No AIBU, clearly here for traffic.
This thread might be good for people to share/learn about good password strategy on the Internet. I know that I have zero strategy and get by on a collection of auto-inserts, failed attempts, "Forgotten password" buttons and so on.
From another thread, posted by Puntastic
I know a bit about this stuff, and I suggest the following: forget all the standard password advice. It sucks. Do this instead:
- Install good security software AND KEEP IT PATCHED. This is the single most important thing you can do to protect yourself online. And when you get those boxes popping up saying "Er, I think this website is a bit dodgy actually", don't just ignore them and click through anyway!
- Don't create passwords by doing simple number/character substitutions, and don't use a simple scheme such as password = username+sitename, maybe with a 1 on the end, and increasing the number by 1 every time you have to change it. These are all strategies that attackers are very well aware of, so they don't really protect you at all.
Instead, try a password generation scheme such as sticking three random words together - this is reasonably memorable but (as long as the words aren't obviously linked eg cat-sat-mat) not straightforward to guess.
- Don't worry about making a password strong enough to withstand a brute force attack - this is effectively almost impossible these days, due to the wide availability of cheap computing power, and brute force is not even the most significant attack vector - as we've seen here, stealing credentials via phishing or malware is far more prevalent and with those, password strength doesn't make a blind bit of difference.
- Do not re-use passwords between systems/websites you care about. Sure, use a single, weak password for sites you don't care about eg one where you just go to buy one thing then never return to, or which don't protect valuable personal information. Because if that one does get nobbled, you don't need to care. Put your effort into making sure the info you DO care about is better protected.
- Writing passwords down isn't the worst thing in the world, and is probably inevitable for passwords you don't use regularly - most people just can't retain these in memory no matter how hard they try. Writing them on a bit of paper and then protecting that paper accordingly is a reasonable way of doing this. Alternatively, there are loads of software password managers available so you could use one of those - just bear in mind that these will have weaknesses, just the same as any other piece of software, and attackers will attack them if they can.
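An added illustration, not from the thread or any poster, of the "three random words" scheme above: it draws the words with the OS random source and compares the size of the guessing space against the "dictionary word plus a digit and a few l33t swaps" scheme the post warns against. The word list is a constructed sample, and the 7,776-word list size, the 100,000-word attacker dictionary and the 10 x 8 suffix/substitution variants are assumptions chosen for the comparison.

```python
import math
import secrets

# Constructed sample word list for this example only; the entropy figures below
# assume a real list of 7,776 words (the size of a standard diceware list).
SAMPLE_WORDS = [
    "apple", "harbour", "kettle", "meadow", "violin", "glacier",
    "pencil", "tundra", "lantern", "ostrich", "cobalt", "saddle",
]


def generate_passphrase(words, count=3, sep="-"):
    """Join `count` words drawn independently with secrets (OS CSPRNG).

    random.choice is seeded predictably and must not be used for this;
    independent draws keep the entropy formula below exact.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count=3):
    """Bits of entropy for `count` independent uniform draws from the list."""
    return count * math.log2(wordlist_size)


def substitution_scheme_entropy_bits(dictionary_size, suffix_choices=10, leet_variants=8):
    """Keyspace in bits of 'dictionary word + trailing digit + a few l33t swaps'.

    Cracking tools enumerate exactly this space with word lists and mangling
    rules, so its size, not the password's appearance, is what matters.
    """
    return math.log2(dictionary_size * suffix_choices * leet_variants)


def compare_schemes(wordlist_size=7776, dictionary_size=100_000):
    """Return (three_word_bits, substitution_bits, keyspace_ratio)."""
    three = passphrase_entropy_bits(wordlist_size, 3)
    subst = substitution_scheme_entropy_bits(dictionary_size)
    return three, subst, 2 ** (three - subst)


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    three, subst, ratio = compare_schemes()
    print(f"three random words: {three:.1f} bits; word+digit+l33t: {subst:.1f} bits; "
          f"roughly {ratio:,.0f}x more guesses needed")
```

With these assumptions the three-word passphrase is about 39 bits against about 23 bits for the substitution scheme, tens of thousands of times more guesses; the post's point that this does not help against phishing or malware still stands, because a stolen password has zero remaining entropy.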