Pick a good password, then never change it

Um no. Sure, when plaintext passwords get leaked, that’s bad enough. Personally, I think storing plaintext passwords without informing the user that they’re stored unencrypted should be made illegal.

Generally it’s bad passwords that get brute-forced easily.

1 Like

Also: Whenever you QUIT a site: Before you delete your account, change your password to an insanely long mess of digits and numbers. You don’t need to ever remember it, and they probably won’t really delete your account info. When that site gets hacked and your password revealed, it can’t match any other site’s credentials.

12 Likes

I know you’re mucking about, but a diceware password is still good advice; it just has to be more than four words and be randomly chosen using a… dice! Having one for your password manager is ideal.

I’ve been telling people about diceware passwords for years, so it was satisfying to see ProtonMail have rolled them out for their recovery phrases. I just wish they let you choose your own.

5 Likes
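The diceware reply above (and the later remark about “millions of years” being coloured yellow) both come down to one calculation: the word list is indexed by dice rolls so every word is equally likely, and the passphrase strength is simply words × log2(list size). The following is an added example, not code from any poster or from ProtonMail; the 36-word list is constructed for the demo (a real diceware list has 7776 words for five dice), and the 10^12 guesses/second attacker is an assumed offline cracking rate, not a figure from the thread.

```python
import math
import secrets

# Constructed demo word list: 36 entries indexed by two dice (11..66).
# A real diceware list (the EFF large list, for instance) has 7776 words
# indexed by five dice; the code below handles any 6**k-sized list.
DEMO_WORDS = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "gavel", "habit", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "oasis", "panda", "quilt", "radar",
    "salsa", "tiger", "ultra", "vivid", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "delta",
    "ember", "fjord", "gecko", "hazel", "iris", "jumbo",
]


def roll_dice(n):
    """n physical-dice rolls, simulated with the OS CSPRNG (never `random`)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def dice_to_index(rolls):
    """Map rolls such as (6, 6, 6, 6, 6) to a 0-based list index (7775).

    Each roll is one base-6 digit, so every index in a 6**k list is
    equally likely and no word is skipped or favoured.
    """
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"not a die face: {r}")
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(wordlist, n_words, dice=roll_dice):
    """Choose n_words words by dice alone; the human picks nothing."""
    dice_per_word = round(math.log(len(wordlist), 6))
    if 6 ** dice_per_word != len(wordlist):
        raise ValueError("word list size must be a power of 6 for unbiased indexing")
    return " ".join(
        wordlist[dice_to_index(dice(dice_per_word))] for _ in range(n_words)
    )


def entropy_bits(list_size, n_words):
    """log2 of the number of equally likely passphrases."""
    return n_words * math.log2(list_size)


def average_years_to_crack(bits, guesses_per_second):
    """Expected time for an attacker who knows the list and the word count.

    On average half the keyspace is searched before the hit.
    """
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 86400)


if __name__ == "__main__":
    print(diceware_passphrase(DEMO_WORDS, 4))
    for words in (4, 6, 7):
        bits = entropy_bits(7776, words)
        print(f"{words} words from 7776: {bits:.1f} bits, "
              f"~{average_years_to_crack(bits, 1e12):,.0f} years at 10^12 guesses/s")
```

Four words from a 7776-word list give about 51.7 bits, which the assumed attacker exhausts in under an hour; six words give about 77.5 bits and thousands of years, seven words tens of millions. That is why the poster's "more than four words" matters, and why the passphrase protecting a password manager, which is the one an attacker can grind on offline, should be at the top of that range.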

If you are able to install and set up Syncthing, you can use your own devices instead of a cloud service.

You can of course use a NAS. My router, e.g., has built-in storage which can act as a NAS. The amount of data needed to keep a PW database in sync is really not that large, so even the built-in flash memory is enough. Also, it has a built-in VPN I can use to remotely connect to my home network. Not that I have set this up; I usually have no need for that since I return home on a regular basis, so I sync locally when on the same specified WiFi…

2 Likes

My biggest headache with the “previous passwords” one is when I try the password I think it is, get denied, reset, attempt to set it to the password I wanted… and get told it’s a previous password.

Now, I am glad to say my current password method seems to be effective enough to keep out whoever keeps trying to access my (largely dormant) Microsoft account (they actually have a log of failed login attempts).

6 Likes

Password fatigue is real. I dread it when my network prompts for a password 12 hrs before my IT dept does, and I have 2 passwords to change IMMEDIATELY, but for some reason one password is accepted, the other network doesn’t like the same rules, and then it all goes out of sync. I’ve only had to reset passwords three times recently…

I use a manager, AND subscribe to https://haveibeenpwned.com/

I’ve reset most recycled passwords, and choose random characters 12-20 characters long, if possible. So far I have mostly remained safe…but who knows how close things have come…

3 Likes

If only I could share this with all the institutions that won’t allow symbols in passwords…


5 Likes

I never trust an institution that doesn’t allow symbols. It just means that their programmers don’t know how to sanitize strings, which should be basic knowledge.

8 Likes

Gotta say I’d go with a different color coding; millions of years doesn’t seem like “yellow-caution” to me unless they’re assuming some kind of quantum computing advance where that will become days in the near future. Setec astronomy.

1 Like

I have a base password that is a long, random word plus a series of numbers (and no, it is not 13927 from my handle) and then I use a prefix that is specific to the site or service that the password is tied to (but is not simply the name of the site or service). I hate services and sites that make me change my password periodically because it screws with my system.

5 Likes

At the risk of starting Brand Wars: I’ve used this one for years. It can run as a stand-alone app on a USB stick, which is nice for people who don’t trust a cloud-based service or want to pay subscription fees.

9 Likes

And use two factor authentication anywhere it’s available so even if your password gets hacked you still have a good safety buffer.

5 Likes
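The reply above recommends two-factor authentication wherever it is offered. The most common form is the six-digit code from an authenticator app, which is TOTP (RFC 6238) layered on HOTP (RFC 4226): an HMAC over a counter derived from the clock, truncated to a few digits. The following is an added example, not code from the poster or from any authenticator product; the verifier's ±1 interval window is this example's choice for tolerating clock drift, and the 20-byte secret is the RFC 4226/6238 test-vector secret, not anything from the thread.

```python
import base64
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 one-time password for a single 64-bit counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algorithm)


def verify_totp(secret, code, at=None, step=30, digits=6, algorithm="sha1", window=1):
    """Accept a code for the current interval or `window` intervals either side.

    Every candidate is checked (no early exit) with a constant-time comparison,
    so timing does not reveal which interval, if any, matched.
    """
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    at = time.time() if at is None else at
    counter = int(at // step)
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            matched = True
    return matched


def secret_from_base32(text):
    """Decode the base32 secret carried in an otpauth:// URI or QR code.

    Apps show it in lowercase groups with spaces and without '=' padding.
    """
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    print("now:", totp(secret))
    print("RFC vector T=59, 8 digits:", totp(secret, at=59, digits=8))
```

A site that implements this only needs to store the shared secret per user (encrypted at rest) and remember the last counter it accepted, so a code that was just used cannot be replayed inside the window. The secret never leaves the server and the phone, which is what makes a leaked password alone insufficient.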

CarlosDanger69-.-4Ever!!!

I use this and will admit I always read the name as keep (my) ass out of trouble.

7 Likes

I’ve heard that “security is hard.” Sure, open source password managers might be more secure than some for-profit password manager sites that wrap their own encryption and also count on security through obscurity, but I wouldn’t be surprised if organizations have any number of zero-day exploits for both free and for-profit services.

So I’m probably doing it wrong, counting on a long random password for an open source password manager, but leaving that database on a cloud service with a low-security, easy-to-remember password, just in case I lose all my electronics that have a copy.

If that password manager database’s security is cracked, the actors who did it would have years of passwords and random security question answers. Arguably, this is where changing all the passwords makes sense for the truly paranoid: change the password manager’s password whenever there is an update, and change the passwords and security Q answers. That way, if the bad actors had your database before the zero-day possibly got fixed, then they’d just have outdated info.

But no, I’m not that paranoid. I’m just aware that’s a risk of any electronic password manager.

1 Like

Or this

– Choose a password!
– “Paßwort”
– Only letters and numbers are allowed!

4 Likes
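The two posts above (no symbols allowed, and “Paßwort” rejected for not being letters and numbers) are the visible symptom of a server that treats the password as text it has to handle rather than as bytes it only ever feeds to a key derivation function. A password that is salted, hashed with a slow KDF and compared in constant time is never interpolated into SQL, HTML or a shell, so no character needs to be forbidden. The following is an added example, not code from any poster or from any site mentioned; the `pbkdf2-sha256$iterations$salt$hash` record format, the NFKC normalization step and the 600,000-iteration default are this example's choices (the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256).

```python
import base64
import hashlib
import hmac
import secrets
import unicodedata

# Record label and default work factor are this example's choices.
SCHEME = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000


def password_bytes(password):
    """Turn any string, symbols and all, into the bytes that get hashed.

    NFKC normalization makes "café" hash the same whether the é arrived as a
    single code point or as e + combining accent. Nothing is escaped, stripped
    or rejected: these bytes never reach SQL, HTML or a shell.
    """
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: scheme, work factor, random salt, digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password_bytes(password), salt, iterations)
    # base64's alphabet (A-Z a-z 0-9 + / =) never contains '$', so it is a safe separator
    return "$".join((
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ))


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password_bytes(password), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample passwords: a German word, a diceware phrase, an SQL
    # injection payload, an HTML payload and two emoji. All are just bytes here.
    for pw in ("Paßwort", "correct horse battery staple",
               "'; DROP TABLE users; --", "<script>alert(1)</script>", "🔑🔒"):
        record = hash_password(pw)
        print(verify_password(pw, record), record[:40] + "...")
```

Storing the iteration count in the record is what lets a site raise the work factor later: new logins get rehashed with the higher count, old records still verify until they are migrated.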

Well, a lot of those institutions are in the financial sector, so lack of trust is a given. Folks would like to believe those with deep pockets put more money into security, but nope. 🤔 Maybe they expect insurance to bail them out when bad things happen…or they got sidetracked dealing with ransomware issues. 🤷🏽

2 Likes

My password is a single word followed by an identifying few letters followed by a single number that have to do with the website or institution I’m logging onto. The base word never changes.

I started using a standard method after my way too close call with death. I needed my wife and daughter to be able to access stuff should something happen.

They both have access to my email and phone, so worst case they reset the passwords they may need.

I used to maintain a physical old fashioned typed up piece of paper but with websites forcing password changes so often I went with a system they should be able to figure out.

Recently I’ve had to clear out some passwords for people on their Windows 10 computers. Microsoft makes you believe you need a Microsoft account to set up the computer, and if you forget the password there is no easy way for the average user to solve the problem.

For the average computer person it’s a piece of cake. People get a false sense of security so easily. And why do people put a password on a computer in their home that no one else has access to?

  • Children.
  • Nosy friends.
  • Nosy relatives.
  • Because their work makes them adhere to a careful security protocol at all times.
  • Or, as in my case: all of the above.
6 Likes