PostPosted: Tue Nov 15, 2011 8:17 AM 
The Lurker at the Threshold

Joined: Mon Oct 31, 2005 2:54 PM
Posts: 4156
Location: Atlanta, GA
EQ1: Vanamar
WoW: Kallaystra
Rift: Tarathia
First, a quick primer on what a secure password really is.

A password like "F442lc!#e4ty" is not inherently more secure than something like "l4nysTvl1ru13z". The second password actually has a distinct advantage in that you can most likely remember it.

Passwords should be easy to remember, but hard to guess. Don't use single words with numbers at the end as passwords, like "computer96" or even "Comput3r96" -- common words with number<->letter substitutions and all conceivable numbers at the end, middle or beginning have already been calculated, and put into something that hackers and security researchers call "rainbow tables" -- http://en.wikipedia.org/wiki/Rainbow_table -- a large text file containing both a list of easy to guess passwords along with common password hashes (used for server side password encryption), so if someone compromises the Lanys forums and they get a copy of the username/password database, all they have to do is take the list of encrypted passwords and compare against the rainbow table.

Forum software (and many other backend programs like shopping carts and online banking) get around this by using either a) a password algorithm developed in house and not revealed via their programming, or b) something called a "salt", which they append to your password before running it through a hashing algorithm.

To create more secure passwords, you can string together four words that have nothing in common -- for example "globemotoroceancloud" or "correcthorsebatterystaple" ( http://xkcd.com/936/ )

-------------------------

A better option, and the one I use, is to use an encrypted password file. I use Keepass ( http://keepass.info/ )

This program creates a single file, protected by a single phrase (make it something hard to guess, as above, but something you can remember). Once you create/open the file, you can create random passwords of any length, containing any combination of characters you like. You can then, without actually exposing the password to yourself, copy and paste this password into login fields for any website or application. I use this to generate passwords for my email, bill payments and online banking sites, along with any other account with sensitive information like Amazon, Newegg or even battle.net.

-------------------------

If you have the option for two factor authentication (example: a battle.net authenticator token/smartphone program), then you should definitely take advantage of it. Except in exceedingly rare cases where the entire backend is compromised (see the RSA hack from earlier this year), two factor authentication is completely unbreakable. Many banks now offer tokens to allow for two factor authentication to be used to secure your bank accounts. Blizzard and Trion offer tokens and smartphone programs to do two factor for WoW/SC2 and Rift (and Bioware/EA are shipping a token with the SW:TOR CE; I'm not sure about the standard edition).

Even GMail supports two factor authentication via smartphone app (Android and iPhone, not sure about other smartphones).

-------------------------

You should also always have completely up to date antivirus software. If you run Windows XP, Vista or 7, then I highly recommend Microsoft Security Essentials. It is a very well done (and free) antivirus program. I can no longer in good conscience recommend AVG as a free solution as they have had some nasty QA problems with their stuff in recent months.

For paid solutions, Kaspersky, Avira or NOD32 are good options. Norton and McAfee are also "okay", but I consider them to be too expensive for what they provide relative to the three cheaper options I listed first.

_________________

World of Warcraft: Kallaystra, Gweila, Steakumn, Tarathia [ Feathermoon/Horde ]

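The rainbow-table and salt points in the post above, shown as an added example (not from the post or from any forum software): an unsalted store gives every user who picked "password" the same hash, so one precomputed table built from a common-password list recognises it instantly, while a random per-user salt plus a slow KDF gives different digests for the same password and can only be checked with the stored salt. The candidate list and user passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: a few entries of the kind that appear on "worst passwords" lists.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "trustno1"]

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical input gives an identical hash for every user and
    every site, which is exactly what makes a precomputed table reusable."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_lookup_table(candidates) -> dict:
    """hash -> password for a candidate list (a rainbow table is this idea with a
    time/memory trade-off on top)."""
    return {unsalted_hash(p): p for p in candidates}

def recover_unsalted(stored_hashes, table) -> list:
    """Defender's check: which stored unsalted hashes does the table recognise?"""
    return [table[h] for h in stored_hashes if h in table]

def salted_record(password: str, iterations: int = 100_000) -> dict:
    """Store a random 16-byte salt and a PBKDF2-HMAC-SHA256 digest. The salt
    defeats precomputation; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}

def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])

def demo() -> dict:
    # Constructed users: two chose "password", one chose a four-word passphrase.
    unsalted = [unsalted_hash("password"), unsalted_hash("password"),
                unsalted_hash("correcthorsebatterystaple")]
    hits = recover_unsalted(unsalted, build_lookup_table(COMMON_PASSWORDS))
    a, b = salted_record("password"), salted_record("password")
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],  # same hash for both users
        "table_hits": hits,                                 # both recovered at once
        "salted_identical": a["digest"] == b["digest"],     # different despite same password
        "verify_ok": verify_salted("password", a),
        "verify_wrong": verify_salted("passw0rd", a),
    }
```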
PostPosted: Thu Nov 17, 2011 4:44 PM 
Trolling like there is no tomorrow!

Joined: Mon Jul 04, 2005 5:35 PM
Posts: 3926
Great tips, thanks.

Curious about one thing though, and would be interested in your take on it. Copy/pasting passwords seems like a really common tactic from what I've heard around forums and amongst friends... I find it concerning because I've heard a few stories about trojans and other hacks that were able to grab the clipboard easily enough and get the password when you copy/paste.

Another idea that seems more effective is to find a program where you point and click your password. At the very least, the hacker would need to know the specific mouse coords assuming they were logged somehow. I've known a few people who use this method as well.

Totally agree with the two-factor key though; seems nearly foolproof (assuming someone doesn't find out the algorithms using the time stamps, I'm guessing).

PostPosted: Thu Nov 17, 2011 6:34 PM 
The Lurker at the Threshold

Joined: Mon Oct 31, 2005 2:54 PM
Posts: 4156
Location: Atlanta, GA
EQ1: Vanamar
WoW: Kallaystra
Rift: Tarathia
It's easier to hijack a program that hooks into the mouse click API than it is to steal info from the clipboard, and Keepass clears the clipboard of all data after it detects a paste.

_________________

World of Warcraft: Kallaystra, Gweila, Steakumn, Tarathia [ Feathermoon/Horde ]

PostPosted: Tue Nov 22, 2011 6:09 AM 
Trakanon is FFA!

Joined: Wed Dec 14, 2005 2:05 AM
Posts: 1462
Location: Seattle, WA
EQ1: Tranthas
WoW: Niali
http://xkcd.com/936/

PostPosted: Tue Nov 22, 2011 6:13 AM 
The Lurker at the Threshold

Joined: Mon Oct 31, 2005 2:54 PM
Posts: 4156
Location: Atlanta, GA
EQ1: Vanamar
WoW: Kallaystra
Rift: Tarathia
Linked to in my post Tran. :P

_________________

World of Warcraft: Kallaystra, Gweila, Steakumn, Tarathia [ Feathermoon/Horde ]

PostPosted: Tue Nov 22, 2011 12:37 PM 
Fell for 50,000 points of Damage

Joined: Sat Aug 18, 2007 1:31 PM
Posts: 526
EQ1: Miramicha - retired
WoW: Miramicha - retired
Eve Online Handle: Jake Rivers - active
Astro Empires: Miramicha - simmer
The full top 25 list of the worst online passwords, according to SplashData:

password
123456
12345678
qwerty
abc123
monkey
1234567
letmein
trustno1
dragon
baseball
111111
iloveyou
master
sunshine
ashley
bailey
passw0rd
shadow
123123
654321
superman
qazwsx
michael
Football

_________________
Jake Rivers - Senex Legio
Get off my Lawn alliance

PostPosted: Tue Nov 22, 2011 4:57 PM 
Trakanon is FFA!

Joined: Wed Dec 14, 2005 2:05 AM
Posts: 1462
Location: Seattle, WA
EQ1: Tranthas
WoW: Niali
Dammit! So it is. It's brilliant.

PostPosted: Tue Nov 22, 2011 5:19 PM 
Cazic Thule owned RoA

Joined: Wed Jul 06, 2005 7:19 AM
Posts: 1656
Location: Baltimore, MD
EQ1: Sarissa Candyangel
WoW: Sarix
Lots of those are 8 characters or fewer as well; that's trivial to brute force. There are statistical engines that can cut guessing time in half. People are just more likely to pick certain letters, numbers, and symbols over others. It's spooky but it works.

Login attempt limits keep folks with shitty passwords semi-safe, but when you hear about a database being stolen or a hashdump it's a big deal. Even a good password should be changed when that happens.

Gmail has pretty strong two-factor authentication now and is great to use as a registration address for sites.

Your login ID is also part of your password. Protect it. Don't use a character name. That's why they let you choose a forum name separate from your account name.

Also, the holidays are coming up. If you feel the urge to open up the latest trojaned turkey catapult or elf punching game you got passed on email... don't. Or at least do it in a virtual machine.

PostPosted: Wed Nov 23, 2011 4:25 AM 
Trakanon is FFA!

Joined: Wed Dec 14, 2005 2:05 AM
Posts: 1462
Location: Seattle, WA
EQ1: Tranthas
WoW: Niali
That virtual machine thing is total illusion. Stolen information remains stolen when you wipe the VM.

PostPosted: Wed Nov 23, 2011 5:06 AM 
Cazic Thule owned RoA

Joined: Wed Jul 06, 2005 7:19 AM
Posts: 1656
Location: Baltimore, MD
EQ1: Sarissa Candyangel
WoW: Sarix
True, so don't access anything important after punting unicorns in the VM. Just shut it down or reboot the ISO. The internet AIDS remains contained to that session.

PostPosted: Wed Nov 23, 2011 7:00 AM 
The Lurker at the Threshold

Joined: Mon Oct 31, 2005 2:54 PM
Posts: 4156
Location: Atlanta, GA
EQ1: Vanamar
WoW: Kallaystra
Rift: Tarathia
Non-persistent virtual machines are an advanced topic outside of the scope of my original post. I use them semi-religiously myself.

_________________

World of Warcraft: Kallaystra, Gweila, Steakumn, Tarathia [ Feathermoon/Horde ]

PostPosted: Fri Oct 25, 2013 7:50 AM 
The Lurker at the Threshold

Joined: Mon Oct 31, 2005 2:54 PM
Posts: 4156
Location: Atlanta, GA
EQ1: Vanamar
WoW: Kallaystra
Rift: Tarathia
I've recently stopped using Keepass and have moved on to Dashlane, because it removes the necessity of having to keep my database file updated via Dropbox, and supports two factor authentication.

_________________

World of Warcraft: Kallaystra, Gweila, Steakumn, Tarathia [ Feathermoon/Horde ]
