You could lose your life savings by being sloppy with passwords. So maybe it is worth some effort to improve your security?
Start by improving upon your own current practices, and keep doing so over time. You can make things a billion times better with little effort—literally.
The simplest advice I can give is this: think of a password not as a word, but as multiple words or a phrase, hence the term passphrase. That alone tends to generate far superior passwords, if nothing else longer ones. A simple example is "tomatoes-are-not-a-vegetable".
The article quoted below is outstanding, albeit too long for many to deal with all at once. Accordingly, parts of it are quoted here with some of the best ideas called out.
...We all need hundreds of passwords that need to be created, stored and retrieved. When creating them, they need to be reasonably long and reasonably unique...
...Long passwords (12 characters is probably a minimum length, the exact number is debatable) defeat brute force guessing attacks...
PAPER HAS ITS PLACE... keep your most important passwords away from any type of computing device.
... a password formula is a great solution. It solves three problems: it makes retrieving passwords easy and it helps create reasonably long and reasonably unique passwords.... consider a password as a two part thing.
One part never changes; it's something meaningful to you that you will never forget. The other part does change but can be very simple and also meaningful to you. That's it. A constant and a variable. This should help you create dozens of unique, yet easily remembered, passwords.
...speaking as a computer nerd, I cannot stress enough how important it is to not re-use passwords...
...ARGUING AGAINST PASSWORD MANAGER SOFTWARE: the knee-jerk reaction of techies is typically to use a password manager. I think a formula is often a better option...
...The best way to deal with security questions was to treat them like a second password. When asked the name of a person, give the name of a place. When asked the name of a place, use the name of a person instead...
...LIE TO YOUR PASSWORD MANAGER...
...PASSWORDS CAN BE TOO SECURE...
...BEWARE OF BROWSER EXTENSIONS...They see everything on every web page...
MPG: note the first comment “We all need hundreds of passwords...”. I’d bet that most people have fewer than 5 passwords, heavily re-using them.
I do use a password manager, but I agree it is largely for techies and has a significant learning curve for ordinary users to master, even setting aside the other issues with one, which demand additional techie knowledge because of the “all eggs in one basket” approach. For such users, paper passwords combined with a password formula may be the best idea.
If you use paper for passwords, do append a prefix and/or suffix to all of them, but do NOT write that down. Then even if your paper is obtained, they won’t work without that additional prefix/suffix.
I also incorporate a formula approach along with extra rules. And I use gibberish passwords intentionally for some sites, so that even *I* cannot remember them—perfect for a password manager. I mix various rules to suit, depending on the importance of the login. And I use 2FA (two factor authentication) in some cases (password plus a one-time-use code).
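The quoted advice that long passwords and passphrases "defeat brute force guessing attacks" can be made concrete by counting the search space an attacker must cover. The following is an added example, not code from the original post or the article it quotes: it computes the entropy in bits of a few construction schemes (random printable characters of various lengths, and random words drawn from a word list of the size used by Diceware-style lists) and converts that into the time an attacker would need to exhaust the space at an assumed guess rate. The guess rate of 10^10 per second is an assumption chosen for illustration, as are the scheme definitions.

```python
import math

# Assumed attacker speed (guesses per second) for the time estimates; an
# offline attack against a stolen hash database could be faster or slower.
ASSUMED_GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniformly random picks
    from `choices` possibilities (characters, or words from a list)."""
    return length * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a space of 2**bits size."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


# Constructed scheme definitions: (number of choices per position, positions).
# 95 = printable ASCII; 7776 = size of a six-sided-dice word list (6**5).
SCHEMES = {
    "8 random printable characters": (95, 8),
    "12 random printable characters": (95, 12),
    "16 random printable characters": (95, 16),
    "4 random words from a 7776-word list": (7776, 4),
    "6 random words from a 7776-word list": (7776, 6),
}


def compare_schemes(schemes: dict = SCHEMES) -> dict:
    """Return {name: (bits, years)} for each scheme, so the caller can rank them."""
    result = {}
    for name, (choices, length) in schemes.items():
        bits = entropy_bits(choices, length)
        result[name] = (bits, years_to_exhaust(bits))
    return result


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{years:12.3g} years to exhaust")
```

The numbers only hold for passwords chosen uniformly at random; a phrase built from related dictionary words, or a formula whose constant part has already leaked from a site that stored passwords in the clear, has far less entropy than the character count suggests, which is why the post's advice to keep the constant part unwritten matters.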
Anti-security web-site design
Most web sites force us to use an email address to login. Not only does this mean it has to be an active email (which might later go dead), it defeats security in a big way, since the user login name is now known in advance. This hugely simplifies the job of hackers breaking into accounts across services, particularly those that re-use the same password! Stupid beyond belief, but that’s how sites are designed these days—by morons. These same morons often prohibit various characters in passwords and/or limit their length—unbelievable. These same morons make you provide answers to fixed security questions—terrible idea.
Apple iOS makes it such a pain in the ass to enter a complex password, that most users (including me) choose mediocre passwords. It’s a total fail in every way. Shame on Apple for making it so hard.
For example, I cannot use a complex password because I often mis-type it, which I cannot see, because Apple hides the typed text from me as I type it! Then if I get it wrong more than a few times, some sites lock me out. You cannot win with such a stupid design. Accordingly, I just do not use my phone or iPad for things that require a password—I refuse the two shitty choices of poor security or difficult-to-use.
See also: Why Passkeys Will Be Simpler and More Secure Than Passwords.
After noting that LastPass had been hacked, I was curious as to whether 1Password (which I have used for years, and see that you do too) had a blog post that mentioned it. They do, and it has a very interesting section about the advantages of optimizing the security of passwords by maximizing randomness — something I hadn’t thought through previously.
MPG: I hadn’t realized how incompetent some password managers are, like LastPass. I worked in security (encryption, Pretty Good Privacy aka PGP) for years so I consider myself competent in evaluating the general security approach of a product, and it sure looks like 1Password does things right.
Reader Tait S writes:
I had been a theoretical believer until I checked this website: https://haveibeenpwned.com/
Now I have password religion!
MPG: that's a good site to check. It has some connection to 1Password password manager, which I use, and as far as I know has proven secure over the years—so far so good. But you can never really know how good code is; assurances are worth little because the programmers themselves by definition are unaware of the security flaws they do not know about.
For years I got "pay us bitcoin" emails and still do because of one incompetent web site that stored unencrypted passwords in their database.
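The site mentioned above, haveibeenpwned.com, also publishes a "Pwned Passwords" range lookup that lets you check whether a password appears in known breach dumps without sending the password itself: the client SHA-1 hashes the password, sends only the first five hex characters of the hash, receives every suffix in that range with a breach count, and does the final match locally. The code below is an added example written for this post, not code from the site or from any password manager; the network call is isolated behind a `fetch_range` parameter so the matching logic runs offline against a constructed response. The API endpoint is `https://api.pwnedpasswords.com/range/<prefix>`, and the sample response body and counts here are constructed for the demo.

```python
import hashlib
import urllib.request
from typing import Callable


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent to
    the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(range_body: str, suffix: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix, or 0 if the suffix is not in the range."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return match_suffix(fetch_range(prefix), suffix)


def fetch_range_online(prefix: str) -> str:
    """Real lookup against the range API (needs network; the service requires a User-Agent)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-demo"},  # assumed identifier string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). The suffix on the second line is the real remainder of
# that hash; the counts and the other suffix are made up for the demo.
CONSTRUCTED_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call so the example runs without internet."""
    return CONSTRUCTED_RANGE_5BAA6


if __name__ == "__main__":
    for candidate in ("password", "tomatoes-are-not-a-vegetable"):
        hits = pwned_count(candidate, fetch_range_offline)
        verdict = f"seen {hits} times in breaches" if hits else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

To check against the live corpus, pass `fetch_range_online` instead of `fetch_range_offline`; the privacy property is that only five hex characters of the hash leave your machine, so the service learns a set of roughly a few hundred candidate hashes, not which one you hold.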
A leaky VPN (virtual private network) can get you imprisoned or killed in some repressive countries if information is leaked to authorities*. That’s as serious a bug as it gets.
...Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16's approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.
In August, it again emerged that third-party VPNs for iOS and iPadOS routinely fail to route all network traffic through a secure tunnel after they have been turned on – an issue that Apple has purportedly known about for years.
Typically, when a user activates a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. In iOS, security researchers have found that sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties.
According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and iOS 16.
Mysk and Bakry have now discovered that iOS 16 communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user's knowledge:
MPG: a class action lawsuit seems appropriate.
Michael A writes:
To the VPN scam on iOS:
This guy has a very actual site on the topic:
and also a very good security advice site
worth reading ;-)
MPG: for Apple to let this issue sit for so long is unconscionable. And maybe intentional, who can say for sure?