I frequently hear about users who have had their account hacked. Just the other day another well-known Steemian lost 100 Steem due to their account being compromised. These attacks are usually the result of one of two things:
- Sending private key/password in wallet memo
- Clicking a link and entering your username and password
While a password manager will not prevent the first situation, it will eliminate the second.
How does a password manager prevent phishing attacks?
Before I get into that, I want to go over some basic checks you should do whenever conducting business on the Internet or entering your password.
Always check for a valid SSL certificate
While this varies browser to browser, they all display a lock symbol when you are on a secure site using SSL with a valid certificate.
Below you will find all the popular browsers and what a secure site with a valid certificate looks like in each of them:
- Chrome
- Firefox
- Microsoft Edge
- Internet Explorer
If you do not see a secure lock symbol, you are likely not where you want to be. Tread very carefully and only enter passwords or private information if you are absolutely sure you know what you are doing.
Always look at the URL
Whenever you are asked to enter your password you should always check the URL and make sure you are where you should be. Look carefully, as many phishing attempts use URLs that are very similar to the original name. For Steemit, you should see this:
If you are entering your password manually, you should do these steps every time. They only take a moment but will dramatically reduce the chance of your account being stolen.
You said something about a Password Manager?
Yes, and this is what I highly recommend for every user. The password manager I use costs money, but I highly recommend it anyway. Any popular password manager should work well, though, and any of them is far better than no password manager.
The way a password manager protects you is a side effect of how it works. Most password managers add a button to your browser's toolbar.
When you want to fill in a login form, you click that button and it lists all the passwords it knows for that particular URL.
If you click on a link that takes you to a site that looks like Steemit but isn't Steemit.com, you will see no passwords listed. This tells you right away that you are not where you think you are. Phishing attempts have gotten very clever and frequently change to use different ways of fooling users. In the end, though, they all have one goal: fool a user into thinking they are on Steemit.com, and make them enter their username and private key.
Once someone does this, scripts are activated to automatically drain the account and usually post comments on your behalf attempting to lure other users into doing the same thing.
This one simple feature of a password manager should protect you from nearly 100% of phishing attempts. If you do not use a password manager, you should be very diligent in checking the URL and SSL lock icon to verify you are where you want to be. In the past, there have been attacks that forged this by using look-alike special characters in the domain name so that it appears you are at the site you think you are. This is where a password manager is foolproof, because it matches the real address rather than what the address looks like, and it will save your ass every time.
KeePass is a very popular option for people who want a free password manager, but it does not have a browser extension that offers the functionality described above. There is a third-party extension, but I can't vouch for how well it works.
Password Managers have many other benefits
Preventing phishing is something that good password managers do really well, but they have many other features that dramatically increase your security online.
One of the biggest features is the ability to use a unique 64-character password like this one, !T*qF}L@E6Jxhdbh=]-7pZ=mozipfwK8#fQD#7TchBx}WfX,:-ntvgwZy}odN*7d, on every site you use. All you need to remember is your one master password. This makes your passwords effectively impossible to brute force, and it also protects you if one of your logins is compromised: because every password is unique, the attacker cannot use it to get into your accounts on other sites.
Password managers will also synchronize securely across mobile devices and desktops. The good ones encrypt your data locally, and no unencrypted data is ever sent over the Internet.
Crypto is YOLO
I have a saying that crypto is YOLO. When sending transactions in crypto, you are responsible for protecting your wallet and for ensuring you sent the correct amount to the correct address. There is no one to call if you mess up, and you bear any losses. Proper security is critical and is your responsibility.