  1. #28
    Tridus
    The biggest problem with passwords (as a professional software developer) is NOT bad passwords, although those are a problem. The biggest problem is password reuse. It doesn't matter how good your password is if you use it for both FFXIV and RandomForum.com, which got hacked last week. People use the same password for everything because humans are bad at remembering passwords and which passwords go with which sites, and that means if one site with your password on it gets hacked, ALL of your accounts are exposed.

    To that end, use a password manager. It'll create randomized passwords for every site and track them for you, so you don't have to. With every site having a unique password, a compromise on A doesn't expose you on B, C, D, E, F, and G.

    Quote: Originally Posted by JackHatchet
    Off chance, would you have a recommendation for a good cloud password system?
    LastPass. It'll autofill passwords, generate secure passwords, works with password or biometric security on phones (which is less secure but really, really convenient), and will sync between devices. The vault itself is AES encrypted and pretty hard to crack. You do take a risk of that happening, but that's a lesser risk IMO than the one of password reuse, which we know is a major source of account breaches today.

    If you don't like the cloud part of LastPass, KeePass is a high security option. It's also harder to use, and I don't recommend it outside of IT or other high opsec environments because if it's hard to use, home users won't use it at all. LastPass is easy, especially with fingerprint auth (which again, is less secure but can be worth the tradeoff in convenience if it means you'll actually use the tool).

    Quote: Originally Posted by JackHatchet (continued)
    Also, I heard that the iPhone is more secure than the Android for phone security, do you have an opinion on that? You don't have to respond to that last one if it's too hot-button. (I use an iPhone, because I heard security was great).
    Technically that's somewhat true, but for this it doesn't matter. That's related to your phone being broken into by the FBI. Android phones are plenty secure for a typical user. In terms of your FFXIV account, the weak link is not the OS-level security on your phone. It's password reuse, bad passwords, shared computers with malware on them, and not using two-factor authentication (the one-time codes). You likely don't have a need to defend against state actors or the ability to do so anyway, so just use the protections available to you. Oh, and don't use a pirate app store to download stuff onto your phone. Very hard to tell which ones are malware-loaded and which ones aren't.


    Quote: Originally Posted by Sigma-Astra
    You and Mhaeric are both correct that four random words is a good strategy for a password, but it's also suggested that you should still use uppercase, lowercase, numbers, and/or symbols with the four random words.

    My fiancé works in the IT field specifically; these are things that he himself suggested to me from his knowledge in the field that he's been working in for at least 10 years. I've heard horror stories of passwords he'd find for a business server that hosts all of their emails when he was called in to fix a problem with it, and their server password was "12345". I think he facepalmed so hard and immediately corrected them because that's a huge security problem for a business. xD
    This is true. While XKCD had a good point, the ability of modern password cracker engines to find a password that is known to be dictionary word letters only is light years ahead of where it was in the past. They can crack those passwords easily because you've massively shrunk the possible pool to test.

    They are far, far better than "12345" or "password1!". They are not as good as 8LLikQ6*$j*b, which is one that LastPass just generated for me. That's got no sane pattern to it at all that a cracker engine can use to narrow the search space.
    Last edited by Tridus; 05-11-2018 at 08:25 AM.
    Survivor of Housing Savage 2018.
    Discord: Tridus#2642
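
Added example, not part of the original post: a Python sketch of the search-space comparison discussed above, counting the choices a generator makes when the scheme is known instead of the characters it produces. The 7776-word list size (standard Diceware), the 25-letter phrase length and the "capitalise one word, append a digit and a symbol" decoration are assumptions chosen for illustration.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation
DICEWARE_WORDS = 7776  # assumption: size of the standard Diceware list (6**5)


def generate_password(length=12):
    """Password-manager style: each character is an independent uniform pick."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bits_random(length=12, symbols=len(ALPHABET)):
    """Search space of a uniformly random password, in bits."""
    return length * math.log2(symbols)


def bits_as_letters(total_letters):
    """What a character-counting strength meter assumes for a lowercase phrase."""
    return total_letters * math.log2(26)


def bits_passphrase(words=4, wordlist=DICEWARE_WORDS):
    """Scheme and word list known: only the word picks are secret."""
    return words * math.log2(wordlist)


def bits_decorated(words=4, wordlist=DICEWARE_WORDS):
    """Assumed decoration: capitalise one word, append one digit and one symbol."""
    extra = math.log2(words) + math.log2(10) + math.log2(len(string.punctuation))
    return bits_passphrase(words, wordlist) + extra


def compare():
    """Bits of search space for each scheme, rounded to one decimal place."""
    return {
        "4 words counted as 25 random letters": round(bits_as_letters(25), 1),
        "4 words, scheme known": round(bits_passphrase(), 1),
        "4 words + case/digit/symbol": round(bits_decorated(), 1),
        "12 random characters": round(bits_random(), 1),
    }


if __name__ == "__main__":
    print(generate_password())
    for label, bits in compare().items():
        print(f"{bits:6.1f} bits  {label}")
```

Each extra bit doubles the number of guesses needed, so the gap between the known-scheme passphrase and the 12 random characters is a factor of roughly 2^27.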