Good thread after separation from Chromebooks. I've learned useful things, and it made me think through the problem more, especially the secondary aspects of the security. Here is my summary. I tagged quotes from others; everything else is my opinion.
1. Never reuse a password you care about.
-- Bruce Schneier
a. If you have N online accounts, you need N secure passwords.
b. You must remember which password goes with which site.
c. A corollary: Never reuse the same email address for password recovery. If you have N online accounts, you need N password recovery email addresses and N email passwords.
i. An alternative is to use something other than email address as the account name. Then someone stealing your account name does not simultaneously get your recovery email address.
1. Some sites mandate a valid email address as the account name.
d. I tried and failed to delete old unused accounts. Many sites have no function for account deletion. Therefore, I have to forever remember the login information I used on those sites, in order to avoid reusing them.
i. When service providers go bankrupt, their assets, including digital assets, are sometimes sold to the highest bidder. Obviously, all provider security becomes moot. For example, a hospital in Phoenix failed to pay the rent on a warehouse storing patient medical records. The landlord sold the records at auction.
2. Pretty much anything that can be remembered can be cracked.
-- Bruce Schneier
As soon as you are using a set of rules to create your password, you're screwed.
-- @jack action
a. That pretty much mandates a pseudo-random software pw generator. No human method or algorithm can be secure enough.
i. If using a machine-generated pw, and machine entry of your pw, it might as well be the maximum length, because you will never type it in by hand. There is no advantage to shorter passwords. My password generator can produce 256-character passwords.
3. Unless you think your password might be compromised, don’t change it.
-- Bruce Schneier
a. Obvious corollary: If you do think your password may be compromised, change it immediately.
4. Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password.
-- Bruce Schneier
5. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
-- Bruce Schneier
a. Unless your handwriting skills are exceptional, writing it down means printing it. A transcription error can be almost as damaging as password theft.
i. Since transcription errors are so easy, your paper list must be tested by trying to log in using the information on the paper.
b. Don’t forget to include both the password and the account name and the site on the paper.
c. You might die. Your house can burn down. Make sure your loved ones have access to a copy of that paper list, or access to the password manager.
i. Every time you change a password, you need to regenerate the list and distribute copies to your loved ones.
ii. If you use porn or other sites that you don’t want your loved ones to know about, you need a separate security system for those.
iii. Make sure that your loved ones secure their copy of the paper.
d. I can’t trust myself to do all that stuff on paper. For me, a password manager is the only practical solution.
6. One more piece of advice: if a site offers two-factor authentication [or MFA], seriously consider using it. It’s almost certainly a security improvement.
-- Bruce Schneier
Not addressed in that list are the vulnerabilities of letting your login credentials be stored elsewhere. For example, I opt to let PF keep me logged in. I assume that means cookies, but sometimes browsers claim to store passwords.
Whew! What a headache all this stuff is. The future trend seems to be to use many-factor authentication, reducing or eliminating the need for secure passwords. I welcome that.
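Items 2 and 4 above, worked through in code as an added example (mine, not from the thread or any poster): a CSPRNG-backed generator like the one the post mentions, next to the entropy an attacker who knows your rule actually has to search. The 1e9 guesses/second rate, the 20,000-word list and the 5,000 secret-question answers are constructed figures for illustration, not numbers from the post.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: the alphabet a generator would draw from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Draw every character independently from the OS CSPRNG via secrets."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("length must be >= 1 and the alphabet needs >= 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def rule_entropy_bits(wordlist_size: int, digit_count: int, symbol_count: int) -> float:
    """Entropy of a 'dictionary word + digits + one symbol' rule.

    An attacker who knows the rule only enumerates its outputs, so the keyspace
    is the product of the choices, however long the result looks."""
    return math.log2(wordlist_size * 10 ** digit_count * symbol_count)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given offline guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e9  # constructed attacker model: 1e9 offline guesses per second
    r12 = random_entropy_bits(12, len(PRINTABLE))
    print("12-char random  :", generate_password(12), f"{r12:.1f} bits",
          f"{years_to_exhaust(r12, RATE):.1e} years")
    print("256-char random :", f"{random_entropy_bits(256, len(PRINTABLE)):.0f} bits")
    # Constructed rule: 20,000-word list + 2 digits + 1 of 32 symbols, e.g. 'summer47!'.
    rule = rule_entropy_bits(20_000, 2, 32)
    print("word+2digits+sym:", f"{rule:.1f} bits", f"{years_to_exhaust(rule, RATE):.1e} years")
    # A 'secret question' with ~5,000 plausible answers (constructed) is weaker still.
    print("secret question :", f"{random_entropy_bits(1, 5_000):.1f} bits")
```

The rule-based password and the secret question fall in the 12 to 26 bit range, which the constructed attacker exhausts in well under a second, while the 12-character random one already takes millions of years at the same rate.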