Site log-ins no longer used

         

engine

9:48 am on Jun 22, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



You know the kind of thing: You sign up to a new service to test it and, perhaps, to use it. If it falls out of favour, for whatever reason, or is no longer used, or unlikely to be used, or even may be used at some point in the future. Many of them I've forgotten about. Lots of them may have had relatively simple passwords, compared to today's requirements.
Over the last few weeks I've been making an effort to deal with the log-ins for these sites by ensuring it's a strong password, and a unique password.
The point of this is that if the site becomes compromised in some way or another the password and log-in credentials are not going to give the thieves a chance to use the log-in elsewhere, or even to give them a clue.

I just hadn't realised how many log-ins I'd built over the years.

JorgeV

9:53 am on Jun 22, 2020 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Hello,

Indeed. And the worst is that a lot of sites were storing passwords in plain text, and some are still doing it!

This is why, since "always", I've been creating a different email account and password for each site I was registering. This is a pain, but I was born paranoiac.

engine

10:43 am on Jun 22, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I do the same JorgeV, but for some of the older sites, I used email accounts that weren't used for anything other than research, and the passwords might have been a bit weak (not really weak [webmasterworld.com]), compared to today.

n0tSEO

11:15 am on Jun 22, 2020 (gmt 0)

10+ Year Member



I keep an ODS file with all my logins since 2015, but I haven't logged into many of those sites in years. I know some of those have been hacked over the years; I had to quickly change some a few years ago to avoid bad consequences.

I really used to sign up on any site that tickled my interest when I was younger. Now I'm waaay pickier.

lucy24

4:37 pm on Jun 22, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Years ago, someone hereabouts brilliantly suggested creating a separate email for every site that requires one. That’s easy to do if you control a domain and can make infinite numbers of emails, rather than the 5 or 8 or whatever an ordinary ISP limits you to. Then, if you start getting spam addressed to businessname@example.com, you know whose database has been sold or hacked, and can take action without affecting anything else.

engine

8:22 am on Jun 23, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I keep an ODS file with all my logins since 2015

I assume password protected. hehehe
Also, I hope you keep a backup copy offsite.

I really used to sign up on any site that tickled my interest when I was younger. Now I'm waaay pickier.

That was definitely me, too, and I'm now way more cautious.

There is a shift to phone apps, and that's something I watch very closely. Any app that asks for more than they need won't get installed. If you think about it, an app could, potentially, get access to your details, and anything on your phone if you give it all the permissions.

Years ago, someone hereabouts brilliantly suggested creating a separate email for every site that requires one.

That's what I have done for many years. It also reduces the chance of bad actors being able to do something with the re-used e-mail on other accounts.

ronin

12:48 pm on Jul 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



From 1996 to 2000, I had a password for my email, a password (briefly) for the Electronic Telegraph and a password for Midland Mainline... I'm not sure if I even had any other passwords.

Around 2001 to 2004, I found ever increasing numbers of services required passwords. I came up with a system where I used a combination of children's rhymes to ensure that I had a different email / password combination for each service (though I reused passwords often, just with different emails).

Around 2009-10 things became difficult because I'd exhausted the available combinations (half a decade before I'd have been sceptical that I'd ever need so many passwords) and started to make micro-changes to various passwords. Frustratingly, though, I often forgot which micro-changes I'd made where and this resulted in often having to reset the password, but - this is what I found infuriating - the act of resetting the password made it no easier to remember next time, because I had no chance to get into a routine of using the same password repetitively with the same site.

Cue 6 years of head-banging and frustration and constantly resetting passwords and never remembering them.

The zen moment in 2016 was realising that I didn't need to oblige myself to have one unique, unchanging password per website as I had a decade before. Not only was it perfectly acceptable to regularly forget and reset a password when I only logged into a site every six months or so... it was definitely more secure as well.

So I got into the habit of treating resetting my password as an integrated part of logging in after a six month gap... and this mental shift made things far less frustrating - it was just an extra 20 second step to follow. No more head-banging. I still had to think up unique, secure passwords each time though.

The second zen moment in 2018 was when I realised that if I was going to reset my password every time I forgot it and my browser forgot it (in-browser password storage now being standard) that I didn't even need to think up a unique, secure password. Because I didn't even need to know my own password.

Not needing to know my own password was the great revelation.

So now, whenever I'm required to add a password, I just:

1) mash the keyboard
2) turn the caps-lock on and mash the keyboard
3) mash the number-pad
4) randomly insert a few symbols

This gives me passwords of the following type:

kskjrh"glwsjfdpfoD{PORREIQODCM>Z48038284%£74372$497


which means that any service I use regularly no longer has a password similar to that of any other services I use - and certainly bears no resemblance to those from site log-ins I no longer use.

graeme_p

1:08 pm on Jul 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You can generate true random passwords. Two examples you can run from a *nix command line:

Twelve characters long and with easy to type characters on a UK keyboard:

cat /dev/urandom | tr -dc '0-9a-zA-Z\-_!"£$%^&*()+=/?<>@~#:;,.[]' | head -c 12


Three to four random words. Still a huge number of possible combinations as per XKCD: [xkcd.com...]

cat /usr/share/dict/words | grep -v "['A-Z]" | shuf -n $(shuf -i 3-4 -n 1) --random-source=/dev/random | tr -d '\n'

graeme_p

1:08 pm on Jul 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Both above are one liners, but WW wraps them
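
An added example, not part of graeme_p's posts or the thread: the two one-liners as shell functions, with an ASCII-only character set and a rough estimate of how many bits each approach gives. The function names are this example's own, the passphrase is joined with "-" rather than run together, and `shuf` is assumed to be the GNU coreutils version.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are this example's own.

# ASCII-only set: tr works on bytes, so a multi-byte character such as the
# pound sign in a UTF-8 terminal would let partial (invalid) bytes through.
# 62 alphanumerics + 26 symbols = 88 characters; "-" is last so it is literal.
PW_CHARS='0-9a-zA-Z_!"$%^&*()+=/?<>@~#:;,.[]-'

# gen_password LEN: LEN characters drawn from PW_CHARS.
# The bounded 4096-byte read (enough for a few hundred characters) lets every
# stage of the pipeline finish normally instead of being cut off by head.
gen_password() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc "$PW_CHARS" | head -c "$1"
}

# usable_words FILE: words left after the thread's filter
# (nothing containing a capital letter or an apostrophe).
usable_words() {
    LC_ALL=C grep -v "['A-Z]" "$1"
}

# gen_passphrase FILE COUNT: COUNT distinct words joined with "-".
gen_passphrase() {
    usable_words "$1" | shuf -n "$2" --random-source=/dev/urandom | paste -sd- -
}

# entropy_bits POOL COUNT: whole bits for COUNT independent picks from POOL items.
# shuf never repeats a word, so for passphrases this is a slight overestimate.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%d\n", int(k * log(n) / log(2)) }'
}

# passphrase_bits FILE COUNT: the estimate for this particular word list,
# counted after filtering, since that is the pool shuf actually draws from.
passphrase_bits() {
    entropy_bits "$(usable_words "$1" | wc -l)" "$2"
}

# Demo: only runs where the system word list exists.
if [ -r /usr/share/dict/words ]; then
    echo "password:   $(gen_password 12) (~$(entropy_bits 88 12) bits)"
    echo "passphrase: $(gen_passphrase /usr/share/dict/words 4)" \
         "(~$(passphrase_bits /usr/share/dict/words 4) bits)"
fi
```

The strength of the word-based form depends on how many words survive the filter, so the estimate is worth checking against the word list actually installed.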

lucy24

5:32 pm on Jul 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



cat /dev/urandom
This made me laugh heartily, because I was all set to observe in reply to Ronin's post that, hey, I can just let my cat make my passwords. I know he wants to.

Unfortunately some sites insist on entering the password twice, so the cat method won’t work. Fortunately not all of them are clever enough to block copy-and-paste for this step.