Aaaand that's why I use 'pwgen -s 22' to generate a unique password for every single site I use. I don't care if a salted password database is stolen; heck, as soon as I change my password I don't even care if a plaintext database is stolen.

Why -s? Because it means each password is a complete word, and may easily be double-clicked in a password list (which is nice, because selection is copy in X).

Why 22 characters? Because 22 mixed-case letters and digits are just over 128 bits of entropy.

Say it with me:

    pwgen -s 22


How do you track those passwords? I presume not with a password manager otherwise it would be creating your passwords for you. Do you keep them in a text file on your computer or write them down and carry them around with you or something?


I store them in an encrypted file on my computer: the encryption password is memorable, but since I have physical control of my computer (I hope!) I think the security tradeoff is a win. Rather than many memorable-but-guessable passwords scattered across numerous services, I have one memorable-but-guessable password (well, passphrase) securing a file I control.

Writing them down would probably be even better.


I use "apg".

    apg -a 0 -n 1 -m 14 -x 14 -M NCL

-a lgorithm 0 is "pronounceable". 1 is "random chars".

-n umber of passwords to generate

-m inimum and ma -x imum length

-M specifies what types of characters to use. N = Numbers C = Capital letters L = Lowercase letters. You can also add S for punctuation.

14 chars with numbers letters and caps gets you ~80 bits of entropy, which is the NIST recommended value for passwords.

I store them in 1Password. (Whose password generator I don't like, but is still infinitely better than picking your own passwords in your head.)


Why not?


I don't like that you have to specify a fixed number of numbers, special chars, etc.


I think that's cool from a UI perspective, having that control, because for some services you still want typing to be doable.

I mean, try typing this on your PC or mobile phone: &}n9$r}@pe^q;j2U33Aq8.kTa}Z2^ykQ

And compare it with this one: dn#Ze39h644s9DdTpaxRaWW&m33Vy98b

And yes, their client saves you somewhat, except that there are plenty of instances in which you resort to copy/pasting passwords. Like on Android, where the integration is poor. And on the desktop as well. And guess what, copy/paste is really, really insecure, because apps can be made to listen to clipboard events, so you can have apps that are logging whatever you copy/paste. Oh, and Linux doesn't have 1Password, and their old Windows client is getting replaced with a "modern Windows" app, so tough luck.


If it's truly random, then you need to, if you want to guarantee you have at least one of various character classes.


The -M option does this in apg. (As opposed to -m, which doesn't.)


I use KeePass' password generator, which defaults to generating random sequences of 20 uppercase, lowercase, and digit characters. Usually the passwords are between 100 and 120 bits of entropy. I try to use only letters and numbers because they are easier to type on mobile phones and other non-physical-keyboard-driven devices.
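
As an added illustration (my own script, not code from any commenter or from pwgen, apg or KeePass), the arithmetic behind the entropy figures quoted in this thread (62^22 is about 2^131, 62^14 about 2^83, 62^20 about 2^119), a CSPRNG-backed generator over the same 62-symbol alphabet, and a measurement of what the "at least one of each character class" rule discussed above costs when it is enforced by rejection sampling rather than by fixing a count of digits or capitals. All function names are my own.

```python
import math
import secrets
import string

# 62-symbol alphabet behind "pwgen -s", "apg -M NCL" and the KeePass
# default discussed in the thread: upper, lower and digits.
ALNUM = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate(length: int, alphabet: str = ALNUM) -> str:
    """Uniform random password drawn from the OS CSPRNG (the point of pwgen -s)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def has_all_classes(pw: str) -> bool:
    """True when the password contains a lowercase letter, an uppercase letter and a digit."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def generate_with_all_classes(length: int) -> str:
    """Rejection sampling: redraw until every class is present.  Unlike forcing a
    fixed count of digits/capitals into fixed slots, this stays uniform over the accepted set."""
    while True:
        pw = generate(length)
        if has_all_classes(pw):
            return pw


def valid_count(length: int) -> int:
    """Exact number of 62-symbol passwords containing all three classes, by
    inclusion-exclusion over strings missing a class: 36^n miss lowercase, 36^n miss
    uppercase, 52^n miss digits; overlaps are 10^n (no letters) and 26^n for each other pair."""
    n = length
    missing_one = 2 * 36 ** n + 52 ** n
    missing_two = 10 ** n + 2 * 26 ** n
    return 62 ** n - missing_one + missing_two


def constraint_cost_bits(length: int) -> float:
    """Entropy given up by the 'at least one of each class' rule at this length."""
    return entropy_bits(62, length) - math.log2(valid_count(length))
```

At 22 characters the all-classes rule costs about 0.03 bits, so it is nearly free; the complaint in the thread is about fixing the exact number and position of each class, which is a different and costlier constraint.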


That's sound advice, but most of the other people on the Internet (and most of the people in the leak) don't consider entropy when authenticating with their bank/Facebook/gmail etc.

Creating your own passwords and typing or copy/pasting them in is a broken authentication experience.


Good for you. Too bad most people can't even be bothered to use more than a couple variations of the same password.

This is an area that will get much more attention in coming years as technology finds better ways to authenticate us instead of using secret codes we have to remember.


I use pwgen for sites where I care if my account is compromised (and store them in a gpg text file), but for all those sites where I don't care, I use a terrible password. I wouldn't care if my login on most random forums I joined to read some members-only attachment, or my LinkedIn (if I had one), was stolen; chances are I'm going to forget I have an account there before it gets compromised, so it doesn't bother me.

I've used some sites which had a login cookie, and if you lost it, you just put your email address in and they'd send you a new link, no password needed; much nicer for many things.
