While browsing through my usual daily news, I found a great deal of places that captured my attention even more, in regards to security of the passwords and general security of internet accounts.

Bottom line...

How can you check?

It's usually a time consuming task, but there are some good places to check for news once you start "digging". Bellow I am sharing a good "simple" one, where you can actually download the exposed passwords files.

This is the page for the passwords: https://haveibeenpwned.com/Passwords

You can even test passwords, although I would recommend you download the files and test it locally if you know how to do it.

Public hacks compilation

They have also compiled a great history of public known hacks. And once you go through this list, you will be staggered about how easy you can get hacked! I mean, places like LinkedIn, DropBox, BitcoinTalk, among hundreds of others... It's simply overwhelming!

Everyone is eventually exposed!

Been myself trough the above list and decided to change 4 websites and avoided using 7 passwords I used before! YES Crazy! Most of the accounts are not directly exposed (meaning knowing only the password, it would not be possible to hack my account), due great practices, like 2FA or other recovery options. But nevertheless it showed me how easy anyone can be hacked and exposed. Especially if you use the same password in more than 1 place!

1 PASSWORD, ONE SITE! Otherwise its called, HACK ME!

How can you improve security?

I am not going to give the recipe OK?, but take this instead as little "guidance". And feel free to do your own judgment and research. Also, this is mostly for internet facing web-services (rules of engagement change if you use other types of accounts):

• If the password is not secure (less than 32 chars), make sure you don't have any private information available for hackers and assume the account WILL be hacked.
• If you care for the privacy of your account have at least 1 additional factor type of authentication and/or recovery method.
• Don't use recovery emails on internet! (create them with a very long password, enable 2FA and only use them to recover accounts)
• If you use email as a 2FA and the website allows you to use a different email account, USE IT!
• If you use KEYS to authenticate, make sure the place you store them, is not exposed (encrypt them and/or protect them from multiple user access).
• Use password generators (you don't want to memorize passwords) and save passwords on a password manager where YOU are the owner of the "decrypted" data.
• If you use password managers (you should, but make your own research before using one), have a VERY LONG password (minimum of 32 chars) and change it at least once every year.
• When you need to memorize passwords, a good trick is to use "Sentences" that make it easy for you to memorize it.
• Remember to backup your 2FA generation keys, just in case you loose your phone.
• Make offline backups of your password managers (at least once every year or every time you can't afford to loose something).
• Use all 4 types of chars if possible (numbers, upper case, lower case and special characters).
• Have 3-way authorization system (password+2FA+SMS) if systems allow it.
• Check your emails regularly for alerts of logins and change passwords if you got notified.
• Don't save passwords on browsers - even if they aim to be secure (one day you forget about where you are login in in with your browser, and get ALL your data exposed).
• Clear cookies AND CACHED DATA once a year (or when you feel you need to be secure).
• (ADVANCED) If you need the best possible password possible and you can control the input encoding mode, use hexadecimal encoded passwords or FULL ASCII codes as characters (this will bring the hardest bruteforce difficulty and will make dictionary attacks harder or irrelevant in some cases).

What else can you do?

Embrace the many of the features, Crypto and Blockchain technology brought to society, by using "keys" that you can't easily remember and methods/technologies that enforce several levels of "permissions" within your account (like STEEM or EOS).

Although, be mindful that using crypto is not equal to "be secured". You still need to be aware that the "keys" you are using can still be used by someone else. Therefore, its essential to adopt "less lazy" practices (like I usually call it).

And if you don't need to expose, don't! Simple fact is, that something asks for POSTING KEY on a STEEM app, and you give owner password? NO! Don't do it... use the proper key for each action you need, and the same applies for other web permitionless APIs that you can configure. If you only need read access, create one API key for that purpose, do not reuse others or one that has FULL access.

Stay safe!

Crypto as in Cryptography, is not simple. But with the introduction of Blockchain, lots changed! For good, believe me. Even if the NEWS does not look like it.