Once again, a major online company has been hacked and had user passwords stolen. Today LinkedIn is reporting that their servers were compromised and nearly 6.5 million passwords downloaded. These attacks are becoming more and more common as time goes on, with sites like Zappos, Dreamhost, and Steam all reporting password theft in 2012. Unfortunately in this day and age just having a solid and well-considered password isn’t enough to keep your information secure. Even if you have a password that is impossible to brute force or hack in some other way it only takes a data breach at one location where that password is stored to expose your password to anyone with the necessary knowledge to acquire it.
This leads back to many of the same old tropes. Always use a combination of letters, numbers, symbols, and differing capitalization in your password. Don’t use a simple phrase, especially something like password, 12345, or qwerty. Make sure to use more characters than you’d probably like, twelve or more is preferable. Everyone has heard the normal rules about passwords and many people have taken this to heart and made an effort to complicate their passwords somewhat. This still leaves the problem of what happens if your password is ever compromised from a different source. There is really only one solid solution to this, it’s a fairly common rule, but one that most people don’t pay as much attention to. Simply, your password for one site should be unique to that site. You should never use the same password to access more than one site. Unfortunately, this gets rather complex and can be somewhat confusing in the long run. The simplest solution for many is to use some form of password service, things like LastPass and 1Password are fairly effective. Various keychain tools that run locally on a machine are also quite useful. Unfortunately, these all share the same issue, one attack vector to access all of your passwords. No different in the long run than using the same password for everything.
The best solution, at least in my opinion, is to use a password that fits into all the typical length and complexity rules and then modify it in some way so that it varies in a memorable way for each site that you have a password for. You can base this modification on the name of the site, the name of your account (as long as you don’t put the actual account name in the password), the purpose of the site, or just about anything else. The goal is to have one section of the password that is easy for you to remember but hard to guess and another part that is based on something related to what the password is for so that it will jog your memory when you attempt to log into whatever service that password is for.
As an example, one can take an account for a forum website. Suppose the website is anyforum.com (no idea if this is a real thing), forums assign accounts a number as they’re created, so let’s say that my account number is 15688. So something along the lines of 15mYp@S$w0rdAF688, with the account number split up around your password and AF to represent any form. You can use the site howsecureismypassword.net to check the strength of any given password. For reference, the password listed above would take 14 quadrillion years to brute force.