Bitcoin Forum
Author Topic: -snip-  (Read 348 times)
Ux (OP) (Newbie; Activity: 8, Merit: 11)
July 16, 2019, 11:26:34 AM
Last edit: July 17, 2019, 10:59:40 PM by Ux
Merited by DdmrDdmr (2), Upgrade00 (2), OgNasty (1), ABCbits (1), Pmalek (1), o_e_l_e_o (1)
#1

-snip-
o_e_l_e_o (In memoriam, Legendary; Activity: 2268, Merit: 18510)
July 16, 2019, 11:39:53 AM
Merited by ABCbits (1), mk4 (1)
#2

Generating your own passwords is usually a bad idea, as humans are bad at being random, and create things which are easy to remember. The best solution to this problem is simply to use a password manager, something like KeePass for example. It will securely generate a different long and random password for every site you need it to. All these passwords are encrypted and stored locally, and can be protected with a combination of a master password, a key file, and 2FA.

As an aside, in your examples above I would disagree with your second example (orange text) being "okay". This practice is only trivially better than using identical passwords across sites. I would probably rename the first two categories to "very bad" and "bad", and remove "okay" altogether.
Ux (OP) (Newbie; Activity: 8, Merit: 11)
July 16, 2019, 12:07:56 PM
#3

Quote from: o_e_l_e_o on July 16, 2019, 11:39:53 AM
Generating your own passwords is usually a bad idea, as humans are bad at being random, and create things which are easy to remember. The best solution to this problem is simply to use a password manager, something like KeePass for example. It will securely generate a different long and random password for every site you need it to. All these passwords are encrypted and stored locally, and can be protected with a combination of a master password, a key file, and 2FA.

As an aside, in your examples above I would disagree with your second example (orange text) being "okay". This practice is only trivially better than using identical passwords across sites. I would probably rename the first two categories to "very bad" and "bad", and remove "okay" altogether.
I have taken your feedback into account and adjusted the post accordingly, thanks for the help :)
mk4 (Legendary; Activity: 2758, Merit: 3830)
July 16, 2019, 12:17:07 PM
#4

And just to add to this, make sure your master password is also actually secure. If your online accounts' passwords are secure while your password manager's password is insecure, it defeats the purpose. If anything, it could be worse. Make sure your master password is difficult enough to guess and difficult enough to brute-force[1].

And also, if possible, use the max number of characters for your online accounts (mostly 40 as far as I know). Your password manager generates it anyway, so there should be no difference in terms of user experience.

[1] https://en.wikipedia.org/wiki/Brute-force_attack

Ux (OP) (Newbie; Activity: 8, Merit: 11)
July 16, 2019, 12:31:59 PM
#5

Quote from: mk4 on July 16, 2019, 12:17:07 PM
And just to add to this, make sure your master password is also actually secure. If your online accounts' passwords are secure while your password manager's password is insecure, it defeats the purpose. If anything, it could be worse. Make sure your master password is difficult enough to guess and difficult enough to brute-force[1].

And also, if possible, use the max number of characters for your online accounts (mostly 40 as far as I know). Your password manager generates it anyway, so there should be no difference in terms of user experience.

[1] https://en.wikipedia.org/wiki/Brute-force_attack
The aforementioned managers are only as secure as you make them; KeePass and LastPass are not cloud based, as stated before; they are non-custodial and the data is stored on your PC. I'll add a little footnote about brute-forcing in a little bit, thanks for the suggestion.
elda34b (Sr. Member; Activity: 910, Merit: 351)
July 16, 2019, 12:37:24 PM
#6

I always check the entropy if I want to make my own password that is easy enough to remember but difficult to brute-force. If you want to make a master password, maybe you should do that too, or simply use the generated password from your password manager as long as you can remember or store it in a safe place.
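The advice in #2, #4 and #6 (let the manager generate passwords, pick a master password that resists brute force, and check the entropy of anything you choose yourself) can be put into numbers. The Python below is an added example written for this page, not code from any of the posters or from KeePass or LastPass. The 94-symbol alphabet, the 7776-word list size and the two guess rates are assumptions chosen for illustration; everything runs offline.

```python
import math
import secrets
import string

# Alphabet a typical generator offers: the 94 printable ASCII symbols (assumed choice).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Guess rates are assumptions for illustration: a rate-limited online login
# form versus an offline attack on a leaked hash with a GPU rig.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365.25 * 86400


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Build a password from the OS CSPRNG, one uniformly chosen symbol per position.

    secrets.choice is the right tool: random.choice is a seeded PRNG and is not
    suitable for anything secret.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(positions: int, choices_per_position: int) -> float:
    """Entropy of a string whose positions are chosen uniformly and independently.

    This is the GENERATOR's entropy: positions * log2(choices). A human-chosen
    password that happens to be 20 characters long does not get this number;
    its entropy is bounded by the size of the pool it was really picked from.
    """
    if positions < 1 or choices_per_position < 2:
        raise ValueError("need at least one position and two choices")
    return positions * math.log2(choices_per_position)


def expected_bruteforce_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given guess rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def compare(length: int = 20) -> dict:
    """Entropy and expected offline crack time for three password sources."""
    cases = {
        # manager output over the full 94-symbol alphabet
        "manager_94_symbols": entropy_bits(length, len(FULL_ALPHABET)),
        # manager output restricted to lowercase (sites that reject symbols)
        "manager_lowercase": entropy_bits(length, 26),
        # four words picked uniformly from a 7776-word diceware-style list;
        # the character length of the result is irrelevant to its entropy
        "four_diceware_words": entropy_bits(4, 7776),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "offline_years": expected_bruteforce_seconds(bits, OFFLINE_GUESSES_PER_SEC)
            / SECONDS_PER_YEAR,
        }
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    print("generated:", generate_password())
    for name, stats in compare().items():
        print(f"{name:22s} {stats['bits']:6.1f} bits  ~{stats['offline_years']:.3g} years offline")
```

The numbers make o_e_l_e_o's point concrete: a 20-symbol generated password sits above 130 bits, while a master passphrase of four random words from a 7776-word list is just under 52 bits, which still costs an offline attacker thousands of years at 1e10 guesses per second only because every guess is independent and the words were chosen by dice, not by the user.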
mk4 (Legendary; Activity: 2758, Merit: 3830)
July 16, 2019, 12:54:23 PM
#7

Quote from: Ux on July 16, 2019, 12:31:59 PM
The aforementioned managers are only as secure as you make them; KeePass and LastPass are not cloud based, as stated before; they are non-custodial and the data is stored on your PC. I'll add a little footnote about brute-forcing in a little bit, thanks for the suggestion.

True. But though unlikely, you can still be a target and your .kdbx can still be stolen from your computer or from your Dropbox account (or whatever cloud service you're using), especially when you flaunt online saying stupid, unnecessary things like "my Binance account has 500 BTC" or something along those lines.

DdmrDdmr (Legendary; Activity: 2310, Merit: 10758)
July 16, 2019, 12:54:33 PM
#8

I came across a survey that Google had performed alongside Harris Poll on online security. While the survey's scope is limited (3k people in the U.S.), and the conclusions may well vary from country to country, it gives us a ballpark idea of just how common password reuse is:
Quote
52% reuse the same password for multiple (but not all) accounts
35% Use a different password for all accounts
13% Reuse the same password for all their accounts
(see http://services.google.com/fh/files/blogs/google_security_infographic.pdf )
Pmalek (Legendary; Activity: 2758, Merit: 7135)
July 16, 2019, 01:33:47 PM
#9

The HaveIBeenPwned website was mentioned on this forum before, but I remember a post by one user who said that the site could also be a way for a malicious user to get a new list of emails that are still in use and have some sort of importance to their users.

For example, let's say that the site is hosted by someone with bad intentions. He could easily check which email addresses have been searched on his site. Those emails were probably entered because they are important enough for their owners to check if they got hacked or not.

The owner of the HaveIBeenPwned site now has a new list of email accounts that he can use and investigate further.

Ux (OP) (Newbie; Activity: 8, Merit: 11)
July 16, 2019, 01:41:23 PM
#10

Quote from: Pmalek on July 16, 2019, 01:33:47 PM
The HaveIBeenPwned website was mentioned on this forum before, but I remember a post by one user who said that the site could also be a way for a malicious user to get a new list of emails that are still in use and have some sort of importance to their users.

For example, let's say that the site is hosted by someone with bad intentions. He could easily check which email addresses have been searched on his site. Those emails were probably entered because they are important enough for their owners to check if they got hacked or not.

The owner of the HaveIBeenPwned site now has a new list of email accounts that he can use and investigate further.
Valid concern, but HaveIBeenPwned is very trusted and has hundreds of thousands of lookups on it.
It is transparent and, if I remember correctly, there was an external audit of the website's source.
If you don't feel comfortable using HaveIBeenPwned, you can look your email up straight in the source, the actual leaked databases themselves, but that would take extensive space on your computer to download literally terabytes of leaked data haha
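Pmalek's concern is about what a lookup reveals to whoever runs the site. For passwords (not email addresses) HaveIBeenPwned offers a lookup that limits exactly this: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every suffix in that bucket with its breach count, so the operator learns neither the password nor its full hash, and the match is made locally. The email search has no equivalent, so for that the choice remains trusting the operator or working from the source data as described above. The Python below is an added example written for this page, not HaveIBeenPwned's own client code. The sample response body, its counts and the other suffixes in it are constructed; the real HTTP fetcher is included for completeness but is not called by the offline demo.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API; only a 5-hex-char prefix is sent.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 split into the prefix that leaves the machine and the suffix that stays."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real API) into a dict."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {raw!r}")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach occurrences for the password, or 0 if its suffix is absent from the bucket."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Real fetcher (does network I/O). Not used by the offline demo or the tests."""
    import urllib.request
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the bucket "5BAA6". SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is listed; the count
# and the two other entries are made up for the example.
SAMPLE_RANGE_5BAA6 = (
    "1CCBA2B0B24C49F6E2D4EEE1B57E2D8F1F2:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "2A0D5E4B9D8D2C1F4E6A7B8C9D0E1F2A3B4:1\r\n"
)


def fake_fetch(prefix: str) -> str:
    """Offline fetcher that only knows the one constructed bucket."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 9f3a"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch)} times")
```

To query the live service, pass `fetch_range_http` instead of `fake_fetch`; the only thing in the request is the five-character prefix, which matches on the order of several hundred hashes per bucket, so the server cannot tell which one you hold.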
o_e_l_e_o (In memoriam, Legendary; Activity: 2268, Merit: 18510)
July 16, 2019, 02:16:34 PM
#11

Quote from: mk4 on July 16, 2019, 12:54:23 PM
you can still be a target and your .kdbx can still be stolen from your computer or from your Dropbox account (or whatever cloud service you're using).
Absolutely. You should only store your password database locally, and use a difficult-to-brute-force password as mentioned. Additionally, both KeePass and LastPass offer additional ways of securing your file. KeePass allows using a key file along with a password, for example. Store the key file only on a USB stick (for example), and obviously never on the same device as your password database, and then an attacker will need to compromise 3 things to steal your passwords: steal your database file, brute force your password, and steal your USB stick. LastPass has a variety of multi-factor methods, including the LastPass app, biometric identification, and working on approved devices only.
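The "three things to compromise" argument above only holds if the vault key is derived from both the master password and the key file, so that a stolen database plus a guessed password still yields nothing. The Python below is an added example written for this page: a simplified model of such a composite key, in the spirit of KeePass's password-plus-key-file design but not its file format, KDF parameters or exact construction. It runs a wordlist attack against the stored key check with no key file, a wrong key file and the right one. The salt, key file bytes, wordlist and scrypt cost are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# scrypt work factor for the demo (assumed; real vaults use much larger values).
# Memory per derivation is 128 * n * r bytes = 16 MiB here, so maxmem sits above it.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def composite_secret(password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold the factors together: H(H(password) || H(keyfile)), or H(H(password)) alone.

    Hashing each factor first means a key file of any size contributes a fixed
    32 bytes; the outer hash binds the two so neither can be tested on its own.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def derive_vault_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite secret with a memory-hard KDF so every guess is expensive."""
    return hashlib.scrypt(
        composite_secret(password, keyfile), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32,
    )


def key_check(vault_key: bytes) -> bytes:
    """Value stored beside the database so a wrong key is rejected cleanly.

    A MAC of a fixed string under the vault key reveals nothing about the key,
    but it is exactly what an offline attacker tests candidate keys against.
    """
    return hmac.new(vault_key, b"vault key check", hashlib.sha256).digest()


def unlock(password: str, keyfile: Optional[bytes], salt: bytes, stored_check: bytes) -> bool:
    candidate = key_check(derive_vault_key(password, keyfile, salt))
    return hmac.compare_digest(candidate, stored_check)


def wordlist_attack(words: Iterable[str], keyfile: Optional[bytes],
                    salt: bytes, stored_check: bytes) -> Optional[str]:
    """What someone holding the stolen database file (salt + check) can do offline."""
    for word in words:
        if unlock(word, keyfile, salt, stored_check):
            return word
    return None


# Constructed demo data: the master password is deliberately weak and sits in the
# attacker's wordlist, so the key file is the only thing standing in the way.
MASTER_PASSWORD = "Tr0ub4dor&3"
KEYFILE = os.urandom(64)            # stands in for a generated key file kept on a USB stick
WRONG_KEYFILE = bytes(64)           # an attacker's guess at the key file contents
SALT = os.urandom(16)
STORED_CHECK = key_check(derive_vault_key(MASTER_PASSWORD, KEYFILE, SALT))
WORDLIST = ["password", "123456", "Tr0ub4dor&3", "letmein"]


if __name__ == "__main__":
    print("database only:        ", wordlist_attack(WORDLIST, None, SALT, STORED_CHECK))
    print("database + wrong file:", wordlist_attack(WORDLIST, WRONG_KEYFILE, SALT, STORED_CHECK))
    print("database + key file:  ", wordlist_attack(WORDLIST, KEYFILE, SALT, STORED_CHECK))
```

The third run is the caveat to keep in mind: once the key file is also stolen, the weak master password falls on the third guess, and only the KDF cost slows the attacker down. The key file adds a factor; it does not excuse a poor password.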
sheenshane (Legendary; Activity: 2394, Merit: 1215)
July 16, 2019, 02:21:41 PM
#12

Very informative thread.
Creating a strong password should be tricky: it has to be very hard to guess but easy to remember, and aside from the password, always put a multi-layer of security on your account with a 2FA code. And here is a thread on how to make a strong password if you need more references: [GUIDE] How to Create a Strong/Secure Password.

I used the same password on a website if I activated my 2FA code; I feel safe when I activate that 2FA because the code is always on my mobile phone, which is safe. And of course, my Gmail account must be unique and always kept lengthy (good stuff would be the use of passphrases).
Also, I may advise that you change your password regularly, and don't forget to save it on a piece of paper and store it in a safe place.

TryNinja (Legendary; Activity: 2828, Merit: 6977)
July 16, 2019, 05:17:30 PM
#13

Quote from: Ux on July 16, 2019, 12:31:59 PM
The aforementioned managers are only as secure as you make them; KeePass and LastPass are not cloud based, as stated before; they are non-custodial and the data is stored on your PC.
I'm pretty sure LastPass is actually cloud-based?

KeePass is great and doesn't store anything anywhere (other than in a file on your PC) unless you download a specific plugin to make it sync with cloud storage (Drive, Dropbox, etc.). But LastPass is fully online.

Ux (OP) (Newbie; Activity: 8, Merit: 11)
July 16, 2019, 05:31:18 PM
#14

Quote from: TryNinja on July 16, 2019, 05:17:30 PM
Quote from: Ux on July 16, 2019, 12:31:59 PM
The aforementioned managers are only as secure as you make them; KeePass and LastPass are not cloud based, as stated before; they are non-custodial and the data is stored on your PC.
I'm pretty sure LastPass is actually cloud-based?

KeePass is great and doesn't store anything anywhere (other than in a file on your PC) unless you download a specific plugin to make it sync with cloud storage (Drive, Dropbox, etc.). But LastPass is fully online.
https://support.logmeininc.com/lastpass/help/where-is-my-lastpass-data-stored-on-my-computer-lp070008
LastPass is non-custodial as well lol
I personally prefer LastPass due to the modern UI
TryNinja (Legendary; Activity: 2828, Merit: 6977)
July 16, 2019, 05:42:30 PM
#15

Quote from: Ux on July 16, 2019, 05:31:18 PM
https://support.logmeininc.com/lastpass/help/where-is-my-lastpass-data-stored-on-my-computer-lp070008
LastPass is non-custodial as well lol
I personally prefer LastPass due to the modern UI
Yes, they are stored on your PC for convenience (so you can still access them when offline). But why do you think you can log in from anywhere with your email and password to see your data? Because it is custodial :)

Just because they offer cached offline access doesn't mean that they don't store your data. lol

Maybe check this?
https://support.logmeininc.com/lastpass/help/how-is-lastpass-safe-lp010089

Ux (OP) (Newbie; Activity: 8, Merit: 11)
July 16, 2019, 07:29:15 PM
#16

Quote from: TryNinja on July 16, 2019, 05:42:30 PM
Quote from: Ux on July 16, 2019, 05:31:18 PM
https://support.logmeininc.com/lastpass/help/where-is-my-lastpass-data-stored-on-my-computer-lp070008
LastPass is non-custodial as well lol
I personally prefer LastPass due to the modern UI
Yes, they are stored on your PC for convenience (so you can still access them when offline). But why do you think you can log in from anywhere with your email and password to see your data? Because it is custodial :)

Just because they offer cached offline access doesn't mean that they don't store your data. lol

Maybe check this?
https://support.logmeininc.com/lastpass/help/how-is-lastpass-safe-lp010089
Oh haha, my bad, will edit the OP in a moment
Ryutaro (Full Member; Activity: 202, Merit: 180)
July 16, 2019, 10:15:39 PM
#17

I came across Dashlane by accident and started using it. It is extremely helpful; you can easily manage many accounts. Also, it tells you if your password has been compromised so you can change it with a simple click without logging into your account; plus, the app can log you in to websites without the need to fill in your information every time, but to get all the features you need the premium version. $$
Indamuck (Hero Member; Activity: 1120, Merit: 554)
July 17, 2019, 03:31:01 PM
#18

I don't trust the HaveIBeenPwned website; they could be seeing what email addresses people still use and care about. Once you type your email address into it, they know that it may have some type of value attached to it.