It's fine that you found that to be the singular "Point" of the
article. Discuss that if you like. But no, sorry, articles do not come
stamped with "This is the point from which you will not diverge". My
remarks are both relevant and valid and I do not wish you or anyone
else to tell me what you think the "Point" of the article is. These
comments are made in good faith (please don't bandy specious
accusations of trolling) to address what I and many others consider a
widespread misunderstanding around password security.
I agreed with you, but I kept quiet because I am not a sensible person and I didn't want to make you look bad. But yes, my immediate reaction to the article was "just don't sign up for things, have a small number of passwords for a small number of vital things, no problem."
Somewhere I have a page in a notebook with 20 or so passwords written down (in the basic cipher I've used since I was 12). If this was stolen, after some effort, the thief would be able to access things like ... a forgotten Github account, my abandoned efforts to learn from Duolingo, and a Reddit account I haven't used for two years. I would be mildly irritated. I am happy with this arrangement.
> my immediate reaction to the article was "just don't sign up for
things, have a small number of passwords for a small number of vital
things, no problem."
I recently interviewed a bunch of people in the age range of 30 to 70
on "personal cybersecurity". A surprisingly large number, no, in fact
the overwhelming majority thought the same way as you... once you get
to the limits of your memory with passwords it's dangerous and
counterproductive to reach beyond that and it's time to cull and
prioritise according to "attic theory" :)
Unfortunately many online services don't make it easy to delete
accounts, nor do they time out after a sensible period like one year.
> Somewhere I have a page in a notebook with 20 or so passwords
written down (in the basic cipher I've used since I was 12)
Before anybody tells you that "using a basic cipher" is weird or
eccentric, maybe half of the over 50s I spoke to, all regular folks,
told me they use the same paper notebook kept in a safe place at home
plus some obfuscation. Also about "two dozen" (24) accounts seems the
average pool.
Any more than that and I think the system is working backwards,
placing an undue security onus onto the person and not the service.
Passkeys have their use (I keep some super important pass phrase
protected ssh keys somewhere physically safe). And some people need
to maintain a very large collection of access tokens, like if you're a
system administrator and that's your job.
But I think creating a tower of cards that enables people to maintain
over 300 accounts for casual, personal use, is a disservice and
actually encourages bad security practices.