Thanks to pre-built software, password cracking keeps getting easier, and many users still don’t care. Even if you have nothing worth stealing, using strong passwords prevents attackers from using social engineering to get something that is worth taking. Attackers can glean parts of secret information from different sites, or hints from your Facebook profile, to get something valuable. Sophisticated tools also make it easier to use already-cracked simple passwords to crack other passwords. See “Why passwords have never been weaker—and crackers have never been stronger” at Ars Technica and take a look at some of the worst passwords in “10 of the worst passwords exposed by LinkedIn hack.”

Password dumping—public display of encrypted (and later possibly cracked) lists—has become more common, allowing both security professionals and thieves to learn more about password habits. Thieves may automate re-using your username and password on other sites. A short list of recent dumps from Ars:

What these dumps reveal is that many users still choose simple passwords: a real word, usually with a capital letter at the beginning and ending in a number. Cracking software tries this pattern first, starting with the most popular words. Slightly tougher passwords use a real word with two or more capitals somewhere in the middle, broken by a number or two. Better, play the license plate game to make a memorable password.

Tips

  • length should be at least 8 characters
  • use one or more capital letters in the middle
  • use numbers, but not just at the end
  • use at least one symbol if the site allows
  • use a password generator
  • never use the same password twice
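As an added example (not code from the original post), here is a small Python checker that applies the tips above to a candidate password and also flags the shape the post says crackers try first: one real word, capital letter at the start, digits at the end. The sample candidates and the SHA-256 digest store for the reuse check are constructed assumptions, not anything the post prescribes.

```python
import re
import hashlib

# The pattern the post says crackers try first: one real word, capital letter
# at the start, one or more digits at the end (e.g. "Welcome1").
FIRST_TRIED_PATTERN = re.compile(r"^[A-Z][a-z]+\d+$")


def check_password(pw: str) -> dict:
    """Evaluate a candidate against the tips above.

    Every key is True when the tip is satisfied, except 'first_tried_pattern',
    which is True when the candidate has the shape crackers attempt first.
    """
    middle = pw[1:-1]                       # exclude first and last character
    stripped = pw.rstrip("0123456789")      # drop the trailing run of digits
    return {
        "length_ok": len(pw) >= 8,
        "capital_in_middle": any(c.isupper() for c in middle),
        "digit_not_only_at_end": any(c.isdigit() for c in stripped),
        "has_symbol": any(not c.isalnum() for c in pw),
        "first_tried_pattern": bool(FIRST_TRIED_PATTERN.match(pw)),
    }


def failed_tips(pw: str) -> list:
    """Names of the tips a candidate fails, in the order the post lists them."""
    r = check_password(pw)
    failed = [k for k in ("length_ok", "capital_in_middle",
                          "digit_not_only_at_end", "has_symbol") if not r[k]]
    if r["first_tried_pattern"]:
        failed.append("first_tried_pattern")
    return failed


def password_digest(pw: str) -> str:
    """SHA-256 hex digest, so a 'passwords already used' store holds no plaintext."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def is_reused(pw: str, seen_digests: set) -> bool:
    """'Never use the same password twice': assumed digest store, not the post's."""
    return password_digest(pw) in seen_digests


if __name__ == "__main__":
    # Constructed sample candidates, not taken from the post.
    for candidate in ("Welcome1", "password", "2Gr8t0Be!"):
        print(candidate, "->", failed_tips(candidate) or "passes all tips")
```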

Passwords are easier to remember if you type them every time instead of letting your browser remember them for you. Also, you may try a secure password organizer to store passwords (and other info), such as 1Password, available for Mac, iPhone, and iPad.