(last updated May 2024)
The short version:
- Use a password manager, either built-in, or a separate app.
- Use a different, randomly generated password for each site/app, stored in your password manager: at least 12 random letters & digits.
- For finance, email, & social, set up "two-factor" authentication.
- Pay attention when entering your password — don't get tricked.
- If you're especially notable (politician, corp executive, celebrity) ignore this advice and get professional help.
The longer version
The good news is that unless you're especially notable (politician, corp executive, celebrity) it's unlikely that attackers will target you specifically.
What you do need to be concerned about is:
- Attackers trying to trick lots of people (including you) into typing their password somewhere the attacker can capture it.
- Attackers trying to bulk-crack lots of accounts on some site, where you just happen to have an account.
Pay attention, to avoid getting tricked
If you are tricked into giving your password to an attacker, it doesn't matter how strong your password is.
Every time you're about to enter a password (using your password manager, see later) pause for half a second to consider how likely it is that you are about to be tricked. Attackers set up "fake sites" that look like the real one and then try to trick lots of users, including you, into typing their password on the "fake site".
Be especially cautious with email/text/chat messages that link to a page or screen asking for your password. When in doubt, close it, then "manually" go to the site/app (type the address or open the app yourself) before entering your password. A password manager helps here too: it will only offer to fill a password on the site it was saved for, so if it stays silent on a page that looks familiar, that is a warning sign.
Use a strong password
In addition to trying to trick people, attackers sometimes get hold of a copy of a site's user database (usernames and hashed passwords), which might include yours. They try common passwords first, and then a "brute force" approach, trying every combination. As of 2022, an attacker with a good GPU setup can try every combination of 8 lowercase letters against such a leaked hash in only a few seconds, and adding uppercase & digits only pushes that to several minutes. In practice an attacker working through hundreds of thousands or millions of accounts won't spend several minutes per account, so short and common passwords fall first.
With a password manager it's easy to use a randomly generated combination of 12 letters & digits. Even an attacker targeting you personally, at those speeds, would take 20+ years to try every combination.
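To see where those numbers come from, here is the arithmetic behind the paragraph above as an added worked example (not code from the original page). The keyspace is alphabet size to the power of the length; the guess rates are assumptions for illustration: one trillion guesses per second for offline cracking of a leaked fast hash on a GPU rig, and ten per second for guessing against a live login page that rate-limits. The three cases are the page's own: 8 lowercase letters, 8 letters & digits, 12 letters & digits.

```python
import math

# Character sets the page discusses.
LOWER = "abcdefghijklmnopqrstuvwxyz"
ALNUM = LOWER + LOWER.upper() + "0123456789"   # 62 characters

# Assumed guess rates, not figures from the page. Offline: the attacker has a
# copy of the site's fast, unsalted hashes and a multi-GPU rig. Online: guessing
# against the live login page, which rate-limits attempts.
OFFLINE_GUESSES_PER_SEC = 1_000_000_000_000   # assumed: 1 trillion/s
ONLINE_GUESSES_PER_SEC = 10                   # assumed


def keyspace(alphabet, length):
    """Number of distinct passwords of exactly this length over the alphabet."""
    return len(alphabet) ** length


def entropy_bits(alphabet, length):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(len(alphabet))


def seconds_to_exhaust(alphabet, length, guesses_per_sec):
    """Time to try every candidate. On average the attacker finds the
    password after about half of this."""
    return keyspace(alphabet, length) / guesses_per_sec


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


def report(guesses_per_sec=OFFLINE_GUESSES_PER_SEC):
    """The page's three cases at the given guess rate:
    (name, bits of entropy, time to try every combination)."""
    cases = [("8 lowercase letters", LOWER, 8),
             ("8 letters & digits", ALNUM, 8),
             ("12 letters & digits", ALNUM, 12)]
    return [(name, round(entropy_bits(alpha, n), 1),
             human(seconds_to_exhaust(alpha, n, guesses_per_sec)))
            for name, alpha, n in cases]


if __name__ == "__main__":
    for rate in (OFFLINE_GUESSES_PER_SEC, ONLINE_GUESSES_PER_SEC):
        print(f"at {rate:,} guesses/s:")
        for name, bits, t in report(rate):
            print(f"  {name:20} {bits:5.1f} bits  {t}")
```

At the assumed offline rate this gives about 0.2 seconds, 3.6 minutes and 102 years for the three cases, which is the page's "a few seconds", "several minutes" and "20+ years". The online rate makes even 8 lowercase letters take centuries, which is why bulk attacks are run against leaked hashes, not the login page.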
Use a different password on every site/app
Once an attacker has your password for one site, they will try the same username+password combination on other sites (this is called "credential stuffing"). So you should always have different passwords on every site. Never use the same password on different sites/apps.
Use a password manager (your memory is not good enough)
There's no way you can remember a different random 12 char password on every site. The solution is to use a password manager.
Browsers now offer to generate and save passwords, which is an easy option. But that doesn't help with apps that also need passwords. Phones can now offer to save passwords, but what if you also use a computer or laptop?
A separate password manager app gives you maximum flexibility, but is not quite as seamless.
So what password should you use to unlock your password manager? You could follow my 12 char advice above, but that can be hard to remember. Instead, consider using a "passphrase" that consists of a few random words to unlock your password manager. To be sure the words are random, consider something like useapassphrase.com
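The two kinds of secret this page recommends, a random 12-character password for each site and a random-word passphrase for the password manager itself, both come down to picking uniformly at random from a set, and their strength is the size of that set raised to the number of picks. Here is an added example (not code from the original page or from any password manager) that generates both with Python's `secrets` module, which is the cryptographically secure source; the `random` module is seeded from the clock and must not be used for this. The wordlist is a constructed 32-word list for illustration only, which is deliberately far too small: each word from it adds just 5 bits, whereas a real tool such as useapassphrase.com draws from thousands of words.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 characters

# Constructed wordlist for illustration only (32 words = 5 bits per word).
# Real passphrase tools use lists of thousands of words; the strength
# estimate from strength_bits() depends on that list size, not word length.
WORDLIST = [
    "apple", "bridge", "candle", "desert", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pencil",
    "quartz", "ribbon", "saddle", "tunnel", "umbrella", "violin", "walnut", "xenon",
    "yogurt", "zipper", "anchor", "basket", "cactus", "dolphin", "engine", "falcon",
]


def random_password(length=12, alphabet=ALNUM):
    """Uniformly random password over `alphabet`, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """Uniformly random words joined by `sep`; suitable as a master password
    because it is far easier to type and remember than random characters."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def strength_bits(choices_per_pick, picks):
    """Entropy of `picks` independent uniform choices among `choices_per_pick`.
    A 12-char alphanumeric password is ~71 bits; 5 words from a 7776-word
    list is ~65 bits; 5 words from this 32-word toy list is only 25 bits."""
    return picks * math.log2(choices_per_pick)


if __name__ == "__main__":
    print("site password :", random_password(),
          f"({strength_bits(len(ALNUM), 12):.1f} bits)")
    print("master phrase :", random_passphrase(),
          f"({strength_bits(len(WORDLIST), 5):.1f} bits with this toy list)")
```

Note that the passphrase's strength comes only from the number of words and the size of the list they were drawn from; picking words yourself, or choosing "memorable" ones from the output, throws that away.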
For my own password manager, I've been using Password Safe for over 20 years. There's a version for Windows, Android, & iPhone. It simply saves to a single file. I save this file using Google Drive, so I can access across multiple devices. You can also save via DropBox, iCloud, OneDrive, or any file sharing service.
There are other password managers out there, and any of them are better than not having one. If you don't have a password manager, your passwords will not be random, because you can't remember all those random passwords.
"Two factor" authentication
For especially critical sites like finance/banking, email, and your main social media, using "two factor" authentication is strongly recommended. This makes it even harder for an attacker to trick you (but not impossible).
The most common "two factor" is that after entering your password, the site sends a one-time 6-digit code to your phone by text message. Or the site might send an email.
A little more complicated, but more secure than text & email, is to have an "authenticator" app on your phone. You do a one-time registration (usually scanning a QR code), and then you use the code shown in the authenticator app, rather than receiving a text or email with the code. Sometimes the app will show a popup asking you to approve the login instead. Note that a code from any of these methods can still be typed into a "fake site" by a tricked user, which is why the "pay attention" advice above still applies even with two-factor turned on.
If using an authenticator app sounds too complicated, use the text or email option. For finance, email, or social media, any two-factor is better than none.
Advanced tips
If you're more paranoid, here are some advanced tips:
For password reset questions, use random answers, stored in your password manager.
When using two-factor, prefer an authenticator app, rather than two-factor based on text or email.
Worried about "quantum computers" that might make cracking passwords a lot easier? In theory a large quantum computer could search a password space with roughly the square root of the classical effort (Grover's algorithm), but no such machine exists today, each quantum step is far slower than a classical guess, and the fix if it ever mattered would simply be a longer random password. Consensus is that this is not something an ordinary user needs to plan for.