Note, change your password if you haven’t after the breach, and if you re-use the same password at multiple sites.
Use a password manager.
On all your devices.
BitWarden, Lastpass, 1password, Dashlane, etc.
Use a different random long password on every site! That is why you need a password manager. Plus, they’re good at generating them too.
That way if the website/company gets hacked, you limit your risk to just that one company/website.
Turn on 2-factor authentication (e.g. an SMS 1-time code) for your email account. Have a backup email account for recovery/security notices. If the bad guys take over your email, they use it to approve password resets to take over your other accounts - like your bank accounts.
@mike808 Thanks for the information about ways to protect yourself. I’d worry though that if the password management company gets hacked then you’d perhaps have problems too. I have a spreadsheet with all my passwords on it. Setting it up was a pain (was shocked to see just how many accounts I have) but that is easy to maintain.
@Kidsandliz Bitwarden and Lastpass both never have a copy of your password, only your encrypted database. The passwords are decrypted in the browser by the browser extension.
I’m pretty sure Dashlane and 1Password do the same thing.
That’s why they will be very clear about if you forget your master password, they cannot help you because they don’t know what it is. How they all work is that your password gets mathematically mangled (called a one-way function) into the encryption key that encrypts your password database. So the only way to end up with your encryption key is to start with your master password. And all of that happens inside your browser - it is never sent to the company.
What happens when you “log in” is that the latest copy of your encrypted password database gets downloaded to your browser and then your browser decrypts the entry you are using with the key that only it has.
Other password managers like KeePass have no ability to run in a browser, and they have no online/shared access. You have to run them as a separate program and you store your password database yourself (encrypted with a password like the others, just not in the browser). Or even on a separate computer that cannot be connected to the internet and is just for that purpose - like a RasPi or an offline Linux host.
Backing up your password database is an entirely separate thing, and more work and careful planning is needed for your situation (everyone is different).
@Kidsandliz There is a rabbit hole of hypothetical things to worry about. There is no one-size fits all all-in-one answer to the exact things you are worried about, or tailored to the work you are willing to do to protect the things that are important to you from the risks you think you have.
My point is everyone’s level of preparation for disaster and recovery is different based on their level of risk they’re willing to accept or deal with. Backup/recovery (such as if you die unexpectedly) is essentially self-made DIY insurance. It is as good as you are willing and able to make it.
Just like having unlimited clean drinking water isn’t a problem in most places, but is if you live in the desert (or parts of California). The solutions there are inappropriate where potable water is abundant. Just like hurricane protection is not needed where there are tornado risks.
Or electricity that is just always there to use, except if you live in Puerto Rico. Which still doesn’t have its power grid fully restored! Their “insurance” - being a part of the U.S. - turns out to have been a rip-off by their fellow Americans - all of us.
@Kidsandliz @mike808 what about the iCloud Keychain? It keeps all my passwords across all my devices. Is it safe or should I get a different password manager? If I do that, I’d have to change everything since Keychain makes complicated passwords for me that I don’t have to remember.
@Gypsigirl213 @Kidsandliz If Apple keychain works for you, then fine. The important thing is that you’re using a password manager and that you’re using it to create passwords so that you don’t re-use passwords for more than one site.
I’m more confident in Apple getting security right than even LastPass. But for folks that don’t live in an exclusively Apple world (like families that have Windows PCs and Chromebooks and Android phones), Keychain isn’t an option.
I don’t have or use any Apple walled garden devices so I don’t have any experience with Keychain.
@Kidsandliz @mike808 Cool, thanks. Wasn’t sure if keychain was safe since it wasn’t mentioned, but now I know why. Also, I’m relieved that I’ve been accidentally doing the right thing to protect myself re passwords. I’ve only been doing the generated passwords because Apple has made it so easy and intuitive.