How Strong is your Password?

Discussion in 'Amateur Radio News' started by AA7BQ, Apr 22, 2023.

  1. NU4R

    NU4R XML Subscriber QRZ Page

    TWO FACTOR LOG IN! Code gets sent to my phone. If a website doesn't have 2 factor, I don't use it. End of story.
     
  2. KD2BBC

    KD2BBC QRZ Lifetime Member #587 Platinum Subscriber Life Member QRZ Page

    !lMp_2022

    this is much better

    lol

    I love my puppy 2022

    Need a password idea huh ?

    here is one

    5/9_73&Gud_Dx
     
    WQ1C likes this.
  3. K0DUC

    K0DUC Ham Member QRZ Page

    I never lock my car doors, because I live where crime is almost non-existent, and I've locked myself out of my car many times. Sometimes the security features just get in the way. Had to pay a locksmith $80 one time to get back into my car, and learned my lesson to just never lock it ever again.

    I'm starting to get the same feeling about a lot of internet accounts. I've lost access to some of my accounts, like Facebook, because of implementing better passwords and not remembering the new fancy one, and having a computer crash and not able to use it to auto log back in. I'm better off with a simple password I remember rather than a 16 character security code that I won't be able to remember when I need it.

    Keys and complex passwords have never saved me once. But they have cost me and caused many problems many times.
     
    K4KYV likes this.
  4. AA3C

    AA3C XML Subscriber QRZ Page

    Exactly!
     
  5. AA3C

    AA3C XML Subscriber QRZ Page

    Unfortunately, too many places including most banks rely on SMS for verification. For the others that I care about, and have a choice of implementation, I use a Yubikey.
     
    Last edited: Apr 24, 2023
    PY2NEA likes this.
  6. KA1BSZ

    KA1BSZ Ham Member QRZ Page

    I use the words " PLEASEHACKMEYOUF^%$#GHACKERSLETSSEEIFYOUCANHACKMEYOUF$#%^&*9DUMBF#$KS" LOL...LMAO!....Actually, I did change my password, and glad I saw this article. My new password contains 30 characters. Thank you for the information!
     
    Last edited: Apr 24, 2023
  7. AD0LR

    AD0LR Ham Member QRZ Page

    No one has mentioned the best password:

    24446666688888888

    it is pronounced: one 2, three 4, five 6, seven 8

    LOL
     
    WZ7U likes this.
  8. KU4GW/SK2023

    KU4GW/SK2023 Ham Member QRZ Page

    My phone uses RCS messaging that digitally encrypts text messages between the phone and server, unlike SMS text messaging. Wouldn't that make it more secure as far as someone being able to get my MFA codes?
     
  9. KT1F

    KT1F Ham Member QRZ Page

    That only works if the hashes are not using salt. When salt is used, users with the same passwords do not have the same hash.

    MD5 has known vulnerabilities. There are better hash functions.

    I'm not arguing against good passwords but your description is a decade or two out of date. There is no excuse for a website today to be using unsalted MD5 hashes.
     
  10. NY4NC

    NY4NC XML Subscriber QRZ Page

    I like using KeePass or specifically for Linux, KeePassXC which is the current version. Since the password database resides on my equipment and not on the web, my passwords can't be hacked by some negligent employee of a cloud based password database. https://keepass.info/
     
  11. K2CAJ

    K2CAJ XML Subscriber QRZ Page

    True, but are we guaranteed that none of today's websites are using unsalted hashes?

    All you need is one site to be misconfigured w/o salt, and a dictionary attack will reveal the passwords used for that site --- and if users there have the same password for their email, they're toast.

    In addition, even with a salt, a compromise of a password file still allows a dictionary attack customized to that site's salt. That is much faster than trying to hack an individual's password, because hashing a large dictionary will simultaneously reveal any bad passwords of any users.

    Incidentally, the vulnerabilities of MD5 are not very relevant to its use for password hashes. MD5 has weaknesses that allow the construction of strong collisions, but collisions usually matter for other applications, like generating two messages with the same signature. MD5 is nevertheless deprecated on the common-sense principle that it's at least a little broken, and there are better hashes.
     
  12. K2CAJ

    K2CAJ XML Subscriber QRZ Page

    This is incredibly good advice.

    One of the big nightmare scenarios we face with passwords is someone using the same password for email that they use on another site. The other site is insecure, an attacker can get into your Gmail ... and then find all your other accounts and reset your passwords for them, through your email. You'll get reset alerts that are sent to your email, that the attacker can delete.

    All of that can be prevented by ensuring your passwords are unique to the site, and you don't need a complex scheme to accomplish that. A simple modifier raises your security a great deal.

    Speaking of which, if you ever find that one of your accounts to anything gets hacked, even something unimportant --- if someone took over a Facebook page you haven't used in years --- it's a good idea to change your email password. Even if your email password is unique. Why? Because you never know how an attacker got your Facebook password. There's always the possibility that they really got into your email, and used that to snag your Facebook page. Because access to your email is so dangerous, it's good to update the password whenever you see any sign of being hacked elsewhere.
     
  13. KT1F

    KT1F Ham Member QRZ Page

    Yes, that's true, so definitely don't use the same password on multiple sites. A good password manager seems to be the best solution.

    Every user should have different salt. It's just a random string that can be stored in their user record. That defeats searching for matching hashes.

    True.
     
  14. K2CAJ

    K2CAJ XML Subscriber QRZ Page

    You don't even need that: just including the username in the hash with the site-wide salt+password will prevent a simple dictionary attack.

    A salt doesn't need to be complex or hard to guess (it is assumed the attacker has it), just unique, and the userID is already unique.
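As an added illustration (not code from any of the posts) of what KT1F and K2CAJ discuss above: the same three users stored under unsalted MD5, under a per-user random salt, and under K2CAJ's site-wide salt plus username, with a helper that counts how many stored hashes are shared between users and a constant-time login check. The user names, passwords and site salt are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample records (not real credentials): alice and bob share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
ITERATIONS = 100_000  # PBKDF2 work factor; raise it for a real deployment

def unsalted_md5(password: str) -> str:
    """The legacy scheme the thread warns about: equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_kdf(password: str, salt: bytes) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256, standard library), as hex."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def build_table(scheme: str, site_salt: bytes = b"") -> dict:
    """Return {username: stored record} under one of three storage schemes."""
    table = {}
    for user, pw in USERS.items():
        if scheme == "unsalted_md5":
            table[user] = {"hash": unsalted_md5(pw)}
        elif scheme == "per_user_salt":  # random salt, stored in the clear beside the hash
            salt = os.urandom(16)
            table[user] = {"salt": salt.hex(), "hash": salted_kdf(pw, salt)}
        elif scheme == "username_salt":  # site-wide salt + the already-unique username
            table[user] = {"hash": salted_kdf(pw, site_salt + user.encode())}
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return table

def duplicate_hash_count(table: dict) -> int:
    """Number of stored hash values shared by more than one user (what a leak exposes)."""
    hashes = [rec["hash"] for rec in table.values()]
    return sum(1 for h in set(hashes) if hashes.count(h) > 1)

def verify(table: dict, user: str, password: str, scheme: str, site_salt: bytes = b"") -> bool:
    """Check a login attempt against the stored record, comparing digests in constant time."""
    rec = table.get(user)
    if rec is None:
        return False
    if scheme == "unsalted_md5":
        candidate = unsalted_md5(password)
    elif scheme == "per_user_salt":
        candidate = salted_kdf(password, bytes.fromhex(rec["salt"]))
    else:
        candidate = salted_kdf(password, site_salt + user.encode())
    return hmac.compare_digest(candidate, rec["hash"])
```

Only the unsalted table lets an attacker who obtains it see that two users share a password; both salted variants give every user a distinct hash, which is what "defeats searching for matching hashes" means in practice.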
     
  15. WI9LL

    WI9LL Ham Member QRZ Page

    I had a password that was over 25 characters long with capitals, lower case, numbers, and symbols, AND had 2 factor authentication turned on. Someone still managed to get into my email account, filter out emails from Amazon, get into my Amazon account and make a large purchase while they email spam bombed me. I knew something was up with the thousands of emails I got in like 2 hours, but it took me a couple days to figure out what it was. I have checked all my machines for keyloggers but found nothing, and cannot figure out how they did my 2 factor authentication (it IS text message based). This is the only time I've ever really been taken with the exception of my WoW account being snagged back in the day by gold sellers. But I think that was just a weak password.

    Side Note: Luckily Amazon caught it as fraudulent on their end and stopped shipment. They stopped shipment but wouldn't refund. Said I had to file with my bank for them to investigate and refund it. I thought it was odd that Amazon was able to instantly flag it as fraud, and stop shipment, but refunding was out of their control. Had my bank not refunded the purchase, it's not like Amazon would have sent me whatever the package was.
     
