Fri Nov 12, 2021 12:39 pm
#1882191
avtur3 wrote: I will admit that I don't have individual passwords for every online account that I use...
You should fix this first, because it's the biggest hole in your online security by far.
Sites get hacked every so often. Lists of personally identifying information (names, emails, usernames) together with the passwords of accounts from those hacked sites get published. Then attackers try those usernames and passwords and various variations on other sites, exactly because so many people use the same passwords (or with minor variations) on multiple sites. The attackers don't target individuals specifically. They hit the lists en masse and exploit any that get in.
You can try https://haveibeenpwned.com/ to search these lists to see if your details are there. But even if they're not, they eventually will be, because major sites continue to get hacked on a regular basis.
You might think that since you only use that same password on a few "low value" sites, a hack there won't get an attacker into some "high value" site. But that's where the password reset stuff comes in. It's really hard to follow who will require what to get them to reset someone's "forgotten password". It's been demonstrated that if an attacker has access to one account, they can expand that to access to other accounts in surprising ways. For example: https://www.infosecurity-magazine.com/n ... the-world/
Because of this, it's considered much safer to use a password manager that stores all your passwords, one for each site. These can to some extent be protected by two-factor authentication. If you're really worried, buy a hardware FIDO2 USB token like a Yubikey and lock your password manager with that. But even without that, you're safer with a password manager with all your passwords "in one basket" than you are sharing passwords between sites.
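
Added example, not part of the original post: a small Python audit of a password export that flags the reuse described above, both exact reuse and minor variations of one base password. The vault entries, the `variant_key` normalization rule and the report key are constructed assumptions; the report lists site names only and never prints a password.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample export of (site, password) pairs. Not real credentials.
SAMPLE_VAULT = [
    ("forum.example", "Sunshine42"),
    ("shop.example", "Sunshine42"),
    ("bank.example", "sunshine42!"),
    ("mail.example", "Sunshine2021"),
    ("wiki.example", "k9#Vt2pLq8zR"),
]

def variant_key(password: str) -> str:
    """Hypothetical normalization: lowercase, then drop trailing digits/symbols."""
    lowered = password.lower()
    base = re.sub(r"[\d\W_]+$", "", lowered)
    # An all-digit or all-symbol password has no base word; keep it whole
    # so unrelated PIN-like passwords are not lumped together.
    return base or lowered

def fingerprint(value: str, key: bytes) -> str:
    """Keyed hash used as a grouping label, so plaintext never reaches the report."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def audit_reuse(entries, key=b"constructed-report-key"):
    """Return (exact_reuse_groups, same_base_groups) as sorted lists of site names."""
    exact = defaultdict(list)
    near = defaultdict(list)
    for site, password in entries:
        exact[fingerprint(password, key)].append(site)
        near[fingerprint(variant_key(password), key)].append(site)
    reused = sorted(sorted(sites) for sites in exact.values() if len(sites) > 1)
    same_base = sorted(sorted(sites) for sites in near.values() if len(sites) > 1)
    return reused, same_base

if __name__ == "__main__":
    reused, same_base = audit_reuse(SAMPLE_VAULT)
    for sites in reused:
        print("identical password on:", ", ".join(sites))
    for sites in same_base:
        print("same base password on:", ", ".join(sites))
```

Every site in a "same base" group should get its own randomly generated password from the password manager, since a leak of any one of them exposes the rest.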