I’d say for a secure password in a manager, it’s not really harmful.
Someone who uses a manager and secure passwords will usually be aware of the “generate me a new unique, secure password” feature, so they will generate a new one and simply paste that into the page. They might be inclined to just add the bad practice “-01” although it honestly doesn’t make a unique, secure password worse unless the unencrypted password was somehow leaked. The delay in emergency situations mentioned in the post might still happen, although the harm there will depend on the exact situation and likely usually fall into the “annoying delay” category.
I absolutely agree that forced password changes need to die simply because a majority of users still tries to remember passwords and is therefore prone to bad practices, but for someone with a password manager and unique passwords it’s more unnecessary and annoying than actively harmful.
I used to have a friend’s password somewhere that used rotation and I’d just have to do a quick bit of maths to figure out the final number. Surely there are bots that are smart enough to automate this: mysuperstrongpass01 -> mysuperstrongpass02, mysuperstrongpass03 etc. [edit: the article alludes to this, but then I most of our comments here and on the link are not very original either!]
Password reuse is probably the worst security flaw nowadays, and a strong but reused password is basically no better than classics like password1 after a depressingly small amount of time/services.
I’d say for a secure password in a manager, it’s not really harmful.
Someone who uses a manager and secure passwords will usually be aware of the “generate me a new unique, secure password” feature, so they will generate a new one and simply paste that into the page. They might be inclined to just add the bad practice “-01” although it honestly doesn’t make a unique, secure password worse unless the unencrypted password was somehow leaked. The delay in emergency situations mentioned in the post might still happen, although the harm there will depend on the exact situation and likely usually fall into the “annoying delay” category.
I absolutely agree that forced password changes need to die simply because a majority of users still tries to remember passwords and is therefore prone to bad practices, but for someone with a password manager and unique passwords it’s more unnecessary and annoying than actively harmful.
I used to have a friend’s password somewhere that used rotation and I’d just have to do a quick bit of maths to figure out the final number. Surely there are bots that are smart enough to automate this: mysuperstrongpass01 -> mysuperstrongpass02, mysuperstrongpass03 etc. [edit: the article alludes to this, but then I most of our comments here and on the link are not very original either!]
Password reuse is probably the worst security flaw nowadays, and a strong but reused password is basically no better than classics like password1 after a depressingly small amount of time/services.