Basic advice for users

* Password cracking programs can quickly crack weak passwords by brute-force search (e.g. trying all possible short passwords, trying variations of words in a dictionary, etc.). Weak passwords include:

    • Too short (8 or fewer characters)
    • Small alphabet (e.g. only lowercase letters with no uppercase or digits)
    • Dictionary words (e.g. "elephant")
    • Variations of dictionary words (e.g. simple variants "Elephant1", leet variants "313ph@nt", reversed spelling "tnahpele", etc.)

* Therefore, use longer passwords (at least 12 characters are typically recommended now) with digits, mixed-case letters, and not just dictionary words. Use some non-digit, non-letter "special characters" if possible. (Alas, many websites stupidly disallow them.)

* Use a unique password at each important site (financial websites, primary email website, etc.)

* Preferably use a unique password at every site. This is easier to do than you may think, using one of these techniques:

This is not just theoretical paranoia. I personally know someone who used the same password for their gmail account and for other websites, and her gmail account got hijacked as a result - not because gmail was insecure, but because one of the many other sites was insecure. And if someone gets access to your email, they probably will quickly know many other sites where you have an account, including your financial sites.

Search the web and you'll find that this happens very often. Most websites have crappy security, often even storing users' passwords in plain readable text, so even one weak website makes using the same password everywhere very risky, even if it's a very long, strong password.
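The weak-password categories listed above (too short, small alphabet, dictionary word, simple/leet/reversed variants) can be turned into a checker, and the brute-force argument can be made concrete by computing the size of the search space an attacker would have to cover. The following is an added example written for this page, not code from the original author. It assumes a tiny constructed word list (a real checker would load a full dictionary), treats the 33 printable ASCII punctuation characters plus space as the "special" class, and uses an assumed guess rate of 10^10 per second purely to illustrate how quickly short or small-alphabet passwords fall.

```python
import math
import re

# Constructed mini word list for the demo. Assumption: a real checker would
# load a full dictionary; the page names no particular list.
DICTIONARY = {"elephant", "password", "welcome", "dragon", "monkey", "sunshine"}

# Common "leet" substitutions mapped back to letters, so that a variant such
# as "313ph@nt" normalises to "elephant" before the dictionary lookup.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# Character classes and the number of symbols each contributes to the
# alphabet an attacker must search. The 33 for "special" is an assumption
# (printable ASCII punctuation plus space).
CLASSES = {
    "lowercase": (r"[a-z]", 26),
    "uppercase": (r"[A-Z]", 26),
    "digits": (r"[0-9]", 10),
    "special": (r"[^A-Za-z0-9]", 33),
}

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption for illustration only


def character_classes(password):
    """Names of the character classes actually present in the password."""
    return [name for name, (pattern, _) in CLASSES.items() if re.search(pattern, password)]


def alphabet_size(password):
    """Size of the symbol alphabet a brute-force search has to cover."""
    return sum(CLASSES[name][1] for name in character_classes(password))


def brute_force_bits(password):
    """Upper bound on the search space, in bits: length * log2(alphabet)."""
    size = alphabet_size(password)
    return 0.0 if size == 0 else len(password) * math.log2(size)


def worst_case_crack_seconds(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Seconds to exhaust the whole search space at the assumed guess rate."""
    return 2 ** brute_force_bits(password) / guesses_per_second


def dictionary_base(password):
    """Return the dictionary word the password is (a variant of), or None.

    Handles the variants named on the page: a short trailing suffix
    ("Elephant1"), leet substitutions ("313ph@nt") and reversed spelling
    ("tnahpele").
    """
    core = re.sub(r"[\d\W_]{1,3}$", "", password)  # drop e.g. "1", "!", "-42"
    candidates = {core.lower(), core.translate(LEET_MAP).lower()}
    candidates |= {c[::-1] for c in list(candidates)}  # reversed spellings
    for candidate in candidates:
        if candidate in DICTIONARY:
            return candidate
    return None


def weaknesses(password):
    """List which of the page's weak-password categories apply."""
    problems = []
    if len(password) <= 8:
        problems.append("too short")
    if len(character_classes(password)) <= 1:
        problems.append("small alphabet")
    base = dictionary_base(password)
    if base is not None:
        if base == password.lower():
            problems.append("dictionary word")
        else:
            problems.append(f"variant of dictionary word '{base}'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords covering each category on the page.
    for pw in ["elephant", "Elephant1", "313ph@nt", "tnahpele", "Xk9#pL2$wQ7!",
               "correct-horse-battery-staple-42"]:
        print(f"{pw!r:36} {brute_force_bits(pw):6.1f} bits  "
              f"worst case {worst_case_crack_seconds(pw):.3g} s  "
              f"{weaknesses(pw) or ['no listed weakness']}")
```

The search-space figure is only an upper bound: a cracker that tries dictionary variants first never has to exhaust it, which is exactly why a long password built from a dictionary word still fails the `weaknesses` check even though its bit count looks respectable.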