Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.


Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.
Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don’t know a single other password. Can someone correct me if I’m wrong?
As always, the most secure password is the least convenient and accessible. It’s a trade-off, but you want fewer dictionary words and patterns overall. Preferably with a physical component for the master password.
Longer is better…giggitty.
I’ve found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).
You are also correct that length is mostly what matters, but also throwing in a random capitalization, a number or two, and some special character will greatly increase the required search space. Also using uncommon words, or words in other languages than English can also greatly increase the resistance to dictionary attacks.
If your password manager has a password recovery mechanism, that means your key is stored on the server and would be compromised in a breach. If that’s the case, I highly recommend changing password managers.
The ideal way a password manager works is by having all encryption done client-side and never sending the password to the server. If the server cannot decrypt your password data, neither can an attacker. That’s how my password manager works (Bitwarden), and I highly recommend restricting your options only to password managers with that property.
If you need a backup, write it in a notebook and keep it in a safe. If your house gets broken into, change your password immediately before the thief has a chance to rifle through the stuff they stole. My SO and I have shared passwords to all important credentials, so that’s our backup mechanism.
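The client-side design described in the comment above, as an added example that is not part of the thread and is not Bitwarden's code. The iteration count, the key labels and the HMAC-based stream cipher (a stand-in, because the Python standard library has no AES) are assumptions of this sketch, and the account and vault contents are constructed.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor for this sketch

def client_keys(master_password: str, email: str):
    """Runs on the client only. Returns (auth_hash, enc_key, mac_key)."""
    pw = master_password.encode()
    master_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), ITERATIONS)
    # Login proof sent to the server: a one-way hash of the master key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, pw, 1)
    # Separate keys for encryption and integrity; neither leaves the client.
    enc_key = hmac.new(master_key, b"enc", "sha256").digest()
    mac_key = hmac.new(master_key, b"mac", "sha256").digest()
    return auth_hash, enc_key, mac_key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (assumption, not AES).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:n]

def seal(vault: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(vault, _keystream(enc_key, nonce, len(vault))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag  # the only vault data the server ever stores

def unseal(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo():
    # Constructed sample account and vault contents.
    auth, ek, mk = client_keys("correct horse battery staple", "user@example.com")
    server_record = {"auth_hash": auth, "vault": seal(b"example.com: hunter2", ek, mk)}
    plain = unseal(server_record["vault"], ek, mk)  # right master password
    _, ek2, mk2 = client_keys("wrong guess", "user@example.com")
    try:  # holder of the server record with a wrong guess
        unseal(server_record["vault"], ek2, mk2)
        leaked = True
    except ValueError:
        leaked = False
    return plain, leaked, server_record

if __name__ == "__main__":
    print(demo()[:2])
```

A breach of `server_record` still allows offline guessing of the master password at the cost of one full key derivation per guess, which is why the length of the master password matters.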
Okay, but hackers don’t have to know whether I used special character or just lowercase? Or am I stoopid?
I use a “password pattern”, rather than remembering all the passwords, I just remember a rule I have for how passwords are done, there are some numbers and letters that change depending on what the service is so every password is unique and I can easily remember all of them as long as I remember the rules I put in place
Also 2FA. You’ll still want to change passwords but it buys you time.
And when that password manager gets cracked?
Got any examples? Because I have…some…examples of password reuse being a real-life problem.
Yes and no; they have their own issues:
https://cybersecuritynews.com/hackers-weaponize-keepass-password-manager/
Don’t download shit from random websites… make sure it’s from legit places…
My university, 23andMe, Transunion, Equifax, CapitalOne, United Healthcare…
You shouldn’t download KeePass from any of those.
Yeah UHC sold my data as soon as I was put under their coverage. Now I get so many phishing emails pretending to be from UHC.
Legit means the KeePass website… those are not legit places to download the password manager.
These kinds of breaches are at the site level. Not much you can do as a regular user if the company doesn’t hash or salt their passwords, for example.
I believe they are replying to the article you posted in regards to the download from legit sites comment, not the fact that the sites have shit web practices (which while correct is a different thing).
To the people who didn’t read the article posted in the comment prior, basically the software installed wasn’t the legitimate software, it was a modified software that was a trojan that was forwarding passwords stored in the KeePass database to a home server.
That’s not something that the sites are doing wrong, nor is it the password manager’s fault. That’s fully the user’s fault for downloading a trojan.
Not from what the article says
Oh, so don’t use unique passwords? Sure buddy.