Troy Hunt analyzes passwords compromised in the Sony Pictures breach. Now, obviously even the best password in the world isn't going to help you if you're using a site maintained by people too stupid to even hash the fucking thing, but of course you can minimize the damage by only using it once.
And yes, we all know the rules: use a random and unique password for every site you go to, with a mix of caps and lowercase, numbers and symbols. In practice that's a lot easier said than done, and the final line of the post pretty much nails the dilemma: "The only secure password is the one you can’t remember."
There are tools that make the situation easier. APG (Automatic Password Generator) is a command-line tool that generates pseudo-random passwords that are pronounceable and thus easier to remember, like these examples:
BedCyctyiv5 (Bed-Cyct-yiv-FIVE)
OlOdlukteog1 (Ol-Od-luk-te-og-ONE)
Donrikvof2 (Don-rik-vof-TWO)
PobTabIas2 (Pob-Tab-Ias-TWO)
ubNoivoc1 (ub-Noiv-oc-ONE)
kandOjvuec3 (kand-Oj-vuec-THREE)
While technically it's a much smaller pool of possible passwords than a truly random password, it's still orders of magnitude bigger than an all-lowercase password, even a non-dictionary one; it provides a password that's not going to be found in any rainbow tables but is easier to remember than something that's completely random.
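To put numbers on that trade-off, here is a small added example in Python; it is not code from this post or from APG itself. The consonant and vowel tables and the CV/CVC syllable shapes are my own simplified assumptions, not APG's real generation tables. It generates pronounceable passwords from uniformly chosen syllables (each syllable capitalized or not, plus a trailing digit) and then reports the size of the guess space in bits next to what a fully random string of the same length would give, so you can see exactly how much pronounceability costs.

```python
import math
import secrets

# Constructed syllable alphabet (assumption: a toy scheme for illustration,
# not APG's actual tables).
CONSONANTS = "bcdfghjklmnprstvwxz"   # 19 letters
VOWELS = "aeiouy"                    # 6 letters

# Enumerate every syllable the scheme can emit: CV and CVC shapes.
# Choosing uniformly from this flat list keeps the entropy easy to compute.
SYLLABLES = (
    [c + v for c in CONSONANTS for v in VOWELS]
    + [c + v + c2 for c in CONSONANTS for v in VOWELS for c2 in CONSONANTS]
)


def syllable_space() -> int:
    """Distinct (syllable, capitalised-or-not) choices per position."""
    return len(SYLLABLES) * 2


def pronounceable_password(n_syllables: int = 3, rng=secrets) -> str:
    """Build a password from n uniformly chosen syllables, each independently
    capitalised or not, followed by one digit. Uses the secrets module so the
    choices come from the OS CSPRNG rather than random.random()."""
    parts = []
    for _ in range(n_syllables):
        syl = rng.choice(SYLLABLES)
        if rng.randbelow(2):
            syl = syl.capitalize()
        parts.append(syl)
    return "".join(parts) + str(rng.randbelow(10))


def pronounceable_bits(n_syllables: int = 3) -> float:
    """Guess-space size in bits: every step above is a uniform choice, so the
    total is the product of the per-step choice counts."""
    return n_syllables * math.log2(syllable_space()) + math.log2(10)


def random_bits(length: int, alphabet_size: int) -> float:
    """Bits for a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def compare(n_syllables: int = 3) -> dict:
    """Generate one sample and line its guess space up against fully random
    strings of the same length (lowercase only, and mixed-case alphanumeric)."""
    pw = pronounceable_password(n_syllables)
    length = len(pw)
    return {
        "sample": pw,
        "length": length,
        "pronounceable_bits": round(pronounceable_bits(n_syllables), 1),
        "lowercase_bits_same_length": round(random_bits(length, 26), 1),
        "mixed_alnum_bits_same_length": round(random_bits(length, 62), 1),
    }


if __name__ == "__main__":
    for _ in range(5):
        print(compare())
```

Run it a few times and watch the three bit counts: the pronounceable scheme is fixed at roughly 40 bits for three syllables regardless of how long the output happens to be, while the fully random columns grow with length. That gap is the price of memorability, and it is the reason the post's real advice (unique per site, so one leaked hash burns only one account) matters more than squeezing out a few extra bits.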
I'm not sure what the closest Windows equivalent is and a quick Google search doesn't give me enough information to recommend something (given that this is, of course, a situation where you want to make damn sure you get your program from a reputable source). If anyone has any recommendations, please feel free to share with the class.
I fear shit like this is going to get worse and worse in the weeks and months to come. Sooner or later, odds are pretty good that a site you use is going to get cracked. So be sure to use strong, unique passwords to minimize the harm.