "pass" and a small shell script to make passwords -- the one above was made by this.
#!/bin/bash
#
# 20 to 40-char password.
#
# Pick a random line number and a random length.  GNU coreutils has
# shuf; macOS and FreeBSD have jot.  Anything else falls back to
# bash's $RANDOM so that line and len are never left empty.
case "$(uname)" in
"Linux")
    line=$(shuf -i 1-90 -n 1)
    len=$(shuf -i 20-40 -n 1)
    ;;
"Darwin"|"FreeBSD")
    line=$(jot -r 1 1 90)
    len=$(jot -r 1 20 40)
    ;;
*)
    line=$(( RANDOM % 90 + 1 ))
    len=$(( RANDOM % 21 + 20 ))
    ;;
esac
# 4 KiB of /dev/urandom base64-encodes to about 5460 characters, which
# folds into well over 90 lines even at 40 characters per line.  2 KiB
# gave only about 2730 characters (68 full lines at width 40), so a
# line number above that printed a short line or nothing at all.
# base64 emits only alphanumerics, '+', '/' and '=', so the tr filter
# keeps everything except '+' and the line breaks.
dd if=/dev/urandom bs=1024 count=4 2>/dev/null |
base64 |
tr -cd '[:alnum:]./_,=' |
fold -w "${len}" -b |
sed -n -e "${line}p"
#
# EOF
#
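The script above picks one line out of a folded base64 stream, so the length of what comes out depends on how much random data was read and which line was chosen. The following is an added example, not the script from the post and not part of "pass": it draws the characters straight from /dev/urandom and stops after exactly the requested count, and it adds a small checker for the length range and alphabet (the alphabet, the 20..40 bounds and the function names are my assumptions, chosen to match the script above).

```shell
#!/bin/sh
# Added example (not the post's script): generate a password of an
# exact length straight from /dev/urandom, and check one against the
# length range and alphabet used by the generator.
#
# tr -cd drops every byte that is not in ALPHABET.  Because each byte
# of /dev/urandom is equally likely, rejecting the unwanted ones leaves
# the kept characters uniformly distributed over the alphabet, so no
# modulo bias is introduced.  LC_ALL=C keeps tr byte-oriented.
ALPHABET='[:alnum:]./_,='      # assumed alphabet: 62 alphanumerics + . / _ , =

# gen_password LEN: print exactly LEN characters drawn from ALPHABET.
gen_password() {
    len="$1"
    LC_ALL=C tr -cd "$ALPHABET" < /dev/urandom | head -c "$len"
    echo
}

# check_password PW MIN MAX: succeed only if PW is MIN..MAX characters
# long and contains nothing outside ALPHABET.
check_password() {
    pw="$1"; min="$2"; max="$3"
    n=${#pw}
    [ "$n" -ge "$min" ] && [ "$n" -le "$max" ] || return 1
    # Stripping everything outside the alphabet must leave PW unchanged.
    stripped=$(printf '%s' "$pw" | LC_ALL=C tr -cd "$ALPHABET")
    [ "$stripped" = "$pw" ]
}

# bits_per_char: entropy of one uniformly chosen character from the
# 67-symbol alphabet, log2(67), printed with two decimals.
bits_per_char() {
    awk 'BEGIN { printf "%.2f\n", log(67) / log(2) }'
}

# Example run: a 32-character password carries about 32 * 6.07 = 194
# bits, far beyond anything worth brute-forcing.
pw=$(gen_password 32)
check_password "$pw" 20 40 && printf '%s (%s bits/char)\n' "$pw" "$(bits_per_char)"
```

At 20 characters from this alphabet a password already carries about 121 bits of entropy, which is why the length range in the post is more than enough once the password lives in a manager and is never typed from memory. The "pass" tool itself also has a "pass generate" command that fills an entry from /dev/urandom, so for passwords stored there the external script is optional.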