Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.

  • blazeknave@lemmy.world
    14 hours ago

    Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don’t know a single other password. Can someone correct me if I’m wrong?

    • slumberlust@lemmy.world
      5 hours ago

      As always, the most secure password is the least convenient and accessible. It’s a trade off, but you want fewer dictionary words and patterns overall. Preferably with a physical component for the master password.

      Longer is better…giggitty.

    • Vigge93@lemmy.world
      13 hours ago

      I’ve found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).

      You are also correct that length is mostly what matters, but also throwing in a random capitalization, a number or two, and some special character will greatly increase the required search space. Also using uncommon words, or words in other languages than English can also greatly increase the resistance to dictionary attacks.

      • sugar_in_your_tea@sh.itjust.works
        6 hours ago

        > your email (to be able to recover your password for the password manager)

        If your password manager has a password recovery mechanism, that means your key is stored on the server and would be compromised in a breach. If that’s the case, I highly recommend changing password managers.

        The ideal way a password manager works is by having all encryption done client-side and never sending the password to the server. If the server cannot decrypt your password data, neither can an attacker. That’s how my password manager works (Bitwarden), and I highly recommend restricting your options only to password managers with that property.

        If you need a backup, write it in a notebook and keep it in a safe. If your house gets broken into, change your password immediately before the thief has a chance to rifle through the stuff they stole. My SO and I have shared passwords to all important credentials, so that’s our backup mechanism.

      • Jakule17@lemmy.world
        6 hours ago

        > throwing in a special character

        Okay, but hackers don’t have to know whether I used special character or just lowercase? Or am I stoopid?
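
The search-space and dictionary-attack points raised in this thread can be put into numbers. The following is an added example, not code from any commenter: a simplified model in which the attacker tries small alphabets before large ones, so only the character classes a password actually uses set the brute-force cost. The sample passwords, the 10,000-word list size and the guess rate are constructed assumptions.

```python
import math
import string

# Character classes of the model; space is counted with the symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def alphabet_size(password):
    """Size of the smallest class-based alphabet that contains the password."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if size == 0 or any(all(ch not in c for c in CLASSES) for ch in password):
        raise ValueError("model covers printable ASCII only")
    return size

def brute_force_bits(password):
    """Character-by-character search. The attacker does not know the classes
    in advance but runs the cheap alphabets first, so a lowercase-only
    password falls in the lowercase-only pass."""
    return len(password) * math.log2(alphabet_size(password))

def wordlist_bits(n_words, wordlist_size):
    """Dictionary attack on a passphrase of words drawn at random from a list."""
    return n_words * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def report(rate=1e10):  # assumed offline guess rate, not a measured figure
    sentence = "the quick brown fox jumps over"  # constructed sample, 30 chars
    rows = {
        "8 lowercase": brute_force_bits("qwhzmpxa"),
        "8 with one symbol": brute_force_bits("qwhz!pxa"),
        "sentence, brute force": brute_force_bits(sentence),
        "sentence, 6 words from 10k list": wordlist_bits(6, 10_000),
    }
    return {k: (round(b, 1), years_to_exhaust(b, rate)) for k, b in rows.items()}

if __name__ == "__main__":
    for name, (bits, years) in report().items():
        print(f"{name:34s} {bits:6.1f} bits  {years:.3g} years")
```

The last two rows describe the same sentence under two attack models: its strength against a word-based attack depends on the number of words and the size of the list they were drawn from, not on the character count.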