Passwords Are a Design Problem

Designer Khoi Vinh weighs in on a recent article, The Ultimate Guide to Strong Passwords in 2019 by Jon Xavier, which explains what makes a password strong: how long it should be, why it doesn't need special characters or numbers, why there's no need to change it regularly unless it has been compromised, and so on.

Vinh puts his finger on my biggest annoyance with password managers (like him, I use 1Password).

It’s also difficult for a password manager to understand when a password is applicable to more than one site or app. Once a password is created, it’s often matched exclusively to the domain of that site. So if your login is also valid on a closely related site, as is the case with many sites from large companies, the password manager won’t automatically recognize the relationship and present the relevant login.

I have passwords stored for lots of sites. Take Apple, which has a number of subdomains: if I check one of my Apple passwords, 1Password shows me this:

Reused passwords

They're not "reused"; they are simply used on different subdomains of the same site:

Arguably, some of these logins are no longer used, but 1Password cannot understand that using one password across all of these subdomains is not a mistake. I understand that there are cases where different subdomains should have different passwords, but a password manager should at least let you map a single login to a domain regardless of its subdomain.

Another example is Amazon. You may not know this, but if you have an account with one Amazon store, you can use it in any Amazon store (US, UK, Canada, etc.). I use multiple Amazon stores and have a separate login in 1Password for each one, so there is a long list of Amazon logins with various subdomains, 54 in all, and these can't all be grouped. The ones that differ only by subdomain can be, but each store (each country) lives under a different top-level domain, so to the password manager they are unrelated sites rather than subdomains of one site.
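To make the distinction concrete, here is an added example (not 1Password's code, and not code from the post) that contrasts the two matching policies a password manager could apply. Exact host matching is what produces the "reused password" warning across Apple subdomains; matching on the registrable domain (eTLD+1) fixes that, and an explicit, user-declared list of equivalent domains is what would let the Amazon country stores share one login. The vault entries, the tiny public-suffix table and the equivalence list are all constructed for the demo; a real implementation would load the full Public Suffix List.

```python
"""Group saved logins by registrable domain (eTLD+1), with an explicit
equivalence list for sites that share one account across distinct domains.

Added example, not code from 1Password or from the post. The sample vault,
the public-suffix subset and the equivalence list are constructed here.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List: suffixes directly under
# which registrations happen. Real code must load the complete list.
PUBLIC_SUFFIXES = {"com", "ca", "co.uk", "uk"}

# Hypothetical user-declared "equivalent domains": registrable domains the
# user says share one login. Constructed for the Amazon country stores
# named in the post; a real list would be edited by the user.
EQUIVALENT_DOMAINS = [
    {"amazon.com", "amazon.co.uk", "amazon.ca"},
]

# Constructed sample vault entries (one saved login per URL).
VAULT = [
    "https://appleid.apple.com/",
    "https://developer.apple.com/",
    "https://www.amazon.com/",
    "https://smile.amazon.com/",
    "https://www.amazon.co.uk/",
    "https://www.amazon.ca/",
    "https://example.com/login",
]


def hostname(url: str) -> str:
    """Lower-cased host of a URL; rejects URLs with no host."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """eTLD+1 of a URL: the longest public suffix plus one label.
    e.g. https://appleid.apple.com -> apple.com, www.amazon.co.uk -> amazon.co.uk
    """
    labels = hostname(url).split(".")
    # Walk from the full host down; the first suffix hit is the longest
    # one, so 'co.uk' wins over 'uk' for British hosts.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{'.'.join(labels)} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def match_key(url: str) -> str:
    """Grouping key: the whole equivalence set if the eTLD+1 is in one,
    otherwise the eTLD+1 itself."""
    domain = registrable_domain(url)
    for group in EQUIVALENT_DOMAINS:
        if domain in group:
            return "|".join(sorted(group))
    return domain


def exact_host_match(saved_url: str, visited_url: str) -> bool:
    """Strict policy: a login is offered only on the exact host it was
    saved for. appleid.apple.com and developer.apple.com look unrelated."""
    return hostname(saved_url) == hostname(visited_url)


def login_applies(saved_url: str, visited_url: str) -> bool:
    """Relaxed policy: same eTLD+1, or both in one equivalence group."""
    return match_key(saved_url) == match_key(visited_url)


def group_logins(urls):
    """Collapse a vault into login groups under the relaxed policy."""
    groups = defaultdict(set)
    for url in urls:
        groups[match_key(url)].add(url)
    return dict(groups)


if __name__ == "__main__":
    for key, urls in sorted(group_logins(VAULT).items()):
        print(key, "->", sorted(urls))
```

Two caveats a practitioner would want. First, grouping by eTLD+1 assumes every subdomain is operated by the same party; the Public Suffix List exists precisely because that is false for hosting providers and similar multi-tenant domains, which is why the strict policy is the safe default and the relaxed one should be an opt-in. Second, the equivalence list has to be user- or vendor-curated, since nothing in DNS says that amazon.com and amazon.ca share an account database.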

Source: Passwords Are a Design Problem