
I agreed with you, but I kept quiet because I am not a sensible person and I didn't want to make you look bad. But yes, my immediate reaction to the article was "just don't sign up for things, have a small number of passwords for a small number of vital things, no problem."

Somewhere I have a page in a notebook with 20 or so passwords written down (in the basic cipher I've used since I was 12). If this was stolen, after some effort, the thief would be able to access things like ... a forgotten Github account, my abandoned efforts to learn from Duolingo, and a Reddit account I haven't used for two years. I would be mildly irritated. I am happy with this arrangement.

> my immediate reaction to the article was "just don't sign up for things, have a small number of passwords for a small number of vital things, no problem."

I recently interviewed a bunch of people in the age range of 30 to 70 on "personal cybersecurity". A surprisingly large number, no, in fact the overwhelming majority, thought the same way as you... once you get to the limits of your memory with passwords it's dangerous and counterproductive to reach beyond that, and it's time to cull and prioritise according to "attic theory" :)

Unfortunately many online services don't make it easy to delete accounts, nor do they time out after a sensible period like one year.

> Somewhere I have a page in a notebook with 20 or so passwords written down (in the basic cipher I've used since I was 12)

Before anybody tells you that "using a basic cipher" is weird or eccentric, maybe half of the over 50s I spoke to, all regular folks, told me they use the same paper notebook kept in a safe place at home plus some obfuscation. Also about "two dozen" (24) accounts seems the average pool.

Any more than that and I think the system is working backwards, placing an undue security onus onto the person and not the service.

Passkeys have their use (I keep some super important passphrase-protected ssh keys somewhere physically safe). And some people need to maintain a very large collection of access tokens, like if you're a system administrator and that's your job.

But I think creating a tower of cards that enables people to maintain over 300 accounts for casual, personal use, is a disservice and actually encourages bad security practices.
