  1. #21
    Player
    Avatre's Avatar
    Join Date
    Jul 2017
    Posts
    2,852
    Character
    Avatre Drakone
    World
    Cactuar
    Main Class
    Dancer Lv 100
    Quote Originally Posted by JackHatchet View Post
    Also, I heard that the iPhone is more secure than the Android for phone security, do you have an opinion on that? You don't have to respond to that last one if it's too hot-button. (I use an iPhone, because I heard security was great).
    I've had no issues with my Android phone regarding passwords. Though, I don't store any (it does have the ability to save your passwords for various apps so you just open it and it logs you in automatically) so I'm always typing them in myself. I've always had an Android phone (going on 11-ish years or so - basically since smartphones became more common) because I prefer the OS to the iPhone OS.
    (0)

  2. #22
    Player
    silverlunarfox's Avatar
    Join Date
    May 2015
    Location
    Shirogane
    Posts
    1,036
    Character
    Loki Lux
    World
    Lamia
    Main Class
    Gunbreaker Lv 80
    Quote Originally Posted by wizisi2k View Post
    An OTP is good to have... until the day that you have to hand in your phone at the end of its 18-month lease. Then you HAVE to deactivate all 2-factor for any and all apps that use it on your phone. Once you have a new one, you gotta reset all your 2-factors. I got this coming up in September and my options are: do what I said (deactivate Steam's 2 factor, SE's, Uplay's) and risk compromise OR pay $216 to own the phone. Security token apps are only good if you have a smartphone too or want to spend more on them every few years. While it's possible to crack my account, I have proof of ownership to get it back.
    This is the only reason I don't use Blizzard's or Square's OTP. So they get special passwords.

    And in the end even if someone junks my account, it'll just give me something to do again...
    (0)

    "Within each of us, the potential for great power waits to be released."

  3. #23
    Player
    KisaiTenshi's Avatar
    Join Date
    Sep 2013
    Location
    Gridania
    Posts
    2,775
    Character
    Kisa Kisa
    World
    Excalibur
    Main Class
    White Mage Lv 100
    Quote Originally Posted by JackHatchet View Post
    Off chance, would you have a recommendation for a good cloud password system?

    Also, I heard that the iPhone is more secure than the Android for phone security, do you have an opinion on that? You don't have to respond to that last one if it's too hot-button. (I use an iPhone, because I heard security was great).
    I wouldn't recommend anything for cloud password management. If you save any passwords, at all, don't save your bank passwords and email that you reset those with in your device.

    Apple's iCloud keychain password management works fine, as long as you're only using your iPhone/Mac to access those sites. Apple discontinued Safari for Windows, so there's no way to use it on Windows presently. I don't use any, rather I use a password mnemonic similar to the XKCD comic suggestion and pad the length.
    (0)

  4. #24
    Player

    Join Date
    Sep 2013
    Posts
    261
    The only place I ever used 2-step was for Fortnite; I kept getting emails that my account was getting blocked due to invalid password attempts, which, funnily, happened right after I logged on to Epic's website to look at the Fortnite forums.

    Outside of that, I never had any problem, because I don't go to *cough**gilbuyer*cough* websites. Not to forget, using the same ID/password on other shady websites leaves you at risk; not having malware protection or virus protection is also an issue.
    (0)

  5. #25
    Player
    Sigma-Astra's Avatar
    Join Date
    Mar 2017
    Location
    Ul'dah
    Posts
    1,085
    Character
    Soma Kagami
    World
    Sargatanas
    Main Class
    Black Mage Lv 90
    Quote Originally Posted by KisaiTenshi View Post
    Don't bother with making an overly complex password, just make something you can remember unique to this game.
    You and Mhaeric are both correct that four random words is a good strategy for a password, but it's also suggested that you should still use uppercase, lowercase, numbers, and/or symbols with the four random words.

    My fiance works in the IT field specifically, these are things that he himself suggested to me from his knowledge in the field that he's been working in for at least 10 years. I've heard horror stories of passwords he'd find for a business server that hosts all of their emails when he was called in to fix a problem with it, and their server password was "12345". I think he facepalmed so hard and immediately corrected them because that's a huge security problem for a business. xD
    (0)

  6. #26
    Player
    Tridus's Avatar
    Join Date
    Jun 2017
    Location
    The Goblet
    Posts
    1,510
    Character
    Cecelia Stormfeather
    World
    Cactuar
    Main Class
    White Mage Lv 90
    Quote Originally Posted by wizisi2k View Post
    An OTP is good to have... until the day that you have to hand in your phone at the end of its 18-month lease. Then you HAVE to deactivate all 2-factor for any and all apps that use it on your phone. Once you have a new one, you gotta reset all your 2-factors. I got this coming up in September and my options are: do what I said (deactivate Steam's 2 factor, SE's, Uplay's) and risk compromise OR pay $216 to own the phone. Security token apps are only good if you have a smartphone too or want to spend more on them every few years. While it's possible to crack my account, I have proof of ownership to get it back.
    SE gives you an emergency removal code and tells you to record it. You should do that, then you can remove the token no problem.
    (1)
    Survivor of Housing Savage 2018.
    Discord: Tridus#2642

  7. #27
    Player
    Tridus's Avatar
    Join Date
    Jun 2017
    Location
    The Goblet
    Posts
    1,510
    Character
    Cecelia Stormfeather
    World
    Cactuar
    Main Class
    White Mage Lv 90
    The biggest problem with passwords (as a professional software developer) is NOT bad passwords, although those are a problem. The biggest problem is password reuse. It doesn't matter how good your password is if you use it for both FFXIV and RandomForum.com, which got hacked last week. People use the same password for everything because humans are bad at remembering passwords and which passwords go with which sites, and that means if one site with your password on it gets hacked, ALL of your accounts are exposed.

    To that end, use a password manager. It'll create randomized passwords for every site and track them for you, so you don't have to. With every site having a unique password, a compromise on A doesn't expose you on B, C, D, E, F, and G.

    Quote Originally Posted by JackHatchet View Post
    Off chance, would you have a recommendation for a good cloud password system?
    LastPass. It'll autofill passwords, generate secure passwords, works with password or biometric security on phones (which is less secure but really, really convenient), and will sync between devices. The vault itself is AES encrypted and pretty hard to crack. You do take a risk of that happening, but that's a lesser risk IMO than the one of password reuse, which we know is a major source of account breaches today.

    If you don't like the cloud part of LastPass, KeePass is a high security option. It's also harder to use, and I don't recommend it outside of IT or other high opsec environments because if it's hard to use, home users won't use it at all. LastPass is easy, especially with fingerprint auth (which again, is less secure but can be worth the tradeoff in convenience if it means you'll actually use the tool).

    Also, I heard that the iPhone is more secure than the Android for phone security, do you have an opinion on that? You don't have to respond to that last one if it's too hot-button. (I use an iPhone, because I heard security was great).
    Technically that's somewhat true, but for this it doesn't matter. That's related to your phone being broken into by the FBI. Android phones are plenty secure for a typical user. In terms of your FFXIV account, the weak link is not the OS level security on your phone. It's password reuse, bad passwords, shared computers with malware on them, and not using two factor authentication (the one time codes). You likely don't have a need to defend against state actors or the ability to do so anyway, so just use the protections available to you. Oh, and don't use a pirate app store to download stuff onto your phone. Very hard to tell which ones are malware loaded and which ones aren't.


    Quote Originally Posted by Sigma-Astra View Post
    You and Mhaeric are both correct that four random words is a good strategy for a password, but it's also suggested that you should still use uppercase, lowercase, numbers, and/or symbols with the four random words.

    My fiance works in the IT field specifically, these are things that he himself suggested to me from his knowledge in the field that he's been working in for at least 10 years. I've heard horror stories of passwords he'd find for a business server that hosts all of their emails when he was called in to fix a problem with it, and their server password was "12345". I think he facepalmed so hard and immediately corrected them because that's a huge security problem for a business. xD
    This is true. While XKCD had a good point, the ability of modern password cracker engines to find a password that is known to be dictionary word letters only is light years ahead of where it was in the past. They can crack those passwords easily because you've massively shrunk the possible pool to test.

    They are far, far better than "12345" or "password1!". They are not as good as 8LLikQ6*$j*b, which is one that LastPass just generated for me. That's got no sane pattern to it at all that a cracker engine can use to narrow the search space.
    (2)
    Last edited by Tridus; 05-11-2018 at 08:25 AM.
    Survivor of Housing Savage 2018.
    Discord: Tridus#2642
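
The search-space comparison made in post #27, as an added example that is not part of the thread: a word-only password is scored by the cheaper of a brute-force run and a word-combination run. The word list is constructed, and the 2048-word dictionary size (11 bits per word, the figure the XKCD comic uses) is an assumption.

```python
import math
import string

# Constructed sample list; ASSUMED_DICT_SIZE models the attacker's real list
# (assumption: 2048 words, i.e. 11 bits per word as in the XKCD comic).
SAMPLE_WORDS = {"correct", "horse", "battery", "staple", "chocobo", "moogle"}
ASSUMED_DICT_SIZE = 2048

def split_into_words(password, words):
    """Fewest-word split of the password into dictionary words, or None."""
    pw = password.lower()
    best = [None] * (len(pw) + 1)  # best[i] = shortest split of pw[:i]
    best[0] = []
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if best[start] is not None and pw[start:end] in words:
                cand = best[start] + [pw[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(pw)]

def charset_size(password):
    """Size of the character pool a brute-force run would have to cover."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(p) for p in pools if any(c in p for c in password))

def brute_force_bits(password):
    """Bits of search space if every character is tried independently."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def effective_bits(password, words=SAMPLE_WORDS, dict_size=ASSUMED_DICT_SIZE):
    """Bits of search space under the cheapest applicable attack model."""
    bits = brute_force_bits(password)
    parts = split_into_words(password, words)
    if parts:  # word-only password: the pool is word combinations, not letters
        bits = min(bits, len(parts) * math.log2(dict_size))
    return bits

if __name__ == "__main__":
    for pw in ("12345", "correcthorsebatterystaple", "8LLikQ6*$j*b"):
        print(f"{pw!r}: {effective_bits(pw):.1f} bits")
```

A password that fails the word split is scored as brute force only, which overstates its strength when it is a dictionary word with a predictable decoration added.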

  8. #28
    Player
    Avatre's Avatar
    Join Date
    Jul 2017
    Posts
    2,852
    Character
    Avatre Drakone
    World
    Cactuar
    Main Class
    Dancer Lv 100
    Quote Originally Posted by Tridus View Post
    SE gives you an emergency removal code and tells you to record it. You should do that, then you can remove the token no problem.
    Or take a screenshot of it and email it to yourself/print it out to keep near your computer.
    (1)

  9. #29
    Player
    JackHatchet's Avatar
    Join Date
    Aug 2013
    Posts
    527
    Character
    Naus Prime
    World
    Mateus
    Main Class
    Bard Lv 90
    I always wondered how fun it would be for like rival companies to dick around with account info. Say for example someone registers to Warcraft with <Accountname1> and <password1>. And then the admins at Blizzard decide to try that log in on Square-Enix or other random websites just to see how many folks reuse the same password.

    -----

    Ever since I got LastPass a few years ago I've been using completely different passwords for everything. I'm utterly in love with LastPass.

    -----

    I remember registering my Blizzard authentication to one of my really old phones (I'm thinking iPhone 4?), and then trashing it and never really recovering it. But was able to reset the authenticator from the website because it was registered to my phone number and not actually my specific phone. I don't remember all the details other than it was stupidly easy to solve. And I was good to go without any issues.
    (1)

  10. #30
    Player Mhaeric's Avatar
    Join Date
    Apr 2012
    Location
    Vancouver, BC
    Posts
    2,141
    Character
    Mhaeric Llystrom
    World
    Balmung
    Main Class
    Red Mage Lv 97
    Quote Originally Posted by JackHatchet View Post
    I always wondered how fun it would be for like rival companies to dick around with account info. Say for example someone registers to Warcraft with <Accountname1> and <password1>. And then the admins at Blizzard decide to try that log in on Square-Enix or other random websites just to see how many folks reuse the same password.
    I'm pretty sure that nobody actually has the ability to see the password, even within the company providing the service. I don't even think the highest levels of tech support would have the ability to view it. They'd probably be able to view an encrypted form of it, but that alone would be useless.
    (1)
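
One common way a service keeps a password so that its database holds only a derived value, as an added example that is not part of the thread and not any named company's code: a per-account random salt plus a slow key-derivation function. The record layout, function names and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: work factor chosen for this example

def make_record(password, salt=None, iterations=ITERATIONS):
    """Return what the account database keeps: salt, work factor, derived key."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}

def verify(password, record):
    """Re-derive from the submitted password and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])

def records_match(password, iterations=ITERATIONS):
    """True if two independent registrations of one password store the same key.

    With random salts this is False, so a stored record from one service
    says nothing directly about the record another service holds.
    """
    first = make_record(password, iterations=iterations)
    second = make_record(password, iterations=iterations)
    return first["key"] == second["key"]

if __name__ == "__main__":
    record = make_record("constructed-sample-password")  # constructed input
    print("stored key:", record["key"].hex())
    print("correct password verifies:", verify("constructed-sample-password", record))
    print("wrong password verifies:", verify("12345", record))
    print("same password, same record:", records_match("constructed-sample-password"))
```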
