FFP's Whose Employees Can See Your Passwords Master Thread.
 

I feel very uncomfortable using my regular password in FFP's whose employees can see my passwords. They usually ask for it to verify your identity. So I'm thinking of a master thread where all such FFP's can be listed.

BA
UA
SPG
HHonor
VS

Anything else?

You should generally not use the same password more than once (on accounts you really care about) - it's bad practice. I say this because - very frequently - databases are "hacked" and entire password databases stolen. In addition, to make the situation worse, sometimes these are not properly secured (or not even encrypted at all) - some are intentionally insecure. Even more frightening is the fact that such events are not always detected - and if they are they are not always reported to the public.

You are smart to be concerned about this - however I'd encourage not having a regular password for the reasons above. Having a password that is hard to crack (ie 'high-entropy') is also advisable.

How do you remember all these passwords?

Create a password-protected file, save it on a flash-drive, password protect the flash-drive. The file can contain passwords in code...let's say for BA...you can write BriAdios...naturally you know what the heck that means, but others probably won't. That's one suggestion. I guess you can do the same with a diary. :rolleyes: Or have sharp memory like me and hope you will remember them all forever :D

As long as in the end you can remember the password for the graveyard you are good to go (literally). :D

Seriously though, OP is right to use different passwords for their FF accounts and try to avoid common usernames - use FF numbers instead as they are all different.

I carry an Excel file in the encrypted memory of my BlackBerry. I use the same relatively easy password for many accounts that carry little risk if hacked into. For more important things I use more complex passwords.

Never, ever use your email password for any other purpose since it is usually a common thread to everything else. For example, if somebody hacks into a web merchant account and gets your email address, it would be very bad if that website password allowed them to log into your email account as well. Then they could do a lot of damage.

Ideally you should have a different password for every account.
Impossible to remember, of course - so now you need a password database. The danger in assembling your (different) passwords in a database is much lower than that of password re-use.

There are a number of good databases out there, from roll-you-own (Excel) to commercial and privately hosted, to web accessible. I'm a HUGE fan of LastPass ( https://lastpass.com )

The $0.00 edition is cross-platform, cross-browser, and dead simple to use. If you want access to all of your passwords on your tablet/smartphone, there's an additional one-time fee. Life got much easier for me when I started using LastPass.

I use 1password from http://www.agilebits.com/. Love it, can't imagine ever going back to not using a password manager. It lets me auto-generate secure passwords, stores the encrypted password file on dropbox so I can access it from my desktop and laptop, and has browser plugins. I just have to remember one master password.

It also lets you store identities, credit cards, and software license keys and will auto-populate the first two on web forms (though it's a bit buggy sometimes filling in the right fields).

Use coupon code ExtraSpecial for 25% off. :)

This is very important as most websites use your email to verify your identity for password resets.

My personal strategy is to have a financial password, then another password I use for other sites (non-critical), and finally my email password. It's not at all idea but it's better than using the same password for everything.

The problem with using one of the solutions like 1password is if you are using a variety of random computers (say you are travelling) or you use computers you can't install software onto. Then it just becomes a huge hassle.

1password also has a fully functional iPhone/iPad app and an Android "reader" so you can at least look at your passwords to type them into other computers. A hassle yes, but worth it for the security. Google 2-step verification (http://support.google.com/accounts/b...&answer=180744) is also a hassle, but I use that, too. :)

One other tip is to not give real answers to the "security" questions to recover your password. Your mother's maiden name or the make of your first car aren't exactly secure pieces of information. Make up random stuff, save the answers in your password manager or elsewhere, so you can look them up when needed. Again, not using the same answer for each service would be a good idea, too.

Add HHonors to the list. A rep asked for it when I called to merge accounts in January.

Thanks done, anymore?

Is it possible that they can't actually see your password, but type it in when you give it to them and it verifies it? That would make more sense to me, but who knows.

In any case, all my passwords look something like this: A3cfPk6LxafJ :)

As others have said ... 1password.

Doesn't COdbaUA technically ask for your PIN? Isn't there still a password for the website? I could be wrong.