Backcountry Pilot • Don't send your password to me

Don't send your password to me

I often get requests for account help from users and new registrants here. Many times those users voluntarily send me their password, thinking it will somehow help with the request.

Don't ever do this. System administrators and technical help people don't need your password to fix your account issues, and they won't ever ask for it. If they do, don't tell them. It's probably a scam or phishing of some sort.

Account hacking/identity theft isn't a difficult endeavor. One way your accounts get hacked is when another site you've signed up for gets hacked and their user database stolen. If that user database has clear text (unencrypted) passwords, now that hacker has your username, email, and password. It's likely you've used the same combo on other sites, or your email account, or god forbid...your online banking.

A good website security design requires that your passwords are encrypted on the back end so that no one can just look in the database (whether stealthily or after stealing it) and find your password. An administrator already has the power to reset your password, change your username, activate your account, etc.

Don't volunteer your password to anyone, even if asked.
Zzz offline
Janitorial Staff
Posts: 2854
Joined: Fri Oct 08, 2004 11:09 pm
Location: northern
Aircraft: Swiveling desk chair
Half a century spent proving “it is better to be thought a fool than to open your mouth and remove all doubt.”
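
The storage design the first post describes, as an added example that is not part of the original thread: the "encryption" is done here as a salted one-way scrypt hash, so the database holds nothing readable and an administrator can reset an account without ever knowing the old password. The function names, cost parameters and sample accounts are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import secrets

# scrypt cost parameters (assumed values for this sketch; tune for your hardware)
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def make_record(password: str) -> dict:
    """Return what the site stores: a random per-user salt and the scrypt digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def admin_reset(db: dict, username: str) -> str:
    """Overwrite a user's record with a fresh temporary password.

    The administrator never sees, and never needs, the old password.
    """
    temp = secrets.token_urlsafe(12)
    db[username] = make_record(temp)
    return temp


def build_demo_db() -> dict:
    """Constructed sample accounts: two users who picked the same password."""
    shared = "Cub-on-floats-1949"
    return {"pilot_a": make_record(shared), "pilot_b": make_record(shared)}


if __name__ == "__main__":
    db = build_demo_db()
    # Same password, different salts: the stored rows do not match each other.
    print(db["pilot_a"]["hash"] != db["pilot_b"]["hash"])
    temp = admin_reset(db, "pilot_a")
    print(verify(temp, db["pilot_a"]), verify("Cub-on-floats-1949", db["pilot_a"]))
```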

Re: Don't send your password to me

<password rant>
Passwords are a huge pain in the backside. As Zzz pointed out, never use the same password at several different websites. Eventually, one of those sites will be compromised, and it will probably be the one that didn't take care to encrypt your password. Before you know it, your password will end up in the hands of hackers.

This page:

https://www.avast.com/hackcheck/

Will ask for your email, then send you an email that shows you what passwords are out in the wild.

So if the only way to protect against this is to use a different password for every site, then the best way to manage that is through a password safe program. It takes a master password, then uses that to encrypt a database with all of your other passwords. Think of it like writing down all of your passwords on a piece of paper, and putting it in your safe. You only need to remember the master password/safe password, then you can get to the rest of them.

Here are a few to look at:

online ones:
https://1password.com/
https://www.keepersecurity.com/

https://www.pcmag.com/roundup/300318/th ... d-managers

One other thing to point out. I use 1password and my wife has my master password. Should I become the smoking hole at the end of the runway, she will be able to get access to everything she needs to get access to. I don't want her to have to deal with tracking down the insurance information.

<end rant>

Carry on.
akschu offline
Contributing author
Posts: 439
Joined: Fri Feb 13, 2009 12:13 pm
Location: Wenatchee
Aircraft: 1949 C-170
20?? 4 place Bearhawk

Re: Don't send your password to me

The best password is the one so complex, you can't remember it.
Start using password managers and stop adding !123 to the end of the one you've gotten used to typing.

https://www.secureauth.com/blog/confess ... rd-tweaker
https://www.secureauth.com/blog/Confess ... ker-Part-2
Bagarre offline
Posts: 794
Joined: Wed Apr 16, 2014 7:18 pm
Location: Herndon
Aircraft: 1952 Cessna 170B project

Re: Don't send your password to me

LastPass user here. I love using it to generate 16 character gibberish passwords. Good luck using a brute force cracker or rainbow table on those.
Zzz offline
Janitorial Staff
Posts: 2854
Joined: Fri Oct 08, 2004 11:09 pm
Location: northern
Aircraft: Swiveling desk chair
Half a century spent proving “it is better to be thought a fool than to open your mouth and remove all doubt.”

Re: Don't send your password to me

I use Google Chrome with two factor verification on my Google account. You're not getting into my important stuff unless you have my phone in your hand.

I have one password that I use for things like this that I could care less if anybody has it. I have pretty much the same password for every forum, Garmin, etc, nothing that's critical.

For banking etc or anything that involves money I have a long super secure password.

I'm highly in favor of having a junk password that's for stuff that really doesn't matter, highly secure for other stuff that does matter.

I rarely find anymore that after really working on having a system and keeping it straight that I don't remember a password or Chrome doesn't.

The two factor verification through Google is pretty much hard to hack from what I know.

There are plenty of people out there that have really stupid passwords and do really stupid things with online security. I think a little bit of due diligence will make somebody just move on to the next one and not mess with you.
tbag offline
Supporter
Posts: 23
Joined: Tue Sep 05, 2017 12:47 pm
Location: Scappoose
Aircraft: 1956 Piper Pacer

Re: Don't send your password to me

As long as your really hard bank passwords are only used at one bank each. Once you hack a company, cracking encrypted passwords isn’t difficult. Then, they try those credentials everywhere on the internet to see where else they work. Credential Stuffing. Or a simple variation of your known credentials. Password Fuzzing.
So your ‘junk’ password used everywhere and they get access to all those sites and scrape them for your personal info. Once they have the info, they package it up and sell your identity on the dark web. Password re-use is a really bad idea.

Two factor is better but we’ve shown that even Push to Accept (Google 2FA) can be defeated without access to the phone through user fatigue. Sending a PIN via SMS is even easier to defeat and shouldn’t be considered 2FA in this day and age. Of them all, on-device PIN generation from a second trusted device (sorry Android users) seems to be the strongest.

Having your browser remember all your passwords is like putting all of your keys under the front doormat. Compromise the browser by a malicious pop-up ad and they have every single username, password and web address you’ve ever typed in.

LastPass or some of the other password managers are the best way to go.
Bagarre offline
Posts: 794
Joined: Wed Apr 16, 2014 7:18 pm
Location: Herndon
Aircraft: 1952 Cessna 170B project
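
Credential stuffing as described in the post above leaves a different trace in a login log than one person mistyping a password: a single source fails against many different accounts, and any success from that source is an account to reset. This detection sketch is an added example, not part of the thread; the log format, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format for this sketch: "<timestamp> login <OK|FAIL> user=<name> ip=<addr>"
LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log; addresses are from documentation-only ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:02Z login FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:03Z login FAIL user=carol ip=203.0.113.7
2024-05-01T10:00:04Z login FAIL user=dave ip=203.0.113.7
2024-05-01T10:00:05Z login OK user=erin ip=203.0.113.7
2024-05-01T10:01:10Z login FAIL user=frank ip=198.51.100.20
2024-05-01T10:01:15Z login FAIL user=frank ip=198.51.100.20
2024-05-01T10:01:21Z login FAIL user=frank ip=198.51.100.20
2024-05-01T10:02:00Z login FAIL user=alice ip=192.0.2.44
2024-05-01T10:02:09Z login OK user=alice ip=192.0.2.44
"""


def find_stuffing(log_text: str, min_users: int = 4) -> dict:
    """Flag source IPs that failed logins against >= min_users distinct accounts.

    Returns {ip: {"failed_users": [...], "reset_needed": [...]}} where
    reset_needed lists accounts that same IP logged in to successfully.
    A production rule would also bound this to a time window.
    """
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        bucket = failed if m["result"] == "FAIL" else succeeded
        bucket[m["ip"]].add(m["user"])

    report = {}
    for ip, users in failed.items():
        if len(users) >= min_users:
            report[ip] = {
                "failed_users": sorted(users),
                "reset_needed": sorted(succeeded[ip]),
            }
    return report


if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

Repeated failures on one account (frank) and a single mistyped password (alice from 192.0.2.44) stay below the threshold because each involves only one username.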

Re: Don't send your password to me

I'm liking LastPass, is the basic version really free or just for the first 30 days !!!!
Mapleflt offline
Supporter
Posts: 2324
Joined: Sun Feb 12, 2017 2:35 pm
Location: Bradford
Aircraft: Cessna S170B NexGen (NM) Variant

Re: Don't send your password to me

Mapleflt wrote: I'm liking LastPass, is the basic version really free or just for the first 30 days !!!!

It's Free free. The premium pay version gives you a few features useful in a corporate environment but the free one is perfect for the home and family.
Bagarre offline
Posts: 794
Joined: Wed Apr 16, 2014 7:18 pm
Location: Herndon
Aircraft: 1952 Cessna 170B project

Re: Don't send your password to me

Cool, I'm sold
Mapleflt offline
Supporter
Posts: 2324
Joined: Sun Feb 12, 2017 2:35 pm
Location: Bradford
Aircraft: Cessna S170B NexGen (NM) Variant
