Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.
And an email alias.
I hate how many places don’t allow for + aliases. I want to know who leaked my email.
At the same time, it is trivially easy to strip a + alias, so I’d not trust it to do anything much at all.
If you use aliases for all services, it makes it slightly harder to automate trying one leaked email on another site, since the hacker needs to add the new alias on the other service.
No one is going through of all these credentials manually, so any extra obscurity can actually bring you security in a pinch. Although if you have different passwords this shouldn’t matter much…
No, you just run a simple Regex on both combolists and are done. It literally takes seconds
No + required. There are hundreds of companies offering aliases using their shared domain. You can also just generate a temporary email address if you don’t require any ongoing communication and the account is not super important.
Even if your alias is leaked they can remove the + part and it’ll lead to your original email without aliases. They probably do some data formatting on emails to no get caught so easily and obviously.
+aliases are convenience aliases only. They are often stripped from ID datasets. Better to use a real alias.I use a “password pattern”, rather than remembering all the passwords, I just remember a rule I have for how passwords are done, there are some numbers and letters that change depending on what the service is so every password is unique and I can easily remember all of them as long as I remember the rules I put in place
So when someone figures out your rule he has all the passwords
That is assuming that someone will sit there and try to decrypt password rules for that specific person. Chances of that happening are basically 0, unless they are some sort of a high interest person.
Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don’t know a single other password. Can someone correct me if I’m wrong?
You are mostly correct it is length * (possible char values).
See passphrase generator.
https://www.keepersecurity.com/features/passphrase-generator
Correct horse battery staple
And when that password manager gets cracked?
Got any examples? Because I have…some…examples of password reuse being a real-life problem.
LastPass recently, check Addie Lamarr’s channel on YouTube.
LastPass is the maximum shit. They got hacked like 3 times in a year and my company‘s password notes got leaked.
We are now with Bitwarden and this was the biggest security hardening measure we have taken.
Don’t forget unique email addresses. I’ve had two spam emails in the last 6 months, I could trace them to exactly which company I gave that email address to (one data breach, one I’m pretty sure was the company selling my data). I can block those addresses and move on with my life.
My old email address from before I started doing this still receives 10+ spam emails a day.
I’ve started using {emailaddress}+{sitename}@gmail.com i.e. myemail+xyzCompany@gmail.com
That way I can at least see who sold my info. I wish I would have started doing this long ago though. Some sites dont let you use the plus symbol even though it’s valid though
This trick is common enough and trivial to reverse engineer. I can just purge my billion-email-address hacked list of all characters between a + and an @ and have a clean list that untraceable with your system.