Just got done investigating a spambot we had earlier, and it looks like they used a lot of compromised accounts on other instances to give their post an initial upvote boost. If you don’t already, please remember to use a good strong password. Keeping your account secure helps reduce spam across the whole of lemmy, and keeps your account from getting banned for things you didn’t actually do.
I recommend Diceware! I use it in my professional capacity as an IT/Security person, and also you get to use your mathrocks!
EDIT: Oh, also, all that numbers and symbols shit is no longer considered good practice. Just make it a really long collection of random words, at least 12, ideally 16+ characters. And make sure the words are actually random; your 3 favorite sports teams isn’t good enough, which is why I recommend diceware.
Password managers are OK but I have hesitations on them personally. I’m leery of putting all my most high-value stuff in one place behind one password. What I do instead is memorize a truly unreasonable amount of passwords, though, which I recognize is not a reasonable expectation for others. For threat models in which you’re not worried about in-person attacks, it may actually be a good idea to just write your passwords down, maybe keep your password book in something with a lock on it. I’m not advocating for any particular method, just putting it out there so people can make an informed decision.
Password managers (at least the non-browser based ones) use methods provided by the OS to protect themselves from screen recording, direct memory reading and keyboard-sniffing. Most password managers can also be set up to require a keyfile and/or physical passkey to unlock their databases.
A keyfile stores data necessary for decryption separate from the password database and means someone couldn’t get into your passwords even if your database was stolen and they knew the master password (assuming you stored your keyfile separate from the database - the file and its location should be treated like a password itself). A keyfile also lets you keep your database on cloud storage while manually transferring the key to trusted devices, allowing cloud syncing of your passwords without fear of leaks - without the keyfile it’s all just random data.
A physical passkey makes it virtually impossible to breach the database unless someone steals the USB device, since it uses a challenge-response model and the data needed to spoof it should never leave the device.