How to make your password secure and harder to crack.

Getting hacked is becoming an Internet rite of passage. Consider 2012 alone: First Zappos was hacked, its customers' passwords and other personal information exposed. Then LinkedIn announced that its users' passwords had been compromised. Then eHarmony. Then Yahoo. More than 30 million users' passwords were stolen. The growing, painful password problem is twofold: Hackers have gotten very good at what they do, with more capable tools than ever, and those tools can work so well because we are still really bad at choosing—and remembering—passwords.
Coming up with a password is a compromise between security and convenience. Very complex passwords are highly secure but difficult to remember. To make them work, users end up in a constant loop of resetting forgotten passwords or relying on writing them down on sticky notes. Simpler passwords are easier for us to remember but all too easy for others to discern. Even if you think your pet's name is rare and choose SenorFluffypants as a password, that information would be easy for an adversary to find on, say, Facebook. Because passwords are annoying and tedious to keep track of, most of us resist changing our obvious passwords, many of which can be found in leaked databases. The top passwords of 2012 remain what they have been for years: password, 123456, and 12345678.
Passwords like those are especially easy to crack, says Peter Theobald of KLG Computer Forensics. "Anyone with a password that can be found in the dictionary, even if it's a minor variation followed by a number, gets found quickly," he says.
It's possible that one or more of your passwords has already been stolen (you can check PwnedList, an online database with more than 966 million compromised passwords on file), but even if it hasn't, relying on weak passwords is a fool's game. Once hackers get into an account, they immediately start searching for any linked or related accounts. Before long, a complete stranger could be wreaking havoc on your social reputation, credit rating, and finances. If you suspect that one of your online accounts has been hacked, immediately change the passwords on any other important account you have; hackers have programs designed to try the cracked password at other sites. Even if you've been smart enough to maintain separate passwords for different accounts, hackers will leverage access to your email to reset passwords for other sites. ("Forgot your password? Have a new one sent to your email account.") But when you do reset passwords, don't repeat mistakes of the past. There are ways to make passwords both secure and memorable.
It's not all that hard to turn a mediocre password into a great one. All it takes is the addition of some strategically placed numbers and symbols—and a good base word or phrase in the first place (which means saying goodbye to pet names and favorite sayings). Below, we chart a password's journey from weak to strong, showing how long it would take for a commonly used algorithm to crack each version.
Password: Aquarius
Time to Crack: 9.08 Minutes
Password: Aquarius1
Time to Crack: 1.59 Days
Password: Aquar$ius1
Time to Crack: 19.24 Years
Password: Aqu57ar$iu3s
Time to Crack: 17,400,000 Years
What makes a good password? Using upper and lower cases, symbols, and numbers does matter. These tactics increase entropy (a measure of how random, and therefore how hard to guess, your passwords are), as well as the time it takes for a program to crack your password with brute force. The password ninja, for example, could be cracked by software in just 0.000124 seconds. N!nj4 is an improvement at 2.98 months for an online attack or 0.0782 seconds offline, but those times are probably an overstatement, because hackers are on to our predictable patterns. (You can check your passwords' "crackability" at security firm Gibson Research Corporation's site by clicking Password Haystacks at grc.com.)
To make a password more secure, add those special characters in unpredictable places and increase the length, which is the most important factor in password strength. For example, ninja!!!!!!! (12 characters, with one repeated special character) would take 5.75 hundred million centuries in an online attack and 5.75 centuries offline, despite being all lowercase and lacking numbers. So when picking a password with up to 14 characters allowed, use all 14 characters.
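The arithmetic behind the crack times quoted above, as an added example that is not part of the original article. It assumes an exhaustive search over every string up to the password's length, 33 printable symbols, and guess rates of 1,000 per second online and 100 billion per second offline; those rates are assumptions chosen because they reproduce the article's figures to within rounding.

```python
# Added example: brute-force search-space estimate for the passwords in the text.
# Assumed model: the attacker tries every string of length 1..len(password)
# drawn from the character classes the password uses.
SYMBOLS = 33                      # printable ASCII punctuation, space included
ONLINE_RATE = 1_000               # guesses per second (assumed)
OFFLINE_RATE = 100_000_000_000    # guesses per second (assumed)

def alphabet_size(password):
    """Sum the sizes of the character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size

def search_space(password):
    """Count every candidate of length 1 up to the password's length."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def seconds_to_exhaust(password, rate):
    """Worst-case time to try the whole search space at a given guess rate."""
    return search_space(password) / rate

def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    units = [("centuries", 86400 * 365 * 100), ("years", 86400 * 365),
             ("days", 86400), ("seconds", 1)]
    for name, length in units:
        if seconds >= length:
            return f"{seconds / length:,.2f} {name}"
    return f"{seconds:.6f} seconds"

if __name__ == "__main__":
    # Passwords taken from the article. Length dominates: the all-lowercase
    # 12-character entry outlasts the 5-character one that uses all four classes.
    for pw in ("ninja", "N!nj4", "ninja!!!!!!!"):
        print(f"{pw:14} alphabet={alphabet_size(pw):3} "
              f"online={humanize(seconds_to_exhaust(pw, ONLINE_RATE))}, "
              f"offline={humanize(seconds_to_exhaust(pw, OFFLINE_RATE))}")
```

These are upper bounds for a blind search only; a dictionary or pattern-based attack finds ninja or N!nj4 far sooner, which is why the article calls the times an overstatement.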
The No. 1 password rule, though, is to use a unique password for each of your log-ins. Brandon Gregg, the senior global investigations manager at Seagate Technology, explains: "A unique password is hard to crack and hard to hack even if it's leaked by one website."
This brings us to another challenge: We use a lot of password-protected online services. It seems like a herculean task to come up with a strong and unique password for each one—and remember them all.
There are two schools of thought on this problem. You can use a password management tool, such as LastPass or KeePass, to generate a long, complex password for each site and remember every one for you, leaving you with only one (hopefully very secure) master password to recall. Or you can use a unique pass phrase for each of your log-ins, avoiding the off-chance that you completely lock yourself out of all of your accounts if you forget the master password.
Using a pass phrase of random words, such as correcthorsebatterystaple (as popularized by the xkcd Web comic) is significantly harder for a computer to guess than something like Tr0ub4dor&3—while also being easy for a human to memorize.
For a pass phrase to be effective, though, it needs to be not only long and memorable, but also difficult to guess by others (even those who know you). That means generating random pass phrases (using a tool like Diceware or the xkcd Password Generator) or picking arbitrary words (as arbitrary as your subconscious allows). You can make a pass phrase even more secure by adding special characters, as in c0rrecthorseb@tterystaplE. To account for the need to have a unique phrase for each site, include a clue to the site name. For example, for Facebook, c0rrecthorsebatterystaplE@zuck; for Gmail, c0rrecthorsebatterystaplE@envelope.
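One way to generate a random pass phrase and measure its strength, as an added example that is not from the article or from the Diceware or xkcd tools. The 32-word list is constructed for illustration; a real Diceware list has 7,776 words (five dice rolls, 6^5), and the function names are hypothetical.

```python
# Added example: random pass phrase generation with an entropy estimate.
import math
import secrets

# Constructed sample list (32 words = 5 bits per word). Substitute a full
# Diceware list (7,776 entries) for real use.
SAMPLE_WORDS = [
    "anchor", "basil", "cactus", "dune", "ember", "fjord", "garnet", "harbor",
    "igloo", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bramble", "copper", "drift", "elm", "flint",
]

def generate_passphrase(words, n_words, sep=" "):
    """Pick n_words uniformly at random using the OS CSPRNG (not random.choice)."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates; entropy would be overstated")
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(list_size, n_words):
    """Bits of entropy when every word is drawn uniformly and independently.

    This holds even if the attacker knows the list and the number of words.
    It does not hold for words a person picks, or for a phrase re-rolled
    until it looks pleasing.
    """
    return n_words * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest word count that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    print("sample phrase:", generate_passphrase(SAMPLE_WORDS, 6))
    print(f"6 words from this 32-word list: {entropy_bits(32, 6):.1f} bits")
    print(f"4 words from a 7,776-word list: {entropy_bits(7776, 4):.1f} bits")
    print("words for 64 bits from 7,776:", words_needed(7776, 64))
```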
http://www.popularmechanics.com/technology/how-to/computer-security/solving-the-password-problem-14993917?click=main_sr