View Full Version : Huge data breach release


CoachKandSportsguy
07-05-2024, 05:02 PM
🚨 PSA: An enormous password leak of about 9.9 billion passwords was just posted on hacker forums. This could give the bad guys a massive advantage. 🚨

What to do:

1) Change your passwords

2) Use unique passwords across each account

3) Set up app-driven 2FA wherever possible

Altavia
07-05-2024, 09:54 PM
Password Managers are your friend.

Security through obscurity?

"I know this might sound funny, but what's an extra 1.5 billion passwords?” Daniel Card, a self-proclaimed Cyber Ninja Warrior and founder of the PwnDefend security consultancy, said.

He has a point: once such databases reach a tipping point regarding unique password size, it makes precious little difference how many new ones get added.

“When we look at how people create passwords,” Card said, “is that going to change the world? Probably not.

I don't think this changes the threat actors’ capability in any meaningful way.”


New Security Alert: Hacker Uploads 10 Billion Passwords To Crime Forum—Report (https://www.forbes.com/sites/daveywinder/2024/07/05/new-security-alert-hacker-uploads-10-billion-stolen-passwords-to-crime-forum/)

OrangeBlossomBaby
07-05-2024, 10:32 PM
Looks like I'll have to come up with a new system of password creation. Every 3 months, a dozen accounts demand that I change the password. I can't remember that many changes. So I have to enter them into a database that I created. The database is also "locked" with a password, and not loaded into the cloud or available on the internet at all. It's on a microchip and a thumb drive. But it stores around 120 accounts for stores, credit card info, library card, driver's license number, medical insurance group number, etc. And those rewards programs that give you discounts if you enter your phone number and password when you buy something at a store.

I'll look tomorrow and spend a couple of hours re-creating my system. It's easy enough for me to remember them all as long as I stick with my system.

Maker
07-06-2024, 07:49 AM
One of the best password managers is KeePass. Perhaps it is the best out there.
Free. Donate if you want (I did).
Can generate passwords of any length, character types, or complexity.
Filters to configure passwords to not use certain characters like 1 l L i I 0 o O
Use different ID and password for every site. Whatever you want.
Community reviewed and no security flaws.
One master password encrypts the entire database. Pick a long passphrase and it is not crackable (even by the NSA) if stolen.
You have exclusive control over your database. Safe to store on your cloud for multiple devices to access.
No single place for hackers to extract private information.
Able to store and URLs. Never click a link sent to your email, always go to the known trusted site.
Integrates into browsers to launch a URL, then send credentials, without wasting time with copy\paste. Uses an encrypted process to be safe from key loggers.
Hundreds of add-ins to make things work in custom ways.
Notes area to store account info or other important info.
Fields can be used for any text\numbers you want.
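An added illustration of the generator settings described in the post above (random passwords of any length, with look-alike characters filtered out). This is not KeePass code and not part of the original post; the symbol set and function names are assumptions made for the example.

```python
import math
import secrets
import string

# Look-alike characters listed in the post above.
AMBIGUOUS = set("1lLiI0oO")
# Constructed symbol set for this example (an assumption, not a KeePass default).
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def build_alphabet(upper=True, lower=True, digits=True, symbols=True,
                   exclude=AMBIGUOUS):
    """Return one character pool per selected class, minus excluded characters."""
    classes = []
    if upper:
        classes.append(string.ascii_uppercase)
    if lower:
        classes.append(string.ascii_lowercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(SYMBOLS)
    pools = ["".join(c for c in cls if c not in exclude) for cls in classes]
    if not pools or any(not p for p in pools):
        raise ValueError("a selected character class is empty after filtering")
    return pools


def generate_password(length=32, **options):
    """Generate a password with the OS CSPRNG, one character at a time.

    Candidates missing a selected class are discarded and redrawn, so every
    password that satisfies the policy stays equally likely.
    """
    pools = build_alphabet(**options)
    if length < len(pools):
        raise ValueError("length is too short to include every class")
    alphabet = "".join(pools)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in pool for ch in candidate) for pool in pools):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on entropy for uniformly random characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    filtered = sum(len(p) for p in build_alphabet())
    full = sum(len(p) for p in build_alphabet(exclude=set()))
    print("example password:", generate_password(32))
    print(f"alphabet: {full} characters, {filtered} after the look-alike filter")
    for n in (12, 16, 32):
        print(f"{n:2d} chars: {entropy_bits(n, full):6.1f} bits unfiltered, "
              f"{entropy_bits(n, filtered):6.1f} bits filtered")
```

The figures apply only to randomly generated passwords; a human-chosen password of the same length has far less entropy than this bound.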

OrangeBlossomBaby
07-06-2024, 08:59 AM
One of the best password managers is KeePass. Perhaps it is the best out there.
Free. Donate if you want (I did).
Can generate passwords of any length, character types, or complexity.
Filters to configure passwords to not use certain characters like 1 l L i I 0 o O
Use different ID and password for every site. Whatever you want.
Community reviewed and no security flaws.
One master password encrypts the entire database. Pick a long passphrase and it is not crackable (even by the NSA) if stolen.
You have exclusive control over your database. Safe to store on your cloud for multiple devices to access.
No single place for hackers to extract private information.
Able to store and URLs. Never click a link sent to your email, always go to the known trusted site.
Integrates into browsers to launch a URL, then send credentials, without wasting time with copy\paste. Uses an encrypted process to be safe from key loggers.
Hundreds of add-ins to make things work in custom ways.
Notes area to store account info or other important info.
Fields can be used for any text\numbers you want.

So what happens after 90 days, and one of your accounts requires you to change its password? You have to manually put in your account name and password, or it won't allow you to change it. And then it sends a text to your phone or an e-mail to the linked address, and you have to verify by putting in the 6-digit number it sends you. And THEN you can change the password.

You might have 4-20 different accounts that require you to do that. ADP (payroll) does it, so does my bank. And they're at different intervals so I have to change one of them, and then 20 days later I have to change the other one.

How do you do that with KeePass, that lets you never have to remember your password?

Maker
07-06-2024, 03:12 PM
So what happens after 90 days, and one of your accounts requires you to change its password? You have to manually put in your account name and password, or it won't allow you to change it. And then it sends a text to your phone or an e-mail to the linked address, and you have to verify by putting in the 6-digit number it sends you. And THEN you can change the password.

You might have 4-20 different accounts that require you to do that. ADP (payroll) does it, so does my bank. And they're at different intervals so I have to change one of them, and then 20 days later I have to change the other one.

How do you do that with KeePass, that lets you never have to remember your password?

It's still some manual work, but a lot easier. 2FA is annoying, but I want it to be as simple as possible.

Open website with KeePass - double click on URL
Select user id field with mouse
Right click entry in KeePass and select "perform auto-type" (logs you in)
Verify 2FA code sent to you
(if necessary...) Right click KeePass entry and send current password
Double click entry in KeePass. Click icon to generate new random password. Send to website.
Save database (with new password for your site).

Sandy and Ed
07-07-2024, 05:35 AM
It will never happen and admittedly does sound extreme but……would love to see identity theft added to the list of capital offenses. How much angst, time and fortune is wasted on this crime??

thevillager1988
07-07-2024, 05:43 AM
IMHO 2-factor authentication is the answer. For every account. Should be offered for every account. Fortunately it is for financials.

golfing eagles
07-07-2024, 05:45 AM
What I'd like to know is how this clown accumulated 9 billion passwords in the first place?

Cuervo
07-07-2024, 05:55 AM
I don't understand why people use password managers in the first place.
It seems that hackers with enough effort will break into anything.
To save worries use pen and paper and keep all your passwords in a drawer.
Other than the information I am forced to divulge to conduct business I store everything in a backup drive.

spinner1001
07-07-2024, 05:57 AM
🚨

What to do:

1) Change your passwords

2) Use unique passwords across each account

3) Set up app-driven 2FA wherever possible

1) Use passwords that are complex. (Changing to simpler passwords does help much to address the referenced event of posting billions of passwords online because simpler passwords are likely on that list.)

Complex passwords push people to use password managers, which I use. Choose your password manager wisely.

2) and 3) are good advice.

spinner1001
07-07-2024, 06:04 AM
I don't understand why people use password managers in the first place.
It seems that hackers with enough effort will break into anything.
To save worries use pen and paper and keep all your passwords in a drawer.
Other than the information I am forced to divulge to conduct business I store everything in a backup drive.

Read two times.

ChatGPT (https://chatgpt.com/share/136f9bbb-c914-49e7-bfdf-83a4097aed23)

ronjon309
07-07-2024, 06:08 AM
🚨 PSA: An enormous password leak of about 9.9 billion passwords was just posted on hacker forums. This could give the bad guys a massive advantage. 🚨

What to do:

1) Change your passwords

2) Use unique passwords across each account

3) Set up app-driven 2FA wherever possible
Additionally, FREEZE YOUR CREDIT REPORTS at all three credit reporting agencies so no one can open accounts with your info!

MikePgh
07-07-2024, 06:49 AM
Looks like I'll have to come up with a new system of password creation. Every 3 months, a dozen accounts demand that I change the password. I can't remember that many changes. So I have to enter them into a database that I created. The database is also "locked" with a password, and not loaded into the cloud or available on the internet at all. It's on a microchip and a thumb drive. But it stores around 120 accounts for stores, credit card info, library card, driver's license number, medical insurance group number, etc. And those rewards programs that give you discounts if you enter your phone number and password when you buy something at a store.

I'll look tomorrow and spend a couple of hours re-creating my system. It's easy enough for me to remember them all as long as I stick with my system.


Look into a password manager app for your phone. I use Keeper for my personal stuff and our business uses Last Pass. Both are pretty secure. They also sync across devices. So I have Keeper on my phone and iPad as well as my wife’s devices. Last Pass is on my phone and laptop.
I have the master password set to biometric so you need my face to gain access to the app. All passwords generated are 12 or 16 characters long.

JRcorvette
07-07-2024, 07:00 AM
One of the best password managers is KeePass. Perhaps it is the best out there.
Free. Donate if you want (I did).
Can generate passwords of any length, character types, or complexity.
Filters to configure passwords to not use certain characters like 1 l L i I 0 o O
Use different ID and password for every site. Whatever you want.
Community reviewed and no security flaws.
One master password encrypts the entire database. Pick a long passphrase and it is not crackable (even by the NSA) if stolen.
You have exclusive control over your database. Safe to store on your cloud for multiple devices to access.
No single place for hackers to extract private information.
Able to store and URLs. Never click a link sent to your email, always go to the known trusted site.
Integrates into browsers to launch a URL, then send credentials, without wasting time with copy\paste. Uses an encrypted process to be safe from key loggers.
Hundreds of add-ins to make things work in custom ways.
Notes area to store account info or other important info.
Fields can be used for any text\numbers you want.

You should give a course on how to set up and use this. I have tried several password management systems and they are too complicated. :what:

Maker
07-07-2024, 07:08 AM
I don't understand why people use password managers in the first place.
It seems that hackers with enough effort will break into anything.
To save worries use pen and paper and keep all your passwords in a drawer.
Other than the information I am forced to divulge to conduct business I store everything in a backup drive.

Hope you never have a fire or bad weather that causes that list to vanish.
In the midst of a tragedy, when you need access to important sites, you will be locked out.

Hope that list is never stolen. Likely years of financial and legal problems if that happens.

Please rethink that approach.

rsmurano
07-07-2024, 07:30 AM
The biggest security risk is not creating your passwords the correct way and not using 2FA.
It is proven that if your password is greater than 16 characters and some of those characters are special characters, it will take years to hack. Upper and lower case don’t matter much, it’s the length and special characters.

How long does it take a hacker to crack one of your passwords in 2024? | Euronews (https://www.euronews.com/next/2024/05/11/how-long-does-it-take-a-hacker-to-crack-a-password-in-2024#:~:text=For%20a%20simple%20eight%2Dcharacter, 119%20years%20to%20determine%20it).

Also, I use LifeLock and it alerts me every access to my accounts, say dividends or buy and sell activity, every bank transaction, every hit your identity is hit in the dark web, section on freezing a 1/2 dozen sites (more than the 3 credit bureaus), on and on.

I don’t use a password pgm mainly because I can store all mine in a safe location that is pwd protected and I will never use a pwd manager that stores your pwds in the cloud on their proprietary cloud, unless it’s Apples. I’ve used AWS and Google cloud in my prior working life and no thanks.

Spartan86
07-07-2024, 07:44 AM
A lot of good suggestions here. One other I heard years ago from a security discussion - make sure you have a solid password and 2FA enabled for your email. Your email is quite often the path to password resets and authentication codes which bad actors could use to obtain access.

MidWestIA
07-07-2024, 07:51 AM
there have been too many hacks of BIG companies

FREEZE YOUR CREDIT they already have you

CoachKandSportsguy
07-07-2024, 07:55 AM
LOL! password managers and strong passwords are not the savior you think they are.

If your passwords are stolen through malware when you are typing them, which doesn't involve brute force or quality of passwords, also called phishing, then one is still toast. If you have a sim swapping event in combo, you are toast with 2FA.

If you think everything is fine, and someone uses your Microsoft Windows 365 password, they have access to all your password backup files. Nothing will save you if your passwords are stolen and someone wants to get into your accounts. If they find you have 2FA, then most likely they will move on to the next account. If they find out you have a lot of money, such as banking apps on your phone or stolen USPS mail, they will find a way to sim swap your phone by corrupting a phone company employee, kgb style.

What does help is:
1) always use InPrivate or Incognito modes in browsers when accessing sensitive accounts.
2) Use a hard key instead of a software password:
Options include: hardware key fob mfa device - Google Search (https://www.google.com/search?q=hardware+key+fob+mfa+device)
Impossible to beat a hard key with software, but have a backup hidden somewhere just in case. .
3) Never re-use passwords for sensitive sites.
4) Never have sensitive apps with saved passwords on your phone, especially banking apps where apple store employees can see your account balances, numbers and location.
5) Use the strongest malware protection on your computing devices which you can buy

good luck. . .

former IT / finance guy

oneclickplus
07-07-2024, 08:41 AM
IMHO 2-factor authentication is the answer. For every account. Should be offered for every account. Fortunately it is for financials.

At a minimum, you also want 2FA on your email account. This is because email is the mechanism for changing passwords (where a link to reset password is sent). If your email doesn't support 2FA, you need a new email account.

CFrance
07-07-2024, 09:47 AM
One of the best password managers is KeePass. Perhaps it is the best out there.
Free. Donate if you want (I did).
Can generate passwords of any length, character types, or complexity.
Filters to configure passwords to not use certain characters like 1 l L i I 0 o O
Use different ID and password for every site. Whatever you want.
Community reviewed and no security flaws.
One master password encrypts the entire database. Pick a long passphrase and it is not crackable (even by the NSA) if stolen.
You have exclusive control over your database. Safe to store on your cloud for multiple devices to access.
No single place for hackers to extract private information.
Able to store and URLs. Never click a link sent to your email, always go to the known trusted site.
Integrates into browsers to launch a URL, then send credentials, without wasting time with copy\paste. Uses an encrypted process to be safe from key loggers.
Hundreds of add-ins to make things work in custom ways.
Notes area to store account info or other important info.
Fields can be used for any text\numbers you want.
A couple of questions, as it sounds like you are knowledgeable. 1. What do you think of RoboForm?
2. Can you give an example of a long passphrase?
3. What is meant by No single place for hackers to extract private information.
Thanks for any info.

Caymus
07-07-2024, 10:11 AM
I found this interesting about the information that can be stored in a printer.

https://www.msn.com/en-us/money/other/getting-rid-of-a-printer-do-this-first-or-risk-getting-hacked/ar-AA1i4OR3?ocid=msedgntp&pc=HCTS&cvid=594fc0467feb466e9fdab51127658fe4&ei=28

TVTVTV
07-07-2024, 10:29 AM
Password Managers are your friend.

Security through obscurity?

"I know this might sound funny, but what's an extra 1.5 billion passwords?” Daniel Card, a self-proclaimed Cyber Ninja Warrior and founder of the PwnDefend security consultancy, said.

He has a point: once such databases reach a tipping point regarding unique password size, it makes precious little difference how many new ones get added.

“When we look at how people create passwords,” Card said, “is that going to change the world? Probably not.

I don't think this changes the threat actors’ capability in any meaningful way.”


New Security Alert: Hacker Uploads 10 Billion Passwords To Crime Forum—Report (https://www.forbes.com/sites/daveywinder/2024/07/05/new-security-alert-hacker-uploads-10-billion-stolen-passwords-to-crime-forum/)

I don't trust password managers storing such important info "in the cloud." As we've seen, every type of business has been hacked. They are certainly not 100% hack proof.

Cuervo
07-07-2024, 10:31 AM
Hope you never have a fire or bad weather that causes that list to vanish.
In the midst of a tragedy, when you need access to important sites, you will be locked out.

Hope that list is never stolen. Likely years of financial and legal problems if that happens.

Please rethink that approach.

Stolen by who alien from another planet or ghost hiding under my bed from the dark side. Do you really think someone would break into my house ignore everything they could carry out to look for a book with my passwords that they don't even know it exists.

Give me a break, if you haven't noticed hackers are breaking into almost any site they want. Today many are having their identity stolen, credit card fraud is on the rise, even hospitals have been shut down for ransom.

Cuervo
07-07-2024, 10:37 AM
Hope you never have a fire or bad weather that causes that list to vanish.
In the midst of a tragedy, when you need access to important sites, you will be locked out.

Hope that list is never stolen. Likely years of financial and legal problems if that happens.

Please rethink that approach.

I do have many passwords, but the important ones which aren't that many I store in my head and if a thief breaks into my house and kills me and finds the book, it's not going to matter anyway.

BlueStarAirlines
07-07-2024, 10:42 AM
One of the best password managers is KeePass. Perhaps it is the best out there.
Free. Donate if you want (I did).
.

I use 1Password. Not free, but is one of the best out there. I try to stay away from free software

That being said, CoachK's post is the best advice.

askcarl
07-07-2024, 11:11 AM
12345 has worked for decades.

Cuervo
07-07-2024, 01:17 PM
Let's stop and think about it, I had suggested whatever passwords you have do not go to a third party or to the program that pops up asking if you want to save your password. I suggested keeping a log at home offline and a poster raised a number of scenarios, as fire, theft and hurricane which would demolish the house. I have two or three important contacts,
Bank, Broker, Email account. I personally know my broker so he will deal with any access I need; I know what bank I deal with and with proper ID they will deal with any problem that arises and my email I've had for so long the password is tattooed in my brain and if anyone does access my email, they'll have to deal with all the spam. The other sites are trivial and if you forget the password, as far as I know these sites will send you an email instructing you how to get a new password. I believe the less information you share with others the safer you are.

Ecuadog
07-07-2024, 01:33 PM
12345 has worked for decades.

Not complex enough. I use 1234567.

Two Bills
07-07-2024, 03:12 PM
Not complex enough. I use 1234567.

Is that safer than my mother's maiden name.
That's a lot of numbers, don't think I could remember that many.

jojo
07-07-2024, 03:14 PM
Last Pass had a major data breach. I quit Last Pass because it blocked my completing info on some websites such as Groome Transportation and several other sites.

Altavia
07-07-2024, 06:23 PM
Let's stop and think about it, I had suggested whatever passwords you have do not go to a third party or to the program that pops up asking if you want to save your password. I suggested keeping a log at home offline and a poster raised a number of scenarios, as fire, theft and hurricane which would demolish the house. I have two or three important contacts,
Bank, Broker, Email account. I personally know my broker so he will deal with any access I need; I know what bank I deal with and with proper ID they will deal with any problem that arises and my email I've had for so long the password is tattooed in my brain and if anyone does access my email, they'll have to deal with all the spam. The other sites are trivial and if you forget the password, as far as I know these sites will send you an email instructing you how to get a new password. I believe the less information you share with others the safer you are.

What happens for your heirs if you die from a heart attack tonight?

JMintzer
07-07-2024, 07:43 PM
I use "Incorrect"...

If I forget it, the website tells me "Your password is incorrect"...

Maker
07-08-2024, 06:19 AM
A couple of questions, as it sounds like you are knowledgeable. 1. What do you think of RoboForm?
2. Can you give an example of a long passphrase?
3. What is meant by No single place for hackers to extract private information.
Thanks for any info.

Not a fan of RoboForm. It has some innovative features, but appears to have several flaws.
Your data file is in their possession so if they suffer an outage or cyber attack, you are in a world of hurt. KeePass data is in your possession, and you can store it wherever you want.
Limited to one password database. KeePass allows multiple databases. Certain places where family or friends would also want to access can be put in its own file and shared without sharing your private data.
Free version is for one device only. KeePass is not limited. Use it on all your devices.
It reaches out to the web to do "security" things. That exposes itself to detection. Doing things beyond its main purpose is generally frowned upon.
Software has not been peer reviewed for coding errors, hackability, or secret back doors. KeePass is open source. Many experts have not been able to find any security flaws.

A long passphrase is something that can be remembered but also contains pieces that are not actual words. The very long length makes it secure. Like:
Today@1200!sWhen\ottery#Nums@rePicked
TThhiissIIssAALLoonnggPPaasssspphhrrssee:)

No single place means that every part of the process adds a unique layer of security. There is no one way to hack the process without having several completely different compromises at the same time. Here are a few
Database is stored where you only have access
Database is not hackable. A key logger could get your master password, but would not be able to get your database.
Passwords are sent via a secure process to web browsers.
Every password can be different. If one site gets hacked, exposure is limited.

Maker
07-08-2024, 06:24 AM
Also, a word of caution for anyone using Excel or Word to save your passwords. Those apps can have "password protected" documents. You can pick a 1000 character password if you want, and might think that is secure. It is not.
The actual data is easily recovered without knowing the password.
There are many examples of DIY on the web. Those methods do not try to guess the password, they just remove it.

Cuervo
07-08-2024, 06:25 AM
What happens for your heirs if you die from a heart attack tonight?

I have two annuities that cover my nephews where they are the beneficiaries when I check out and I have supplied them with all the documentation. My daughter and my grandson will get the rest, again she is totally aware of what there is, and a legal trust has been set up. I did my homework and I have set this up that if I die before this posting is finished, they will be fully protected. Again, I believe the less personal information you release to anyone without knowing who might get access to it legally or illegally is a mistake.

PoolBrews
07-08-2024, 06:49 AM
This was not a "data breach" per se. It is a huge text file containing over 9 billion passwords. It does not tie passwords to login ID's or anything else. With this file it is possible for a hacker to use one file containing known ID's and then cycle through passwords in a brute force attack. Most sites (upwards of 99%), especially financial, have security measures in place to handle denial of attack.

Even if you change all of your passwords today, the chances that you will pick a new password that is not on this massive list are very slim. It's kind of like a dictionary, and your job is to guess what word out of that dictionary was last used by someone.

Your best protection is to ensure that you have two factor authentication set up on all of your accounts that connect in any way with your money.

Altavia
07-08-2024, 06:53 AM
I have two annuities that cover my nephews where they are the beneficiaries when I check out and I have supplied them with all the documentation. My daughter and my grandson will get the rest, again she is totally aware of what there is, and a legal trust has been set up. I did my homework and I have set this up that if I die before this posting is finished, they will be fully protected. Again, I believe the less personal information you release to anyone without knowing who might get access to it legally or illegally is a mistake.

That's the easy stuff.

Do they have access to the online accounts - utilities, insurance, credit card, photos, etc?

Especially Passwords to access your phone, computer, etc?

Cuervo
07-08-2024, 03:28 PM
That's the easy stuff.

Do they have access to the online accounts - utilities, insurance, credit card, photos, etc?

Especially Passwords to access your phone, computer, etc?

You're just hunting for something to justify the pouring of your information to the world.
I've dealt with the passing of my uncle, my wife's son and then my wife without some of this information and have cleared it all.
When my wife's son passed, I got into his computer through a back door, his phone I didn't even bother with, I had all his mail sent to me and I handled whatever bills came in. Within months I cleared the slate and sold his house in N.J.
My daughter has more information than she needs and more than I had dealing with my wife's son.
If you want to trust your information somewhere on the internet that's your choice, I'm a native New Yorker and we were trained from birth not to trust anyone but yourself and sometimes I don't even trust myself.

CFrance
07-08-2024, 03:39 PM
Not a fan of RoboForm. It has some innovative features, but appears to have several flaws.
Your data file is in their possession so if they suffer an outage or cyber attack, you are in a world of hurt. KeePass data is in your possession, and you can store it wherever you want.
Limited to one password database. KeePass allows multiple databases. Certain places where family or friends would also want to access can be put in its own file and shared without sharing your private data.
Free version is for one device only. KeePass is not limited. Use it on all your devices.
It reaches out to the web to do "security" things. That exposes itself to detection. Doing things beyond its main purpose is generally frowned upon.
Software has not been peer reviewed for coding errors, hackability, or secret back doors. KeePass is open source. Many experts have not been able to find any security flaws.

A long passphrase is something that can be remembered but also contains pieces that are not actual words. The very long length makes it secure. Like:
Today@1200!sWhen\ottery#Nums@rePicked
TThhiissIIssAALLoonnggPPaasssspphhrrssee:)

No single place means that every part of the process adds a unique layer of security. There is no one way to hack the process without having several completely different compromises at the same time. Here are a few
Database is stored where you only have access
Database is not hackable. A key logger could get your master password, but would not be able to get your database.
Passwords are sent via a secure process to web browsers.
Every password can be different. If one site gets hacked, exposure is limited.
Thanks for the response/explanation, Maker.

Altavia
07-08-2024, 04:11 PM
You're just hunting for something to justify the pouring of your information to the world.
I've dealt with the passing of my uncle, my wife's son and then my wife without some of this information and have cleared it all.
When my wife's son passed, I got into his computer through a back door, his phone I didn't even bother with, I had all his mail sent to me and I handled whatever bills came in. Within months I cleared the slate and sold his house in N.J.
My daughter has more information than she needs and more than I had dealing with my wife's son.
If you want to trust your information somewhere on the internet that's your choice, I'm a native New Yorker and we were trained from birth not to trust anyone but yourself and sometimes I don't even trust myself.

Sorry, I was trying to understand since you are smarter than the millions of hackers and security experts in the world...

Salty Dog
07-11-2024, 01:33 AM
I use a cloud based password manager because I need to access my accounts from multiple devices. My master password is over 16 characters long. I have over 700 password protected accounts (I thought I had about 300, but just counted them). Granted many sites have no personal/financial info attached to the accounts. I've been changing my site passwords to 12+ characters, but it takes a while. I try to do several dozen every week or so. My password manager automates it somewhat, but site's security often makes using automated setup hard or impossible to use.

My Microsoft account is hit dozens of times a day from all over the world with attempted logins. Here are just 6 in 60 seconds.

7/9/2024 4:25 AM Unsuccessful sign-in Argentina
7/9/2024 4:25 AM Unsuccessful sign-in Brazil
7/9/2024 4:25 AM Unsuccessful sign-in Austria
7/9/2024 4:25 AM Unsuccessful sign-in Bangladesh
7/9/2024 4:25 AM Unsuccessful sign-in Iraq
7/9/2024 4:25 AM Unsuccessful sign-in Morocco
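An added example, not part of the original post: a small script that reads an activity log in the format shown above and flags minutes with failed sign-ins from several different countries, plus any successful sign-in from a country that also produced failures. The "Successful sign-in" status string, the last three sample lines, the threshold and the function names are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches lines such as "7/9/2024 4:25 AM Unsuccessful sign-in Argentina".
# "Successful sign-in" is an assumed status string; the post shows only failures.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<status>Unsuccessful sign-in|Successful sign-in)\s+"
    r"(?P<country>.+?)\s*$"
)

# The first six lines are from the post; the last three are constructed.
SAMPLE_LOG = """\
7/9/2024 4:25 AM Unsuccessful sign-in Argentina
7/9/2024 4:25 AM Unsuccessful sign-in Brazil
7/9/2024 4:25 AM Unsuccessful sign-in Austria
7/9/2024 4:25 AM Unsuccessful sign-in Bangladesh
7/9/2024 4:25 AM Unsuccessful sign-in Iraq
7/9/2024 4:25 AM Unsuccessful sign-in Morocco
7/9/2024 4:31 AM Successful sign-in Brazil
7/9/2024 9:10 AM Successful sign-in United States
7/9/2024 6:02 PM Unsuccessful sign-in United States
"""


def parse_log(text):
    """Turn log text into a list of events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "when": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M %p"),
            "ok": m["status"].startswith("Successful"),
            "country": m["country"],
        })
    return events


def find_bursts(events, min_countries=3):
    """Return (minute, failure_count, countries) for each minute in which
    failed sign-ins came from at least min_countries distinct countries."""
    per_minute = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            per_minute[ev["when"]].append(ev["country"])
    bursts = []
    for when in sorted(per_minute):
        countries = sorted(set(per_minute[when]))
        if len(countries) >= min_countries:
            bursts.append((when, len(per_minute[when]), countries))
    return bursts


def suspicious_successes(events, home_countries):
    """Successful sign-ins from outside the owner's usual countries that
    also appear as a source of failed attempts."""
    failed_from = {ev["country"] for ev in events if not ev["ok"]}
    return [ev for ev in events
            if ev["ok"]
            and ev["country"] not in home_countries
            and ev["country"] in failed_from]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for when, count, countries in find_bursts(events):
        print(f"{when:%Y-%m-%d %H:%M}: {count} failures from {len(countries)} "
              f"countries: {', '.join(countries)}")
    for ev in suspicious_successes(events, home_countries={"United States"}):
        print(f"REVIEW: successful sign-in from {ev['country']} at {ev['when']}")
```

A burst of failures on its own means the guesses are being rejected; a flagged success is the line that calls for an immediate password change and a check of the account's recovery settings.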

Maker
07-11-2024, 06:27 AM
I use a cloud based password manager because I need to access my accounts from multiple devices. My master password is over 16 characters long. I have over 700 password protected accounts (I thought I had about 300, but just counted them). Granted many sites have no personal/financial info attached to the accounts. I've been changing my site passwords to 12+ characters, but it takes a while. I try to do several dozen every week or so. My password manager automates it somewhat, but site's security often makes using automated setup hard or impossible to use.

My Microsoft account is hit dozens of times a day from all over the world with attempted logins. Here are just 6 in 60 seconds.

7/9/2024 4:25 AM Unsuccessful sign-in Argentina
7/9/2024 4:25 AM Unsuccessful sign-in Brazil
7/9/2024 4:25 AM Unsuccessful sign-in Austria
7/9/2024 4:25 AM Unsuccessful sign-in Bangladesh
7/9/2024 4:25 AM Unsuccessful sign-in Iraq
7/9/2024 4:25 AM Unsuccessful sign-in Morocco

A 16 character password is far too short. Especially for the one that unlocks your entire online life. Add a passphrase. Example: Phrase you remember "I like to get up at 6 in the morning to go for a walk with my dog" ... becomes typed as... "Iltgua6itmtgfawwmd"
A 12 character password is hackable in minutes.
A password manager should be able to generate random 32 character (or longer) passwords for the entries. Who cares if they are impossible to type manually, the password manager should auto-type them for you.

There is a big difference between "cloud based" password managers and storing your data file in the cloud. The first maintains custody of your data file. That alone is insecure because you rely on them to do all your security, and hope they never mysteriously disappear or get compromised. When you have complete control where you store your data file, you can put it anywhere you want. Even in several places. The security built in to the data file encryption is 100% sufficient, and you can access it anywhere you can get to your cloud.

Spartan86
07-14-2024, 05:32 PM
A 16 character password is far too short. Especially for the one that unlocks your entire online life. Add a passphrase. Example: Phrase you remember "I like to get up at 6 in the morning to go for a walk with my dog" ... becomes typed as... "Iltgua6itmtgfawwmd"
A 12 character password is hackable in minutes.
A password manager should be able to generate random 32 character (or longer) passwords for the entries. Who cares if they are impossible to type manually, the password manager should auto-type them for you.

There is a big difference between "cloud based" password managers and storing your data file in the cloud. The first maintains custody of your data file. That alone is insecure because you rely on them to do all your security, and hope they never mysteriously disappear or get compromised. When you have complete control where you store your data file, you can put it anywhere you want. Even in several places. The security built in to the data file encryption is 100% sufficient, and you can access it anywhere you can get to your cloud.
Saying 12 or 16 is too short is only part of the discussion IMO

keepsake
07-14-2024, 08:31 PM
My stupid medicare requires this 2-factor crap -- all it does is make it a royal pain and managed to let Devoted STEAL $ 550 from us.
Good for big outfits, bad for consumers.