Eight-character passwords are inadequate now ... If eight characters is all you use, and if you restrict your characters to only alphabetic letters, it can be cracked in minutes
The problem with using a password that has at least 12 randomized characters is that I will not remember it. I guess I could keep a password file in my file cabinet.
That is a very real problem. What will happen is people will start using passwords like maryhadalittlelamb. It has lots of letters, so it should be crack proof, right? More likely it's one of the easiest passwords to crack, even if you replace the vowels with numbers, and most places I've had to input passwords don't allow anything but numbers and letters.
"I guess I could keep a password file in my file cabinet."
...which is exactly what ends up happening when you have to change your password every two weeks. Makes the whole passwords-as-protection issue moot, doesn't it?
This is a bit of a silly comment. Sure a computer could iterate through all possible combinations in that time, but how many could it submit to any reasonable password server? Most lock you out for some time after a few mistakes.
I know mine at work does after 3 tries. (Been there, done that more than once.) The place that manages my 401K locks you out and my work administrator has to call their network administrator to reset the password then I have to change that the first time I log on after. (Been there and done that too.)
It's impossible to keep a different password for every site I choose to visit that requires one. Therefore I have a set of them I use depending on how secure I want my password to be. That's not the best solution, but it's the best solution I can come up with that is manageable for me.
That is the solution that I use, so it seems to be not too bad (with 2 respondents to the poll...)
How are we supposed to remember a 12 digit random collection of characters and change it every 3 months? That's near impossible for most people. I would hate to have to add a post-it note to my monitor with my password.
Question: Are sentences safe? Something like 'Iskippedtothestoretobuyicecream' or something. Or do the hacking tools have an easier time cracking words embedded inside the password? I know if my password exists in a dictionary that is easy to crack. But what about sentences?
What's recommended is similar to what you're saying about a sentence. Like your example of "I Skipped To The Store To Buy Ice Cream". You would use the first letter of each word in that phrase or sentence, then change maybe one to a capital letter and add a few numbers and a symbol.
So it would be something like: isttStbic*615
Sentences are safe enough if you replace at least one letter in each word with a random number or symbol. Code cracking software looks for word combos, but "b0ok" doesn't fit a computer's definition of a word, though a human can look at it and see exactly what it is. I personally like using strange book titles since most password systems have a maximum allowable length.
My work suggested we build our passwords out of the 1st or 2nd letter of each word in a phrase or sentence and tack a number and symbol on. Example: "I like apple jelly on my wheat toast" becomes ilajomwt3 or iipenyh#
There is a defense against this hack, which involves literally zillions of password guesses in a few seconds. The bank server simply refuses to accept more than 3 or so password attempts to that account without shutting off access for a certain amount of time. That is what happens when you get a message after mistyping your password a couple of times when trying to log on, a message that says something like "too many password attempts, access denied until reset".
Don't allow the auto-fill feature on your computer. Never put in your real birthdate. And always log out from a site you like to visit. Do not use the same password for all sites. And change them about once a month or more. This is good advice I have picked up over the years. I always do the first three. I will have to start changing passwords more often and adding more characters.
We may soon all have to get a random password generating device which would work by repeatedly spitting out a random letter or numeral. You would have to generate 12 (or more) random characters in a row, writing each one down until you have a long enough password. Of course you would have to keep written copies of the passwords; the idea is that they would be as impossible to remember or guess as possible. You might be able to get a fake log-on name that is hard to guess, which acts like an extra password.
The risk isn't from a hacker accessing the bank site; it's from someone getting hold of the database. Once they have that, they can make as many attempts as they want to break the encrypted passwords in the database.
This sort of attack presumes an attacker has access to the hashed passwords. That is rarely true these days, so the whole premise is pretty shaky...
...But I thought you were SUPPOSED to use Trojans when 'you screwed'....
After a recent attack on a local online service resulted in over 40,000 user accounts stolen, and many subsequent identity thefts, I wrote a blog post about a password manager I use called 'LastPass', so my friends and family start protecting themselves. I wrote they could start with 8 character passwords, although I recommend 16, but I should really update it now. In any case the post is very useful, and has detailed how-to texts and videos I made. I'd love for you to check it out and let me know if it was useful:
http://addicted2tech.org/2010/08/14/how-to-protect-your-online-identity-using-lastpass-password-manager/
There's a flip side to this, too; it's the websites. Some websites that you think should be "secure" actually do not let you choose secure passwords. For example, my bank, for some reason I cannot fathom, allows passwords UP TO 8 characters, no special characters allowed. Why? WHY? Why do you force me to make my account less secure than it can be?
With cheap cores, passwords are dead. You can crack even a 12-16 character length in seconds. Time for corporations to look at multi-factor and protecting your data - they just don't want to because of the cost. Make it an issue with them.
Lots of information going around here. 3 truths to leave you all with:
1. It doesn't matter whether your bank/company/whatever locks you out after 3 failed attempts - the crackers don't use the username/password interface to crack the password, they steal your password hash (kinda like a fingerprint of your password, but not the password itself) and crack IT. (stealing the hash is actually kind of easy in some cases) They can then use the cracked password through the normal interface to access your goodies.
2. Longer is better than more complex. Each additional character effectively doubles the amount of cracking time required to break a password (e.g. a 13-character password takes twice as long to brute-force as a 12-character password). To contrast, a seven-character password with insane complexity can generally be cracked in less than one day on a single Pentium-class computer - even faster (measured in seconds) if precomputed rainbow tables (around 80 GB worth) are used. Someone asked about using sentences - that is a nice idea. Feel free to use spaces too. A password like "I love my kitty, she's 4 years old." is orders of magnitude more difficult to crack than "^gJ2)&$". Properly formatted sentences (and paragraphs!) also have reasonable complexity: uppercase, lowercase, some symbols, an occasional number, etc. For even greater security, you can also intentionally misspell words.
3. If you are ultra-paranoid, consider using characters from the ASCII or Unicode character sets. This is like doing password complexity on steroids. If your adversary only has to try passwords with characters from a set of around 110 possible characters, the job is possible. If your adversary has to try passwords from a list of 65,536 possible characters, the job is near impossible - especially if it's a long password. The downside to this is that most websites can't handle passwords with these characters. The OS you are running on probably can.
If you would like to have unique passwords for every website, but don't have android-like memory, consider using PasswordSafe. (http://www.schneier.com/passsafe.html)
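To put numbers on points 2 and 3 above, here is an added example (editor's code, not from the commenter or from PasswordSafe) that estimates the brute-force search space of a password from the character classes it uses, so the sentence and the seven-character password from the thread can be compared directly. It assumes an attacker who must cover the whole class alphabet (95 printable ASCII characters, or the 65,536-symbol alphabet quoted above for non-ASCII); the guess rate is a constructed figure, and the bound says nothing about dictionary attacks, which is why "maryhadalittlelamb" scores far better here than it deserves.

```python
import math
import string

# Character classes an exhaustive search would have to cover, with their sizes.
# Printable ASCII plus space totals 95; the thread's "around 110" is the same idea.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}
UNICODE_ALPHABET = 65536  # the 65,536-symbol alphabet cited in point 3 (assumption: BMP)


def alphabet_size(password: str) -> int:
    """Size of the union of character classes present in the password.

    Any character outside printable ASCII pushes the attacker to the full
    65,536-symbol alphabet, as point 3 above argues."""
    if any(ord(c) > 126 for c in password):
        return UNICODE_ALPHABET
    return sum(n for chars, n in CLASSES.values() if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search must cover.

    Each extra character multiplies the space by the alphabet size, so the
    bit count grows by log2(alphabet) per character."""
    return len(password) * math.log2(alphabet_size(password))


def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case exhaustive-search time at a constructed guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # constructed: 10 billion guesses per second against a fast hash
    for pw in ["^gJ2)&$", "maryhadalittlelamb", "I love my kitty, she's 4 years old."]:
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, "
              f"{crack_seconds(pw, rate):.3g} s worst case")
```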