My mom's web site was just hacked, replaced with a virus-spewing redirect. How? They guessed her password (which was "ladybug") then changed it on her. She should have picked a long random password, like "xkh9czixb3".
How do you remember dozens of passwords like "xkh9czixb3"? You can't. Write them down. For each, write down what it's for, what the username is, and what the password is. Preferably on two separate pieces of paper, in case one gets lost. Be sure you can read your handwriting. You don't get any security against people who can read the paper that way, but at least you have security against everyone who can't. It also prevents you from forgetting a site's password, then typing in every password you know trying to guess what it was. Another possibility (besides paper) is to store your passwords encrypted on your computer. I haven't looked into this much. Password Safe is one tool for doing this.
How do you pick a really random password?
If a password is required to use characters that are just letters
and numbers, case insensitive, then a character can be chosen by a
pair of dice and the table below. For example, if I roll a 5 and a 2,
I look up "52 z" in the table, which tells me to add the character "z"
to my password. Be careful to shake the dice well between each roll.
Be careful not to sort the numbers before reading them.
11 a 12 b 13 c
14 d 15 e 16 f 21 g 22 h 23 i
24 j 25 k 26 l 31 m 32 n 33 o
34 p 35 q 36 r 41 s 42 t 43 u
44 v 45 w 46 x 51 y 52 z 53 0
54 1 55 2 56 3 61 4 62 5 63 6
64 7 65 8 66 9
If a password is case sensitive and may contain funny characters, well, I recommend avoiding the funny characters. Why? For example: I recently changed my HostSave password to */!@a3'". The password changer accepted that. However, when I tried to log on, it wouldn't let me. It let me ask what my password was, so I asked. */!@a3'", it said. I tried it again and it wouldn't let me log on. So I had to write customer support and have them change my password to something that worked. Their site has changed recently, it's more thorough about explaining its password restrictions, but it still gives no clue why my password didn't work. (Then I switched to PowWeb because they, unlike HostSave, do online spam filtering. Now I only have to download 12 messages a day instead of 300.) (Hostsave should not be able to tell me my password, because they shouldn't be storing it. Yikes. They should store just a hash of my password.)
So. Suppose a password is case sensitive and may contain funny
characters. You can choose the characters, one at a time, by flipping
6 coins per character. Line up the coins before reading them. I
included * and ! because I know HostSave accepts those, but you may
wish to use other funny characters, or even just reflip the coins if
they say to use a funny character.
HHHHHH 0 HHHHHT 1 HHHHTH 2 HHHHTT 3
HHHTHH 4 HHHTHT 5 HHHTTH 6 HHHTTT 7 HHTHHH 8 HHTHHT 9 HHTHTH a HHTHTT b
HHTTHH c HHTTHT d HHTTTH e HHTTTT f HTHHHH g HTHHHT h HTHHTH i HTHHTT j
HTHTHH k HTHTHT l HTHTTH m HTHTTT n HTTHHH o HTTHHT p HTTHTH q HTTHTT r
HTTTHH s HTTTHT t HTTTTH u HTTTTT v THHHHH w THHHHT x THHHTH y THHHTT z
THHTHH A THHTHT B THHTTH C THHTTT D THTHHH E THTHHT F THTHTH G THTHTT H
THTTHH I THTTHT J THTTTH K THTTTT L TTHHHH M TTHHHT N TTHHTH O TTHHTT P
TTHTHH Q TTHTHT R TTHTTH S TTHTTT T TTTHHH U TTTHHT V TTTHTH W TTTHTT X
TTTTHH Y TTTTHT Z TTTTTH * TTTTTT !
How good is your password? This question really is, how long does
an attacker have to work to guess your password? Trying 100,000
passwords (for example all English words and names) takes a few
seconds of computing time. Let's say 1 second per 50,000 passwords.
So guessing a password that is an English word (like "ladybug") can be
done in 2 seconds. Here's a table of how good a random password is:
|length||digits + lowercase letters||digits + lower + upper + two symbols|
|1 character||36||0 seconds||64||0 seconds|
|2 characters||1,296||0 seconds||4,096||0.1 seconds|
|3 characters||46,656||1 second||262,144||5 seconds|
|4 characters||1,679,616||34 second||16,777,216||6 minutes|
|5 characters||60,466,176||20 minutes||1.074x109||5.9 hours|
|6 characters||2.176x109||12 hours||6.872x1010||16 days|
|7 characters||7.836x1010||18 days||4.398x1012||2.78 years|
|8 characters||2.821x1012||2 years||2.815x1014||178 years|
|9 characters||1.016x1014||64 years||1.801x1016||11,416 years|
|10 characters||3.656x1015||2,317 years||1.153x1018||730,678 years|
On the other hand, if you gear your passwords to be breakable in a week, you can break them yourself if you ever have to. Most hackers are willing to take any account, not just yours, and will go on to easier targets if your password takes more than five minutes of computing time to break. Here is a page giving the hacker's perspective on passwords.