Password expiration

Oh Gawker, you fool! You fell victim to one of the classic blunders - the most famous of which is "never get involved in a land war in Asia" - but only slightly less well-known is this: "Never go against 4chan, when death is on the line"! I chortled, smugly reassuring myself I was safe from this one.

Then I checked the torrent... there I was! How was this possible? I don't care for Gawker, and I certainly never logged in there. Then I remembered. Oh. I once thought I had something terribly important to say on Valleywag, many internet seasons ago - before it was killed and mushed up against the side of the Gawker empire...

Of course, at the time I was smart about it - I used my "standard sign in for useless things" password. Which would be fine, except most of the internet can be classified as a "useless thing" - so it turns out I used that password a lot. Oops.

Solution 1: the quick fix
So this morning I commenced my large-scale Seek And Re-password mission: I developed a simple and vaguely-more-crack-proof system and started applying it to every site I can remember... something like: append an easy-to-work-out-in-my-mind cipher based on the service name, and subtract the first letters of the, um, something. I forget. Anyway...

Solution 2: the lazy fix
So after 20 or so password updates, I realise... I don't need a system - I can just change the passwords to random uncrackable gibberish! If I ever need to use the site again, I can just do "forgot password" and they'll give me a new one. I think this is the method I'll be using primarily from now on. But.

Solution 3: the most lazy fix (for me)
A BETTER solution for me would be to have an option (settle down, I said "option"!) when I sign up to a stupid novel new web service to automatically "expire" the password after some length of inactivity. If I don't log in for 2 months then I won't mind taking the 10 seconds to reset my password when I come back. I propose that the internet police should enforce this practice for all apps that use a site-specific user/pass mechanism.

Ah well, if nothing else today I learned that "Don't use the same password everywhere" was not just a figure of speech like "Make sure you back up your files".


Update: There's some discussion about this post on Hacker News. I quite like this suggestion from Ogre:

Why don't any sites, as an option, cut out the middleman and just have an "email me a login link"? No need to save a password at all, just a link that's good for a single login and the usual session tracking.
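To make the two ideas above concrete, here is an added illustration (not code from the original post or from any site mentioned in it) of inactivity-triggered password expiry as in Solution 3, plus a single-use, time-limited e-mailed login link as in the Hacker News suggestion. The 15-minute link lifetime, the token layout and the in-memory stores are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret; a real service would load it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)
INACTIVITY_LIMIT = 60 * 24 * 3600   # about 2 months of inactivity, as proposed above
LINK_TTL = 15 * 60                  # a login link stays valid for 15 minutes (assumption)

# Constructed in-memory state standing in for a user database.
last_login = {}       # user -> unix time of last successful login
used_nonces = set()   # nonces already redeemed, so each link works once


def password_needs_reset(user, now):
    """Solution 3: require a fresh password if the account has been idle too long."""
    last = last_login.get(user)
    return last is None or now - last > INACTIVITY_LIMIT


def issue_login_link(user, now):
    """Build the token for an e-mailed login link: user, expiry, nonce, HMAC tag."""
    nonce = secrets.token_hex(16)
    expires = int(now + LINK_TTL)
    msg = f"{user}|{expires}|{nonce}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{nonce}|{tag}"


def redeem_login_link(token, now):
    """Verify a token from a clicked link; return the user on success, else None."""
    try:
        user, expires, nonce, tag = token.split("|")
    except ValueError:
        return None
    msg = f"{user}|{expires}|{nonce}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison first, so expiry and nonce are only trusted once signed.
    if not hmac.compare_digest(tag, expected):
        return None
    if now > int(expires) or nonce in used_nonces:
        return None
    used_nonces.add(nonce)       # burn the link: a second click is rejected
    last_login[user] = now       # a successful login resets the inactivity clock
    return user
```

Because every link is signed and single-use, a stolen copy of the database holds no password to reuse elsewhere, and a leaked link is useless once it has been clicked or has aged out.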