Computer Help and Support

The Yahoo hack years ago (which one, right?) spurred me on to use two-factor authentication (2FA) for personal accounts. Short of 2FA, your best bet is a long passphrase. The use of multiple character classes in passphrases is good but not as necessary for sufficiently long passwords ... I'm guessing somewhere over 10-12 characters long. There are web sites discussing the crossover point. The use of a unique passphrase for each online account is best. Make use of secure (https) connections where possible. Changing your passwords regularly, while annoying, does help; in the event that archived user account data is hacked or stolen, you don't want those passwords to be valid. That's another reason for unique passphrases across all your accounts.

There are things on a provider's end that we cannot control. Some have a maximum passphrase length like 8 characters, and then there's the 4-digit PIN like those used on bank ATM accounts and smartphones. That's weak regardless of mixing lower case, capitals, numbers, and punctuation. There's also the issue of how passphrases are stored. Clear text is obviously bad; hashes are appropriate. If hashes are used, then the hashing algorithm ought to be sufficiently advanced. Fortunately, many web sites deactivate your account after too many failed attempts, forcing you to reset using email and/or security questions. That's another reason to have 2FA.