Folks, sorry for such a long post, but password security is something near and dear to my heart.
Ken's suggested approach works well, in that it uses a semi-random sequence of characters for the password. Many folks are not in that good of shape. In a former life I was a system administrator for a small company, and I would periodically run password-cracking software on our accounts.
Every time I did it I would end up cracking several users' passwords. Imagine their surprise when I sent them an email with the subject, "Your password is <blah>".
This software used what are called "dictionary attacks"... it took a list of commonly used passwords and tried them. While it would take a person at a keyboard a lifetime to crack one, a computer can do it in seconds. The name is a bit of a misnomer too... I always got replies like, "but my password isn't a real word... it can't be in a dictionary!". Sorry folks, you have to assume that any non-random password (or at least, those that appear non-random to a typical user, e.g. someword123) is in a hacker's list somewhere, and if they can hack a website and get a copy of that system's password file they can eventually crack such passwords.
Now, I'd always used "strong" passwords in the past, and got to be quite overconfident in the protection that it was providing. I might have different passwords for several key accounts, but as the need to register and create a password for website access has proliferated, I found myself using the same strong password for multiple sites. At last count, I have 217 unique accounts... no way I could remember that many distinct passwords, so why not just pick a good one and replicate it? Sound familiar?
Well, a couple of years ago, one of the sites I had an account on was hacked, and the hackers actually got the clear-text versions of the passwords for the site. In other words, they didn't have to do anything to crack the individual logins... once they were into the system they were able to read the passwords of everyone on that system. It didn't matter how secure MY password was... they could read it from this (inexcusable) site's files. Now, since that site, like many others, used my email address as my login, and that password was one that I used on multiple sites, I was faced with a very bad, very real situation... What would happen if those hackers started to try random systems (maybe email sites like Yahoo or Google, or banking sites, or healthcare sites, ... you get the picture)? Since they knew one of my passwords, and they knew my email (login ID), they could try it on any number of systems automatically and might stumble on one that had the same data. Whoops... now I had to go to all of my accounts and change the password for each... bummer, and quite a time-sink.
So what lessons can we pick from this about password security? There are really two problems we have to deal with related to passwords... the first is how do we generate a strong password, and the second is how do we keep track of a unique password for each login we have? LastPass and similar programs try to address both questions. Most have a password-generation capability... some way to generate random, secure passwords. So, you don't have to come up with a good password... you can select what criteria you want the password to follow (e.g. how long, what characters, punctuation/special characters, etc.) and it will generate one for you. It will also store the information about that account (login, password, URL/web link, notes, yada, yada) securely so you don't have to remember it later. Many of these programs also provide some way to easily access the password information when you need it. In the case of LastPass, they have plugins for your web browser that will offer to fill in the login information for a site when it recognizes that you're visiting a site it knows about. Sweet! Now I don't even have to remember my passwords, which would be really hard to do with an ultra-secure, 25 random character password. (Honest... if someone were to ask me what my password is for this forum, I'd have to look it up. I never see it or type it anymore... I let LastPass do it for me.)
So, I bit the bullet, made the switch, and never looked back. I recommend you do the same. Take a look at the programs that are out there... find reviews and compare their features. Find something that works for you. Some of them store the passwords online in a secure format. Others only store it locally. Figure out what you're comfortable with and give it a shot. There are commercial versions, but many of the best options are free (KeePass, LastPass, and others), so that shouldn't get in your way. Many of these also have some capability to work on mobile devices like your phone or tablet, although that's often reserved for a premium version.
If you've got a system like Ken does for generating unique passwords and remembering them, great! You're in fine shape, and probably don't have to worry. If you're like I was and have a few passwords that you use for everything, whether or not those are strong passwords or trivial ones, then you owe it to yourself to look at the options.
<stepping off my soapbox>
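As an added illustration of the two lessons in the post above (this is example code, not from the original post nor from LastPass or KeePass): a small Python script that generates a password to a chosen policy from the OS CSPRNG, rejects anything that is just a list word with the usual decorations (the "someword123" case), and reports which sites in a vault share one password, i.e. the set of accounts a single breached site would expose. The word list, the site names and the passwords in the sample vault are constructed sample data.

```python
import secrets
import string

# Constructed stand-in for the wordlists that cracking tools feed through
# "mangling rules" (word + digits, capitalised first letter, trailing symbol).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "someword", "baseball"}
DEFAULT_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation)

def looks_like_dictionary_word(candidate: str) -> bool:
    """True if the password is a listed word once the usual decorations
    (case, trailing digits/punctuation) are stripped, e.g. 'Someword123!'."""
    base = candidate.lower().rstrip(string.digits + string.punctuation)
    return base in COMMON_PASSWORDS

def meets_policy(password: str, length: int, classes=DEFAULT_CLASSES) -> bool:
    """Exact length and at least one character from every selected class."""
    return len(password) == length and all(
        any(ch in cls for ch in password) for cls in classes)

def generate_password(length: int = 25, classes=DEFAULT_CLASSES) -> str:
    """Draw from the OS CSPRNG (never random.random) and resample until the
    result satisfies the policy and is not a decorated dictionary word."""
    if length < len(classes):
        raise ValueError("length must be >= number of character classes")
    alphabet = "".join(classes)
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(password, length, classes) and \
                not looks_like_dictionary_word(password):
            return password

def find_reused(vault: dict) -> list:
    """vault maps site -> password. Return groups of sites that share one
    password; each group is the blast radius of a single breached site."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values()
                  if len(sites) > 1)

if __name__ == "__main__":
    # Constructed sample vault: the post's situation, one password on several sites.
    vault = {"forum": "Someword123", "webmail": "Someword123",
             "bank": "Someword123", "shop": generate_password(25)}
    print("reused on:", find_reused(vault))
    print("weak:", [s for s, p in vault.items() if looks_like_dictionary_word(p)])
```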