So, password security is in the news again with the Gawker break in. As usual there is a lot of average advice about passwords.
Here's some tips...
Choosing a good password is all about entropy. One common piece of advice I have seen is to use a long phrase or quotation rather than a single word. This might seem like good advice because it dramatically increases password length; but in truth it is useless because it barely increases entropy.
Testing an average dictionary of, say, a few million words can take barely any time (we are talking minutes). Simply combining words in a normal sentence only realistically multiplies that time by the number of words you use.
Sure, a hacker might not use that test scheme. But if it only takes a couple of hours to test phrases up to, say, 10 words in length isn't it worth a shot?
Event switching letters for numbers in some of the words will drastically increase the entropy of your phrase.
Computers nowadays are fast; stupidly fast. And most sites store your password poorly.
The really good advice is this:
Brute force cracks are what you need to prevent; and you do this by increasing entropy way beyond what they can hope to achieve in any reasonable length of time. So your password should not consist of a "guessable" makeup/algorithm. It should include a diverse set of characters (even adding a few symbols can add a significant entropy).The best bit is that creating a memorable, high entropy password is not all that hard with a little work. Grab a phrase or few words you like and swap letters for numbers, then add some symbols (swap spaces for + or = for example).
Heres one: "0ne+80 equals= 3ighty 1"
Not horrid to remember. Bloody hard to brute force. And you could easily make up something memorable along these lines.
The Bottom Line
But, here's the truth. You and I both reuse poor, insecure passwords. At the end of the day you at A target not THE target. We rely on security through obscurity.
There is nothing wrong with this approach.
At the end of the day, and in the current climate, the chance of you being victim of a hacked password is relatively minimal - and the chances of someone using that password to do nasty things to you is even less.
Again, it's a reasonable risk to take. Hell I take it.
The best password advice you will receive is this: be alert, be vigilant and make sure you respond when unsure.
If something feels "wrong" then change some passwords. Pick a new password every year or so and make use of that (swap about between your "history" of passwords you feel are secure). Currently I have about 25 passwords and password variants that I make use of; but this is overkill even for the above average internet user.
Recently I ended up the target of a fairly proficient Wikipedia troll who spent the best part of 3 months trying to hack me (they might even still be trying..). They never got anywhere near subverting me, but I felt uncomfortable enough to switch to a new set of passwords; once you feel there is a risk, drop them and move on.
One final piece of advice; when you sign up for a new web service to test it never use one of your passwords - just use a simple word (something really obvious...) . If you come to use the service you can swap to a better password. But if you forget it, you are not leaving one of your good passwords out "in the wild" and at risk :)