
Comment Re:Many passwords just don't matter. (Score 1) 549

The thing is, with a good password manager, there's no reason to have a weak password, even for the sites that you aren't worried about.

Depends on what constitutes a "good password manager". I would say that for this to be true, I'd need a "good password manager" that was easily and transparently accessible on any platform that can access the internet, without installing anything, and without exposing my password to others. Otherwise, I can think of plenty of reasons why I'd want to be able to remember my passwords.

Just for example, let's say I want to log into my Netflix account on my friend's Roku box so that we can watch a movie. If I don't have any other devices handy, how do I get my password from my password manager?

Comment Re:symbols, caps, numbers (Score 3, Insightful) 549

Yeah, I try to make this point all the time. I run into IT people and companies whose idea of a "strong password" is something like: have 8 characters, one capital letter, one number, and one symbol/punctuation-mark, and rotated every few months without repeating for the past 5 passwords.

You know what people do? They rotate through the following passwords: Password1!, Password2!, Password3!, Password4!, Password5!

Actually, if you think about it, standardizing on those kinds of requirements is kind of dumb, since it limits the combinations of different passwords people can use. If an attacker knows these requirements, and wants to attempt a brute-force attack, he starts by ruling out anything with fewer than 8 characters, and any combination lacking in symbols, capital letters, etc. Now, that doesn't cut out that many possible combinations, but you can start by ruling out short words, assume that the first letter will be capital, assume that the numbers will be at the end, and there's a good chance the whole thing ends in an exclamation mark. I've seen a lot of passwords, and it's always an exclamation mark at the end.

And then there's always someone who pops up with the clever advice of substituting symbols for letters. "The password 'password' is completely insecure. Instead, use 'P@ssw0rd!'. Hackers can't guess your password if it has symbols, numbers, and punctuation!" Ummm... no. Those kinds of substitutions have been included in dictionary attacks for a long time now. "P@ssw0rd!" is not a strong password.

The "correcthorsebatterystaple" is actually pretty good advice at this point, all things considered.

Comment Re:Oh great (Score 1) 549

That's a problem with that website, but there's no way to help that. You can still use "correcthorsebatterystaple" in websites with sensible password requirements. Different sites having different password requirements is only really a problem if you're reusing passwords, which you're kind of not supposed to do anyhow.

Comment Re:Oh great (Score 2) 549

Unless you're talking about something that I'm not getting, it's not susceptible to a dictionary attack. The individual words may be, but a brute force attack would still need to guess all of those words in that order.

Unless the poem is in your dictionary, I suppose. In that case, the attacker could just take the poem and use the first letter in every word, and include that in their dictionary. But "correct horse battery staple" is not particularly vulnerable to brute-force dictionary attacks because there are far more words in the English language than there are letters. So if you were going to brute-force passwords, it'd be easier to guess 7 random letters than 7 random words, even with a complete dictionary of words.

Comment I disagree (Score 3, Insightful) 549

Password managers don't really solve the problem. Many of them aren't really cross platform (by which I mean, they sync with and are accessible by all your programs/browsers for all of your devices), and as he recognizes, there will be some passwords that you can't store in the manager (e.g. the password to the manager itself, and for the devices that access your password manager). Beyond that, I didn't see any recognition anywhere that there are at least some services that you might want to access somewhere where you don't have access to a password manager. For example, the selling point of both webmail and services like Dropbox are that you can access your data on another person's computer. Are you going to want to download, install, and sign into a password manager on another person's computer?

So yes, passwords actually do need to be both memorable and strong.

However, I'd agree with him that really, passwords need to die. Or not actually die completely, but most sites should not require their own password. What we really need is some kind of standardized identity management system-- like you know how you can sign onto various sites using either your Facebook or Google+ sign-on? Like that, but standardized. We need a true single-sign-on solution that is easy to manage, hard to screw up and lose your identity permanently, and usable everywhere.

This has been obvious for well over a decade, but we can't do it because we don't create standards anymore. For any solution, Microsoft wants to have their solution, Facebook wants theirs, Google wants to do it their own way, and Apple wants to do something different from all the rest. Each company pretty much wants a solution that will benefit themselves and screw over their competitors. None are really focused on creating the best solution for social/economic/computing progress, and if they were, it would still be impossible to get others on board. So that's the real problem. Unwillingness to create standards.

Comment Re:Straw Man (Score 1) 622

Who said they couldn't handle the risk? They're certainly handling the consequences.

My point is, the OP was arguing that it was wrong to assign responsibility to these celebrities because the celebrities knowingly performed a risk/benefit analysis and determined that the risk was worth the benefit. I'm saying that's a weak argument, since we don't always absolve people of responsibility when they perform a risk/benefit analysis and determine that the risk is low. On the contrary, when people actually understand the risks that they're taking, we're usually more likely to assign responsibility when those risks are realized.

That's not to say that we should assign responsibility/blame to the celebrities, but at this point, what is there to be done? You can try to catch the people who committed crimes, and you can try to prosecute those people for those crimes. Aside from that, if you want to know how to avoid having something like this happening to you, I have some very simple and obvious advice.

Comment Re:Because they don't want to. (Score 2) 265

And related ... there should be the ability for me to restrict where my email is accessed to/from and where it was sent from. I'm not going to Russia -- so why can't I block all access to my account from Russia?

Yeah, it's not quite a solution to spam, but I've had periods where I get a lot of spam in Cyrillic or Chinese/Japanese characters, and it would have been nice to be able to at least say, "If the email isn't using the Latin alphabet, treat it as suspect because I don't read any languages that use any other alphabets."

I've always thought part of the key to putting a dent in spam would be to make cryptographic email signatures ubiquitous. Then we could check the signature against a valid authority, and if an authority is vouching for too many spammers, then you yank its status as "a valid authority". Then it becomes the authority's job to self-police. Of course, getting people onboard with something like that is impossible.

Now how does your solution in checking "origin" compare with something like SPF? What is it checking the origin against?

And what if one of your friends goes to Russia on vacation and wants to send you an email?

Comment Re:Straw Man (Score 1) 622

I think this is a helpful perspective-- it's not about blame, it's about advice.

It's not your fault if you have your personal photos stolen, but that doesn't change what my advice would be to anyone who is concerned: If you don't want someone to see your nude photos, don't allow nude photos to exist.

And on a side note, I don't think the idea is correct that these celebrities did an effective risk/benefit analysis and found that the benefits outweighed the risk. First, because I'm dubious about the benefits of keeping nude photos of yourself. Second, and more importantly, because I don't think the risk is small.

The OP claims, "a vanishly small proportion of [nude photos] get stolen in security breaches of cloud storage," but I would wonder if we have any data on that. Maybe it happens all the time, but we just don't hear about it because the victims aren't celebrities. Not being a celebrity means both: (a) even if the photos were stolen, there's a much smaller chance that the victim would ever find out; and (b) even if the photos were stolen and the victim found out, there's a much smaller chance the general public would ever hear about it. The OP even acknowledges, "usually the far greater risk is that the recipient will forward the image to other people until it gets out of control," which essentially has the same effect. So even if you aren't concerned about cloud breaches, you should still be concerned about the photos being seen by people other than the intended recipients. (Actually, this is an important issue, since we don't know that all of the leaked photos came from a security breach, and some of them may have been leaked by the recipient forwarding the image to others).

But aside from all that, there's still another problem with this argument: even in cases where people have done a risk/benefit analysis and determined that there's a low risk, we still don't exempt people from the responsibility of that risk. Imagine that I invest all my money in a company that is, by all accounts, a safe investment. After some period of time, that company fails and I lose my investment. That stinks. I calculated my risk, and had no way of knowing that my investment was going to have bad results. It may be true that no one would blame me, but that doesn't mean that I can expect to get my money back. Someone might reasonably say to me, "That's bad luck, but you knew there was a risk when you bought the stock. It was a small risk, but a risk nonetheless, and you took that risk knowingly."

All in all, I think we need to stop trying to figure out blame, and figure out how to proceed. My advice to anyone out there is, if you can't handle the risk of someone seeing your nude photos, then don't take nude photos. Certainly don't store them online.

Comment Re:Nope (Score 1) 65

Yeah, I keep seeing people talk about how cell phone carriers are going to get screwed by VoIP apps and SMS-replacement apps, which makes me wonder, has nobody looked at the carrier's websites in a couple of years?

Carriers have started changing their plans to have unlimited talk/text, charging for data bandwidth instead. They're moving their own voice service to VoIP. You may have an old-style plan grandfathered in, and the carriers may still have some other specialty plan with limited talk/text for a little cheaper, but the plans that they're actively advertising are all unlimited talk/text. IIRC, this has been the case for over a year.

Comment Re:What about text chat? (Score 1) 65

If you send a message to someone on facebook messenger, they might not get it until they log in to facebook on their computer next week

Only if they don't have the Facebook Messenger app or the Facebook app on their phone. And following that logic, they might not have the Whatsapp app on their phone, in which case I guess they'll never get your message.

I don't see how disallowing someone to check their messages except on their cell phone is a "feature".

Comment Re:VoIP, eh? (Score 1) 65

I would say... Facetime yes, Youtube no...?

I think Facetime allows you to make real-time voice calls, whereas Youtube doesn't. I'm pretty sure that's what people mean by VoIP. Voice over IP: Real-time voice-based conversations over an IP network.

As far as I know, it does not need to be able to connect to the analog POTS network to be considered VoIP, but as with many terms, the precise details might depend on who you ask.

Comment Re:Our PC society will be our demise! (Score 1) 193

However, it occurs to me that Washington and Jefferson are still venerated across the political spectrum despite being unelectable today.

I'd put that in a different category altogether. People like Washington and Jefferson are quasi-mythological figures at this point. Almost everyone admires them for reasons that may even be fictional (Washington can't tell lies?), while very few would actually condone their ownership of slaves-- except maybe on the grounds that we should judge them in their historical context as opposed to judging them against our current social mores.

And I don't think it's necessarily that Democrats don't admire some historical figures. I'm just saying their rhetoric doesn't include the appeal to authority of those figures. They don't seem to feel the same need to invoke them in debates, to claim that we should do something *because* a historical figure said it was the right thing to do. There isn't the same sense of "[whichever historical figure] said [x], and he was a great man who was smarter than we are today, so we should follow that advice."

I could be wrong-- I haven't done a statistical analysis of this or anything-- but that's my sense. So because of this kind of appeal to authority, if an opponent can demonstrate that those same authority figures would disagree with what Republicans are saying, then it *is* sort of damning. If I say "We should do [x, y, and z] because Ronald Reagan said so," you may or may not find that argument compelling. However, if that is the basis of my argument, and then you say, "Well actually, I have quotes where Reagan said [x, y, and z] are all bad ideas," then you pretty well blew my argument out of the water.

Comment Re:Going in circles (Score 2) 100

My memory of it was that it kind-of-sort-of worked most of the time. Kind of. It was a bit slow-going and it would be finicky about recognizing some characters. Of course, that was over 10 years ago now, and I don't actually remember very well. I just remember being disappointed that it didn't work as well as I'd hoped.

I don't doubt that part of the problem was my awful handwriting. I've spent most of my life typing, and my handwriting was barely legible when I was practicing it. I've always thought that part of the value of using computers is that I didn't need the kind of coordination and practice necessary for neat handwriting, so I have my doubts about any handwriting recognition solution. If you make me trace out individual letters with my finger onto a screen the size of my watch, I think it's going to get messy.

Comment Re:"Develops", "Solves" (Score 2) 100

Personally, I'd be fine with a wider watch. It's not like I need articulation on my forearm. Think "Less like a watch, more like a pip-boy."

Obviously, the trick would be to make it thin, lightweight, and comfortable enough that people would actually wear it. But even if you just made it the width of a standard cell phone keyboard, you could have one-hand operation at roughly twice the width of a standard watch. The extra width should even allow you to spread the components out over a larger area, allowing for a thinner device.
