A joke to release some of that stress:

Better hacked than chopped.
Themken: A joke to release some of that stress:

Better hacked than chopped.
Doesn't work, as hacking and chopping are the same thing as far as dismemberment goes.

"better hacked than ground up and turned into burgers" would be better.

edit: or "better hacked than sliced" even
Post edited October 02, 2021 by Sachys
If you suspect you were hacked, probably change passwords. If each site has a different password then only change the one affected, and if your email was compromised maybe everything attached to it.

A 'forgot password' shouldn't do anything, unless they could not only click that but intercept the email to reset it and go to that link (Not impossible but probably VERY difficult).

Double-check emails are authentic, checking the 'from' field as well as accessing the email in its raw text form; you can see if it is a phishing email and just 'BEGGING' you to click on it, like paypal 'dear customer your account is suspended' or 'your card is frozen from <Insert Bank Name> contact us immediately' or something similar. Most sites will use your name (John, or Mary, etc) or username; if it is missing it's probably a blank attempt to catch someone. If your email address has your name in it, like John.Doe@email.com, then scripts will strip that and send it to you to say 'Dear John Doe'. If yours doesn't, and is test123@email.com, it could be 'dear test123', which should be an immediate flag as that isn't a real name and just your email.
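The checks in the post above (the 'from' address vs. the brand it claims, a Reply-To pointing elsewhere, a generic 'dear customer' greeting, and links to the wrong host or plain http) as an added example, not code from anyone in this thread. The raw message is constructed for the demo; `expected_domain` is the site the mail claims to be from.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample that copies the pattern the post warns about.
SAMPLE_RAW = """\
From: PayPal Support <billing@paypa1-secure.example>
Reply-To: refunds@mailer-bulk.example
To: test123@email.com
Subject: Your account is suspended
Content-Type: text/plain

Dear customer,
Your account is frozen. Confirm your details here: http://login.paypa1-secure.example/verify
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")


def same_site(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def phishing_flags(raw, expected_domain, my_name=None):
    """Return the reasons a raw message looks like a blind phishing attempt."""
    msg = message_from_string(raw)
    flags = []
    # 1. the 'from' field: the display name claims a brand the address does not belong to
    _display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1]
    if not same_site(from_domain, expected_domain):
        flags.append(f"From address domain {from_domain!r} is not {expected_domain!r}")
    # 2. replies routed to a different domain than the sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain.lower():
        flags.append(f"Reply-To domain differs: {reply!r}")
    # 3. greeting: generic, or missing the name the real site would use
    body = msg.get_payload(decode=True).decode(errors="replace")
    lines = body.strip().splitlines()
    first = lines[0].lower() if lines else ""
    if first.startswith(GENERIC_GREETINGS) or (my_name and my_name.lower() not in first):
        flags.append(f"Generic greeting: {first!r}")
    # 4. links whose host is not the claimed site, or that are plain http
    for url in re.findall(r"https?://[^\s\"'>]+", body):
        host = re.match(r"https?://([^/]+)", url).group(1)
        if not same_site(host, expected_domain) or url.startswith("http://"):
            flags.append(f"Suspicious link: {url}")
    return flags
```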
TacoBiscuit: I just changed every password on all my important stuff just now.
I think one of the main things is that you keep your email password long/hard to guess and secure, and that it is not used anywhere else but that particular email log in.

So definitely don't use the same password in gog.com, Steam, nudegrannies.com etc., that you use for logging into your online email account (gmail or whatever it was). The worst thing that could happen is that they get access to your email account, as then they can reset all the passwords on services that are using that email address (including gog.com). After all, then they can easily check your inbox to see all the various services that email is used.

I presume one of the main methods the evildoers work nowadays is that they get hold of the user database in some less secure site (like the aforementioned nudegrannies.com), and then try brute-force to guess the passwords for the various users (email) in that database locally (not trying to repeatedly log into the online service itself as they often limit the failed login attempts, but brute-forcing the user database locally: or decrypt the whole database locally, not sure how they do it... there have been cases where some idiot services haven't even encrypted their user databases so all the usernames and passwords have been in clear text for anyone who gets hold of the user database).

Then they blindly try to use the username+password in various online services and sites, including gmail.com and outlook.com etc., in case the same username+password combination has been used in them.

However in this case they apparently haven't found out your password at least to gog.com, hence the reset password attempt (which is futile if they don't have access to your email).

Naturally, using two-factor authentication wherever you can diminishes the risk of your accounts being hijacked even further, as then it doesn't even matter anymore that much even if they guess your password. So enabling 2FA on your main email account is also highly recommended, but failing that, a long and hard password for your email account that you use nowhere else, and maybe also change from time to time.

(I know the common recommendation is never to use the same password for different online services, but considering people might have dozens or more throwaway online accounts which they've used only once, I guess the reality is something else. People probably don't care even if their online account in some trash site that they've visited only once gets hijacked, as long as money is not used on that site and the same username+password doesn't work on any important sites.)

EDIT: Also if you ever bump into some online service which doesn't use https but http, don't log into such services (or do anything where you type in any sensitive data into them, like your CC number or anything) as all the data you type in goes over the internet not encrypted, including your username and password. Modern browsers increasingly warn of sites not using https.

However not going overboard there, if it is just some generic web site where you just read some text, then it probably doesn't matter that much to you even if it is just plain http...
Post edited October 02, 2021 by timppu
timppu: I think one of the main things is that you keep your email password long/hard to guess and secure, and that it is not used anywhere else but that particular email log in.

So definitely don't use the same password in gog.com, Steam, nudegrannies.com etc., that you use for logging into your online email account (gmail or whatever it was). The worst thing that could happen is that they get access to your email account, as then they can reset all the passwords on services that are using that email address (including gog.com). After all, then they can easily check your inbox to see all the various services that email is used.

I presume one of the main methods the evildoers work nowadays is that they get hold of the user database in some less secure site (like the aforementioned nudegrannies.com), and then try brute-force to guess the passwords for the various users (email) in that database locally (not trying to repeatedly log into the online service itself as they often limit the failed login attempts, but brute-forcing the user database locally: or decrypt the whole database locally, not sure how they do it... there have been cases where some idiot services haven't even encrypted their user databases so all the usernames and passwords have been in clear text for anyone who gets hold of the user database).
Lazy people will tend to use the same password on everything. Lately it's found complicated passwords are not how humans think, thus they use something like 'god' or 'Trixy_123' where Trixy was their pet dog, or part of the address or some other personal data that isn't too hard to get a hold of. Worse, it's a dictionary attack.

When the database does hash the password they often add salt/random data to make it more difficult to crack and so you can't just brute force as easily.

Passwords SHOULD INSTEAD be pass phrases. You'd take a personal phrase you won't forget and can use, either a personal poetry or something like 12-20 words. "I positively swear i am up to no good" would certainly work, unless they know you're a Harry Potter fan. But a number of sites actively prohibit long passwords. AOL for example limits you to 16 characters, making such a pass phrase impossible. Then they have the 'At least one upper/lower character, one symbol and one number'. People tend to instead just go 'duck it' and go password_#1 or something.

Password generators/handlers may be the solution. You'd make a complex master password, then you'd enter an input which would be the site/location/item and it would generate a secure password with tons of options for how to comply. A while back there was a firefox plugin to do the job with Firefox 7 I think (seems so long ago). On Android and Mac there's SSE and several others.
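What the salt mentioned above actually buys a site, as an added example and not anything posted in this thread: two users with the same password get identical unsalted hashes (so one leaked table shows the reuse and one guess covers both), while per-user salt plus a slow KDF makes each stored value distinct. PBKDF2-HMAC-SHA256 and the iteration count are my choice here, not a claim about what any particular site does.

```python
import hashlib
import hmac
import os

# Deliberately slow: this is the cost an offline guesser pays per attempt per user.
PBKDF2_ITERATIONS = 200_000


def unsalted_sha256(password):
    """The weak pattern: same password -> same hash for every user, and fast to guess."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Store as 'iterations$salt_hex$hash_hex'. The salt is random per user and not secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def users_with_shared_hashes(table):
    """Users whose stored value equals another user's: reuse visible in a leaked table."""
    first_seen, shared = {}, set()
    for user, value in table.items():
        if value in first_seen:
            shared.update({user, first_seen[value]})
        first_seen.setdefault(value, user)
    return shared


if __name__ == "__main__":
    # Constructed users: alice and bob picked the same password.
    weak = {u: unsalted_sha256(p) for u, p in [("alice", "Trixy_123"), ("bob", "Trixy_123"), ("carol", "god")]}
    strong = {u: hash_password(p) for u, p in [("alice", "Trixy_123"), ("bob", "Trixy_123"), ("carol", "god")]}
    print("reuse visible without salt:", users_with_shared_hashes(weak))
    print("reuse visible with salt:   ", users_with_shared_hashes(strong))
```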
rtcvb32: Passwords SHOULD INSTEAD be pass phrases. You'd take a personal phrase you won't forget and can use, either a personal poetry or something like 12-20 words.
Yeah I agree in general. Then again, I have forgotten one such long passphrase I used for a very long time on a big RAR file, as I didn't remember anymore in which order exactly or what exact words I had used, trying different synonyms... Maybe it helps if it is some phrase that stays the same.

I guess it helps if the phrase is in some less common language, like Finnish. :) Then again if you are from Finland yourself, maybe you should use Swahili or Hungarian instead...

Also, adding a couple of extra characters somewhere in the phrase does seem to increase its effectiveness a lot, instead of using just alphabets and numbers, even in a long phrase (just read that in some of those password generator sites that explained carefully how much extra length, mixing upper/lowercase characters, adding extra characters etc. increases the complexity and time needed to brute-force break the password).

However, for us with non-US keyboards, that sometimes can be a bit of a problem if we have to use a different keyboard sometime, and/or try to write the password over some broken RDP connection where one of the computers is set to "wrong" keyboard config. Then trying to write those & £ or " in the password can be quite a bit more complicated blind, not knowing where exactly they are in e.g. the US keyboard if you are normally using the FIN keyboard... There are only a handful of special characters that seem to stay in the same place regardless of the keyboard, e.g. !
rtcvb32: You'd make a complex master password, then you'd enter an input which would be the site/location/item and it would generate a secure password with tons of options for how to comply.
And if the site changes URL, it would subsequently generate an incorrect password (if you're using it to login rather than having the browser remember passwords - which can itself pose another risk). Password managers like KeePass or 1Password don't have that problem, but can be compromised by malware.

So the most secure option is to store passwords on a separate device, ideally without Internet access so it can't be easily compromised (but which also allows you to backup data - in encrypted form - onto your PC). I use an electronic organiser myself, but if I were looking for a new way, I'd seriously consider the Mooltipass USB key - secured by a PIN and smartcard, OS independent and with 3 ways to enter a password (manually, by emulating a keyboard or via a plugin).
rtcvb32: You'd make a complex master password, then you'd enter an input which would be the site/location/item and it would generate a secure password with tons of options for how to comply.
AstralWanderer: And if the site changes URL, it would subsequently generate an incorrect password (if you're using it to login rather than having the browser remember passwords - which can itself pose another risk). Password managers like KeePass or 1Password don't have that problem, but can be compromised by malware.
That could be a problem, though entering the field data is done manually, so if gog.com became GreatGoldenAgeGames or something I'd still use gog.com until I change the password, or I would be changing. And also if you need to change the password because 'site requires you change it every 3 months' like some businesses (say BNSF, Kreger, Fred meyers, etc), adding a digit to the end would give you a completely different password. Though it would be a pain to use as you probably can't copy/paste it.
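The generator scheme discussed in the last few posts (a master password plus a hand-typed site label, with a digit bumped when a site forces a change), as an added example that is not rtcvb32's tool, the old Firefox plugin, or SSE. It uses PBKDF2 as the derivation and a fixed 16-character output to fit the AOL-style limit mentioned earlier; the label is compared case-insensitively, so "gog.com" and a renamed site only differ if you type a different label.

```python
import hashlib
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
DERIVED_LEN = 64  # bytes of key material; only the first length + 4 are used


def derive_site_password(master, site_label, counter=1, length=16):
    """Deterministic per-site password from master + label (+ counter).

    Same inputs always give the same output, so nothing needs storing; a
    different label or counter gives an unrelated password.
    """
    assert 8 <= length <= DERIVED_LEN - 4
    salt = f"{site_label.strip().lower()}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=DERIVED_LEN)
    # Map key bytes onto the alphabet (small modulo bias; fine for a demo, not a spec).
    chars = [ALPHABET[b % len(ALPHABET)] for b in key[:length]]
    # Satisfy the usual 'one upper, one lower, one digit, one symbol' rule by
    # overwriting the first four positions from spare key bytes.
    groups = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
    for i, group in enumerate(groups):
        chars[i] = group[key[length + i] % len(group)]
    return "".join(chars)


def meets_policy(password):
    """Check the complexity rule the generator is meant to satisfy."""
    return (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
    )


if __name__ == "__main__":
    master = "I positively swear i am up to no good"  # example master, not a suggestion
    print("gog.com     ", derive_site_password(master, "gog.com"))
    print("gog.com #2  ", derive_site_password(master, "gog.com", counter=2))
    print("renamed site", derive_site_password(master, "greatgoldenagegames.com"))
```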

AstralWanderer: So the most secure option is to store passwords on a separate device, ideally without Internet access so it can't be easily compromised (but which also allows you to backup data - in encrypted form - onto your PC). I use an electronic organiser myself, but if I were looking for a new way, I'd seriously consider the Mooltipass USB key - secured by a PIN and smartcard, OS independent and with 3 ways to enter a password (manually, by emulating a keyboard or via a plugin).
Hmmm... if you could never lose it or have it get damaged, you could have it generate real random numbers to create a near unbreakable key to which to generate passwords from and that would be great. Otherwise I'd prefer something I could regenerate the passwords from. In linux there's pwgen which can do a similar job, but you give a password file (which can be a text file, mp3 file, video, etc....). Though I'm not sure on it myself. Tempted to make my own, I have all the makings in my one cipher to do it.

timppu: However, for us with non-US keyboards, that sometimes can be a bit of a problem if we have to use a different keyboard sometime, and/or try to write the password over some broken RDP connection where one of the computers is set to "wrong" keyboard config. Then trying to write those & £ or " in the password can be quite a bit more complicated blind, not knowing where exactly they are in e.g. the US keyboard if you are normally using the FIN keyboard... There are only a handful of special characters that seem to stay in the same place regardless of the keyboard, e.g. !
And changing the locale/keyboard won't work too well in those cases.

On IBM systems I'm aware in DOS/Windows you can ALT+code to get around that if you know the exact character number, though if it's ASCII or Unicode I'm not sure anymore (seems like ASCII), but getting the exact code on 1-2 characters you use in your passwords would probably be workable. But if those change too then it's a matter of not using special characters at all.

38 &
163 £ (Or this one should be, locale settings can muck it up it seems)
34 "
Post edited October 02, 2021 by rtcvb32