The other day, I posted this on a subreddit I frequent and I thought I might as well publish it here. The context is some CRA accounts (the Canadian tax agency) being breached using password stuffing. Password reuse is a bad thing; site A gets breached and then someone has a list of our credentials that might work somewhere else. A password manager mitigates this greatly.

Without further ado, the original text, with small corrections and additions:


  1. Always use a password manager. It can be a paid one, like 1Password or LastPass, or something you keep locally, like KeepassXC, which you then sync across your devices using Dropbox, Drive or similar. I use this second option. Then create a new password for every site you register on. Use the random password generator, never type it yourself. This is one generated just now, as an example: P0QNcP~Z|iw~5Q.H/(m.

  2. Just to repeat: never reuse a password. If you use the same password on site A and site B and site A gets breached, they'll also get access to site B.

  3. Never, never, NEVER use true answers to the security questions. They're easy-ish to guess, especially for people with social media accounts. Instead, use your password manager to store the answers and treat them as a second password. They can be simpler than the main password, just in case you need to spell them out on the phone. Just hammer the keyboard. Example:

    What's the name of your first pet? aumg345890

  4. Activate 2FA when possible. Also, don't use SMS for that if given the option; it's better to use an app on the phone like Authy, or you can also use your password manager to store these codes, as most allow you to do that.

  5. Of course, if you go this way never forget the password to your password manager (edit: and make sure to make this password robust; for this you can also use sequences of words as passwords, since they're easier to remember. Example here); but it's pretty much the only password you'll have to remember. If you use KeepassXC, make sure to make an offline copy of your DBs from time to time. It's some work, yes, but it's more work to have your bank / CRA account breached.
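The three kinds of random secret the list asks for (a generated site password from item 1, a random security-question answer from item 3 that can be read out over the phone, and a word-sequence master passphrase from item 5), as an added Python example that is not from the original post. The symbol set and the tiny word list are constructed here for illustration; a real passphrase generator would use a list of several thousand words.

```python
import math
import secrets
import string

# Character pools for the two kinds of per-site secret described in the post.
# SYMBOLS is a constructed set; managers differ in which symbols they allow.
SYMBOLS = "~|.,/()[]{}!@#$%^&*-_=+"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS
PHONE_FRIENDLY = string.ascii_lowercase + string.digits  # easy to spell aloud

# Constructed mini word list (16 entries = 4 bits per word). A real
# diceware-style list has ~7776 words (~12.9 bits per word).
WORDS = ["anchor", "basil", "canyon", "delta", "ember", "falcon", "garnet",
         "harbor", "island", "juniper", "kettle", "lantern", "marble",
         "nectar", "orbit", "pebble"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` options.
    This is why a generator beats anything typed by hand: every pick is uniform."""
    return length * math.log2(pool_size)


def site_password(length: int = 20) -> str:
    """Item 1: a new random password for one site, drawn with the CSPRNG in
    `secrets` (never `random`, which is predictable)."""
    return "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))


def security_answer(length: int = 10) -> str:
    """Item 3: a random 'answer' to a security question, stored in the manager
    next to the site's password. Lowercase + digits so it can be read out
    over the phone, like the post's 'aumg345890'."""
    return "".join(secrets.choice(PHONE_FRIENDLY) for _ in range(length))


def master_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Item 5: a word-sequence master password for the manager itself.
    Words are picked independently, so entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print("site password   :", site_password(),
          f"({entropy_bits(len(FULL_ALPHABET), 20):.0f} bits)")
    print("security answer :", security_answer(),
          f"({entropy_bits(len(PHONE_FRIENDLY), 10):.0f} bits)")
    print("master passphrase:", master_passphrase(),
          f"({entropy_bits(len(WORDS), 6):.0f} bits with this toy list)")
```

With the toy word list a six-word passphrase carries only 24 bits, which is the point of the comment above it: the strength of a word passphrase comes entirely from the size of the list and the number of words, not from the words looking random.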


There is no comment system. If you want to tell me something about this article, you can do so via e-mail or Mastodon.