> according to security.org’s password-strength-checker [1] that will take a computer 200,000,000 years to crack
These types of things are very misleading. It is rare for a password to be bruteforced in general, it is unusual for the attacker to have the hashes of the actual site for an offline attack. Hopefully if the dev is competent there is rate limiting for an online attack. If the dev is competent they are hashing with argon2, pbkdf2, bcrypt etc. that slows things down.
Anyways - 95% of password based attacks are using the same password in multiple places with one of the other sites getting hacked (someone's probably going to point out exceptions, and they do exist). Unless your password is absolutely terrible, the threat is not lack of password complexity but lack of password uniqueness.
Just to put it in perspective - 2FA is usually a six digit number, and that is considered secure since there are rate limits, and the user cannot reuse the key on multiple sites. The security.org site says that can be cracked in 25 microseconds. There is obviously more to it than that since 2FA codes last more than 25 microseconds.
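A small risk model of the point this comment makes, added here as an example rather than anything from the thread: a "time to crack" figure describes an offline attack against a fast hash, whereas an online guess at a 6-digit code is bounded by the rate limit and the code's lifetime. The guess rates, the 30-second code lifetime and the 5-per-15-minutes limit are assumed illustrative values, not measurements.

```python
import math

SIX_DIGIT_SPACE = 10 ** 6      # a 6-digit 2FA code: 000000..999999
CODE_LIFETIME_S = 30           # assumed code lifetime (typical TOTP step)


def expected_guesses(space: int) -> float:
    """Average guesses needed to hit a uniformly random secret."""
    return (space + 1) / 2


def offline_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time when the attacker holds the hashes and is CPU-bound,
    which is the only situation a strength checker's number applies to."""
    return expected_guesses(space) / guesses_per_second


def online_attempts(code_lifetime_s: float, attempts_per_window: int,
                    limit_window_s: float) -> int:
    """Guesses an online attacker can make before the code expires, under a
    limit of `attempts_per_window` per `limit_window_s` (a fresh window is
    assumed to open each time one elapses)."""
    return attempts_per_window * math.ceil(code_lifetime_s / limit_window_s)


def success_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses include the live code."""
    return min(attempts, space) / space


def scenarios() -> dict:
    """Same 6-digit secret, four different places the attack happens."""
    return {
        # assumed 1e10 guesses/s against an unsalted fast hash (offline)
        "offline, fast hash, seconds": offline_seconds(SIX_DIGIT_SPACE, 1e10),
        # assumed 10 guesses/s against a memory-hard / slow hash (offline)
        "offline, slow hash, seconds": offline_seconds(SIX_DIGIT_SPACE, 10),
        # online, 5 attempts per 15 minutes: 5 tries before the code expires
        "online, rate limited, p(success)": success_probability(
            SIX_DIGIT_SPACE, online_attempts(CODE_LIFETIME_S, 5, 900)),
        # online, no limit, assumed 100 requests/s sustained for 30 s
        "online, unlimited, p(success)": success_probability(
            SIX_DIGIT_SPACE, online_attempts(CODE_LIFETIME_S, 3000, 30)),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:36s} {value:.3g}")
```

The offline numbers shrink with more hardware; the rate-limited online number does not, which is why the limit, not the six digits, is carrying the security.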
I should have clarified that I’m talking about my login and iCloud passwords here. For websites, I always use hide-my-email (hey, I wrote the client-side code for it) and a safari-suggested unique password for exactly the reason you mention.
I do share those two (different) passwords around the machines I own, (ie: all login passwords are the same, and the iCloud password is shared of course) but I don’t see that as extending my risk at all. All of those machines are under my control for the login, and I know how well Apple secure the iCloud one.