Passwords and Online Accounts
With recent developments regarding storyofrachel's accounts being targeted and compromised, I think it's pretty important to show that a major lesson can be learned about how to protect your online accounts. Hopefully you've already heard and live by all that is below in the post, but for those that don't, consider this a good entry to securing your online accounts.
- Don't use the same username for two different services
This is one of the easiest ways to link two accounts to the same user. Malicious actors will have a much more difficult time knowing all the services you use if the names are unique and unrelated.
- Don't use the same password more than once
We're all guilty of this. Convenience is a sweet siren, but if one account is ever compromised, it can domino to all of your other accounts if they share the same password.
- Change your passwords regularly
Even if your password is secure, it is good practice to regularly update these passwords. By changing your password every 6 months, a service breach from 1 year ago won't do much to compromise your account.
- Use Multi-Factor Authentication
There are three main ways to prove an identity: something you know (password), something you have (phone), or something you are (fingerprint). Your security improves dramatically when using two of these to log into services. Most of the time, this is in the form of the service sending you a text message when you log in. If someone knows your password, they would also need your phone (or a way to intercept your texts). If/When ChaCha gets MFA, enable it as soon as you can. ZDNet released a good article today on MFA so please take the time to at least skim through
Regarding 2 and 3, using a password manager such as KeePass, Lastpass, or Bitwarden can make generating and keeping up with your passwords a breeze.
A password manager becomes a single point of failure. If it ever gets breached, are you not completely fucked?
Potentially, yes. However, it is something to think about on a personal threat model. For 99% of people, a password manager will greatly improve their security. An individual will likely know if they are at a point that they cannot trust a password manager, and this guide would be moot.
In addition, it is my hope that if you use a password manager, MFA is enabled to reduce the chance of a breach even more.
Agree with fuschia here- your threat model should influence what type of password manager you use. However, you should still use one. If you're super worried about giving your passwords to another service, even if it's something open source like bitwarden, you can use KeepassXC with hardware 2FA challenge-response. KeepassXC keeps your password database on your computer, and not on a server somewhere.
Besides, it's not like these services are storing your passwords unencrypted. These sites never see your passwords, only the encrypted versions of them - and your password is the encryption key. If the site ever gets breached, all that should be stolen is encrypted password databases, which will be bad, but they would need to be decrypted before they can be used. If you are using a strong master password/passphrase, brute forcing your database should be extremely difficult, if not near impossible. (And you NEED to be using a strong master PASSPHRASE).
I honesty cannot think of a situation where an individual shouldn't store most of their passwords in a password manager. The increase in security provided by using strong, randomized passwords for each service far outweighs any minute risk of compromise.