The website https://haveibeenpwned.com lists nearly 2 billion breached accounts from 168 websites. These are breaches that have been released publicly, meaning that they're probably only a small fraction of total breached accounts in existence. In reality, breaches that have not been made known publicly, or haven't even been discovered likely comprise at least as many as are known. With this in mind, the only safe mindset to use today is to assume that your username and password have been compromised, and to implement good password hygiene to limit the damage that can be done.
A good password:
- is long
- is not shared between different services
- contains a mixture of upper and lowercase letters, numbers, and symbols
- is not a dictionary word
- has no personal meaning to the user (i.e. 'F1@c0' is a bad password, because it refers to my dog's name)
- doesn't follow a recognizable pattern (i.e. Cuenca2015 is bad, because I might try Cuenca2014 or Cuenca2016 on other sites).
Lastpass helps us accomplish the goals here. Lastpass is a program akin to saved passwords in Chrome, or the piece of paper on which you record all of your usernames and passwords. However, unlike both of those, Lastpass is more secure. Lastpass helps you generate completely random passwords for each and every site- that way, if your Paypal password is leaked, that same password won't work on your bank account. Lastpass is also more securable in that you can have it log out after a certain period of time, forcing a master password re-entry before logins are made available again.
I encourage you to look through https://lastpass.com/how-it-works/ to see how the program works. Also, they've recently made mobile use free, so I encourage you to install Lastpass on your phones as well as computers.
Once you start down this road, you'll quickly find yourself fixing 20 years of bad password policy. This process is not going to be easy. You can expect to spend a year finding old accounts and changing old passwords to be more secure. It's important though to start with the high-risk accounts- financial and email (and Facebook), so that if your Linkedin account is breached, it won't affect your bank accounts.
I expect my clients to have issues getting this started, but once you wrap your head around the way Lastpass works, I think you'll rest a little easier knowing that your accounts are safer.
If you are in need of a security refresher, feel free to contact me at firstname.lastname@example.org or message 419-210-3631 (US) or 099-033-0345 (EC, Whatsapp).