>> Do any staff of a service covered by a password know what it is? I
>> assumed that a password created by me and not revealed to anyone else could be
>> known only to me but have never checked.
Passwords should not be recoverable or visible to any staff of a service, and should be "hashed"* in case a hacker gets in. All staff can do is provide a link or assistance to create a new password once your identity has been verified.
*Hashed. When a password has been “hashed” it means it has been turned into a scrambled representation of itself. A user's password is taken and – using a key known to the site – the hash value is derived from the combination of both the password and the key, using a set algorithm.
- Some websites, though less these days, are run incompetently and may hold passwords in the clear.
- Sometimes websites offering some attractive but easy to do service are set up solely to gather username/password combinations.
In the end the advice is fairly simple:
Use long complex passwords (Longer is better than complex, both is best)
- 12 - 15 characters
- use upper/lower case, numbers and special characters
- Don't bunch up the special characters (all at beginning or end) or rely on substitution (3/e o/0 etc.)
Never use the same password on two sites/accounts
- because maybe one site you use it on is a weak, insecure, site and the other is your bank.
I use unique 20-something character, randomly generated passwords for every account that matters. And I have a 12 character junk password that I duplicate across every account I don't care about.
I find that the best/easiest way to do that is to use a password manager. I use Lastpass and Bitwarden, but there are others.
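As an added illustration of the "hashed" storage the replies above describe (this is example code written for this page, not anything posted by the participants), the block below stores a password as a salted, keyed hash and then verifies a login by recomputing the hash rather than by reading the password back. The site key, the choice of PBKDF2-HMAC-SHA256 as the "set algorithm", and the iteration count are assumptions made for the example; the record a staff member could see contains only the work factor, the salt and the digest.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical site-wide secret (the "key known to the site" in the reply above).
# Constructed for this example; a real deployment would load it from a secrets store.
SITE_KEY = b"example-site-key-not-for-production"

# Work factor for PBKDF2-HMAC-SHA256 (an assumed value in the commonly recommended range).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record 'iterations$salt_hex$digest_hex'.

    The password is first mixed with the site key via HMAC, then run through a
    slow, salted key-derivation function. A fresh random salt means two users
    with the same password get different records, and nothing in the record
    can be turned back into the password.
    """
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(SITE_KEY, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt by recomputing the hash with the stored salt and
    work factor, then comparing in constant time. This is the only operation
    the service needs; it never has to know the password itself."""
    iterations, salt_hex, _digest_hex = record.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, record)


def record_contains_plaintext(password: str, record: str) -> bool:
    """True if the stored record leaks the password verbatim (it should not)."""
    return password in record or password.encode("utf-8").hex() in record


if __name__ == "__main__":
    # Constructed sample: what the database row holds versus what the user typed.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", stored))
```

Because the verifier only ever recomputes and compares, a "forgot password" flow can do nothing but issue a reset link, which is exactly what the reply above says staff are limited to.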