Ars:
Why passwords have never been weaker—and crackers have never been stronger

tl;dr Increasing processing power and a much larger sample size of existing compromised passwords.
tl;dr the tl;dr: Everything that makes a password easier to remember makes it easier to guess.
So what can the average person do to pick a passcode that won't be toppled in a matter of hours? Per Thorsheim, a security advisor who specializes in passwords for a large company headquartered in Norway, said the most important attribute of any passcode is that it be unique to each site.
"For most sites, you have no idea how they store your password," he explained. "If they get breached, you get breached. If your password at that site is unique, you have much less to worry about."
It's also important that a password not already be a part of the corpus of the hundreds of millions of codes already compiled in crackers' word lists, that it be randomly generated by a computer, and that it have a minimum of nine characters to make brute-force cracks infeasible. Since it's not uncommon for people to have dozens of accounts these days, the easiest way to put this advice into practice is to use a program such as 1Password or PasswordSafe. Both apps allow users to create long, randomly generated passwords and to store them securely in a cryptographically protected file that's unlocked with a single master password. Using a password manager to change passcodes regularly is also essential.
Given the sophistication of the crackers, anything less simply means your password is trivial to break.
As more and more people carry smartphones, this becomes a more and more feasible way to manage your passwords. Of course, the problem then becomes what happens when you lose your phone -- if the master password is, itself, strong, then you're probably safe, but you just lost all your passwords unless you've got a backup somewhere (which itself represents one more point of failure in your security scheme).
Of course, "What happens if you lose your password?" isn't just about vulnerabilities in YOUR recovery scheme -- it doesn't fucking matter how strong your password is if somebody can just call in and bluff tech support into resetting it, as Mat Honan recently demonstrated.
The whole scheme is fucking broken, and we need to get off human-generated passwords entirely. In the meantime, at least Google is offering two-factor authentication (is it still two-factor if you're using the same phone to store your password as you're using to receive the one-time key?) -- course, that doesn't protect your Google account from Google.