Andrei's blog

Nobody knows what a good password looks like

Many courses and information sources that are supposed to give advice to "non-techy" people miss a lot of the important detail about passwords. Many of the "solutions" for keeping online accounts safe contradict well-known psychological principles or are simply bad advice (and many of them come from sources that the general public considers credible).


The obvious problems with passwords:
  • Strong passwords are hard to remember
  • Passwords that are easy to remember are weak
  • You need to remember many passwords
  • Passwords can be stolen
The solution is to use a (good) password manager.

Supposed Solutions: (WARNING: ALL OF THESE SOLUTIONS ARE BAD)

1) Let your browser store your passwords for you: the browser stores passwords in something as good as plaintext.

If your browser says that all of your passwords are "encrypted" it actually means that the browser did encrypt the passwords, but saved the encryption key in the same file.

Your browser locks all your important passwords in the drawer, but leaves the keys on the table.

Malware won't have much trouble getting your passwords; besides, malware will more likely be aiming for your cookies (a common YouTube account hijacking method that also works on other websites, e.g. Discord account stealing).

2) Write all your passwords down on paper: your notebook might get stolen, and you will die trying to type long complex passwords.

3) Use an online password manager such as LastPass.
You can't necessarily trust tech companies to keep your passwords secure. Although something like Google's password manager might be trustworthy enough for the passwords stored with your Gmail account, any company might get hacked, and you don't really know what that company does with your passwords.

4) MFA (Multi-Factor Authentication)
Requires you to enter a code, e.g. one sent to your phone, and is a genuinely good way to keep your account safe.

This, however, might lock you out of your account if you don't have the second device, and often the second factor is on the same device you are logging in from (e.g. when logging in from a phone), which doesn't necessarily add security.

5) Using template passwords
One "influential individual" recommended a way to stay safe on the internet: use template passwords. It works like this: create and memorize one very strong password, e.g.:

^&Ircad&^1492* (your favorite symbols + "It's Raining Cats And Dogs" + the year Columbus reached America)

and then add the name of the website to the end of it:

^&Ircad&^1492*Instagram

^&Ircad&^1492*Google

^&Ircad&^1492*Reddit

In the eyes of said "influential individual", this probably fulfilled the requirement of "use long, different passwords for different websites", but anybody who sees one of these passwords in plaintext will instantly know your passwords for all your other websites. And if a website you use such a password on leaks it (or if it is run by criminals who are trying to steal your passwords), you can consider all your passwords equivalent to 123456.
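As an added example (not part of the post), here is a small audit you could run over an export of your own password vault to catch exactly the template scheme described above. It uses a constructed vault containing the post's three template passwords plus one unrelated random password; the helper names, the 8-character threshold and the "site label" rule are my own assumptions, not any password manager's built-in check.

```python
import re
from os.path import commonprefix

# Constructed vault export mirroring the post's template example; not real credentials.
VAULT = [
    ("instagram.com", "^&Ircad&^1492*Instagram"),
    ("google.com",    "^&Ircad&^1492*Google"),
    ("reddit.com",    "^&Ircad&^1492*Reddit"),
    ("bank.example",  "v9!Qz#r2Lm$8wT0e"),   # randomly generated, unrelated to the others
]


def site_label(site: str) -> str:
    """'www.instagram.com' -> 'instagram': the part a template scheme would append."""
    host = site.lower().split("/")[0]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def strip_site(site: str, password: str) -> str:
    """Remove the site's label from either end of the password, case-insensitively."""
    label = re.escape(site_label(site))
    core = re.sub(label + r"$", "", password, flags=re.IGNORECASE)
    return re.sub(r"^" + label, "", core, flags=re.IGNORECASE)


def find_template_groups(vault, min_core: int = 8, min_sites: int = 2) -> dict:
    """Map each shared core to the sites whose password is core + site name."""
    groups = {}
    for site, pw in vault:
        core = strip_site(site, pw)
        if core != pw and len(core) >= min_core:
            groups.setdefault(core, []).append(site)
    return {core: sites for core, sites in groups.items() if len(sites) >= min_sites}


def shared_prefix_pairs(vault, min_prefix: int = 8) -> list:
    """Catch templates the label rule misses: any two entries with a long common prefix."""
    hits = []
    for i in range(len(vault)):
        for j in range(i + 1, len(vault)):
            prefix = commonprefix([vault[i][1], vault[j][1]])
            if len(prefix) >= min_prefix:
                hits.append((vault[i][0], vault[j][0], prefix))
    return hits


if __name__ == "__main__":
    for core, sites in find_template_groups(VAULT).items():
        print(f"template core {core!r} shared by {', '.join(sites)}")
    for a, b, prefix in shared_prefix_pairs(VAULT):
        print(f"{a} and {b} share prefix {prefix!r}")
```

Both checks flag the three template entries and leave the random one alone; the prefix check is the cruder of the two but also catches templates that put the site name somewhere other than the end, or abbreviate it.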

6) Change your password at regular intervals
There are websites that force you to change your password. If your password was leaked, that is indeed worth doing. But if it is the "monthly password change", then the developers are a bit uneducated about design and human behavior: people are more likely to use simpler passwords if they know they will constantly have to change them. In those cases, either try not to use that service/website, or change the password to the same password if possible.

Actually Good Solutions

The universally best solution is to use an open-source password manager and let it generate random passwords for you. These have browser extensions for autofilling and support many platforms.

There are multiple. "Just use KeePass"

Other well-known ones are 1Password and Bitwarden.
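To show what "let it generate random passwords for you" actually means, here is an added example (my own code, not taken from KeePass, 1Password or Bitwarden) of a generator that draws every character from the operating system's cryptographic random source and reports how many bits of entropy the result has. The character set, the toy word list and the function names are assumptions made for this example.

```python
import math
import secrets
import string

# Character classes a generator lets you mix; example settings, not any
# particular password manager's defaults.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Tiny constructed word list standing in for a real ~7776-word diceware list.
WORDS = ["apple", "bridge", "camera", "dragon", "engine", "forest",
         "guitar", "harbor", "island", "jungle", "kettle", "lantern",
         "meadow", "needle", "orange", "pepper", "quartz", "rocket"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def has_all_classes(pw: str) -> bool:
    """True if pw contains a lowercase, an uppercase, a digit and a symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def random_password(length: int = 20, require_all_classes: bool = False) -> str:
    """Password drawn uniformly from ALPHABET using the OS CSPRNG (secrets module).

    With require_all_classes, rejection sampling keeps the result uniform over
    the passwords that satisfy the rule, at a negligible cost in entropy.
    """
    if length < 1 or (require_all_classes and length < 4):
        raise ValueError("length too short for the requested password")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or has_all_classes(pw):
            return pw


def random_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = random_password(20, require_all_classes=True)
    print(pw, f"{entropy_bits(len(ALPHABET), 20):.1f} bits")
    phrase = random_passphrase(6)
    print(phrase, f"{entropy_bits(len(WORDS), 6):.1f} bits with this toy list;",
          f"{entropy_bits(7776, 6):.1f} bits with a full diceware list")
```

The point of the entropy figure is that a 20-character password from a 90-symbol alphabet carries about 130 bits, and a six-word passphrase from a full diceware list about 77 bits, regardless of how memorable either looks; a human-chosen password built from a phrase, a date and favourite symbols has no such guarantee because the pieces are guessable.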

I should also mention stateless password managers (WARNING: they are considered bad):

LessPass and Spectre generate a password from the website name, your login name, and a master password. They have a lot of development around them, but they are considered inferior:

If the master password of a traditional password manager gets stolen, the hacker will also have to get the file where your passwords are stored, and you can quickly change the master password in your password manager, sending the hacker back to square one.

If the hacker steals the master password of a stateless password manager, then he has instant access to every password on every website, and you will have to change hundreds of passwords on hundreds of websites to stay safe.
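The difference between the two models is easiest to see in code, so here is an added example (my own, not LessPass's, Spectre's or any vault's real algorithm) that puts a simplified stateless derivation next to a simplified vault and counts how many per-site passwords change when the master password is rotated. The PBKDF2 parameters, the HMAC-counter "cipher" used for the vault (a toy stand-in for AES-GCM) and all names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!#$%&*+-=?@_")
ITERATIONS = 20_000   # kept low so the demo runs quickly; real tools use far more


# --- stateless model (LessPass/Spectre-like in spirit; a simplified stand-in) ---
def stateless_password(master: str, site: str, login: str, length: int = 16) -> str:
    """The site password is a pure function of (master, site, login); nothing is stored."""
    salt = f"{site}\x00{login}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    # Byte-to-character mapping has modulo bias; fine for illustration, not production.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


# --- vault model (KeePass/Bitwarden-like in spirit): random passwords encrypted
#     under a key derived from the master password ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy HMAC-counter keystream; real vaults use AES-GCM or ChaCha20-Poly1305."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class Vault:
    def __init__(self, master: str):
        self.salt = os.urandom(16)
        self._key = hashlib.pbkdf2_hmac("sha256", master.encode(), self.salt, ITERATIONS)
        self.entries = {}  # site -> (nonce, ciphertext)

    def add(self, site: str, password=None) -> str:
        """Store a password (generated if not given) encrypted under the vault key."""
        if password is None:
            password = "".join(secrets.choice(ALPHABET) for _ in range(20))
        data = password.encode()
        nonce = os.urandom(16)
        self.entries[site] = (nonce, _xor(data, _keystream(self._key, nonce, len(data))))
        return password

    def get(self, site: str) -> str:
        nonce, ct = self.entries[site]
        return _xor(ct, _keystream(self._key, nonce, len(ct))).decode()

    def rotate_master(self, new_master: str) -> None:
        """Re-encrypt every entry under the new master; site passwords stay as they are."""
        plaintexts = {site: self.get(site) for site in self.entries}
        self.salt = os.urandom(16)
        self._key = hashlib.pbkdf2_hmac("sha256", new_master.encode(), self.salt, ITERATIONS)
        self.entries = {}
        for site, pw in plaintexts.items():
            self.add(site, pw)


def passwords_changed_by_rotation(old_master: str, new_master: str, sites, login="alice"):
    """Per-site passwords the user must update at each website after changing the
    master password, as (stateless model, vault model)."""
    stateless = sum(stateless_password(old_master, s, login) != stateless_password(new_master, s, login)
                    for s in sites)
    vault = Vault(old_master)
    before = {s: vault.add(s) for s in sites}
    vault.rotate_master(new_master)
    changed_in_vault = sum(vault.get(s) != before[s] for s in sites)
    return stateless, changed_in_vault


if __name__ == "__main__":
    sites = ["instagram.com", "google.com", "reddit.com"]
    print(passwords_changed_by_rotation("correct horse", "battery staple", sites))  # (3, 0)
```

Rotating the master in the stateless model silently changes every derived password, so the user has to visit every website to update it; in the vault model the same rotation only re-encrypts the stored entries, which is what makes "swap the master password and send the attacker back to square one" possible. The flip side is the same: whoever knows the stateless master can recompute every site password with no file to steal, while the vault's master is useless without the vault file.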

There are also other password managers, some from well-known cyber security companies or big tech, a few of which are heavily advertised on YouTube (e.g. Dashlane), as well as password managers from VPN service providers. You should ignore those ads: most of what those VPNs advertise in terms of security either doesn't matter, doesn't actually work, is spyware, or has a free and much better alternative if you are willing to invest in it.

- Very credible cyber security expert