Passwords


Wilshire
« on: September 11, 2014, 05:27:16 pm »
So I've read a couple brief things about password strength and found a list of the top 10,000 passwords that account for some 99.8% of all passwords on the internet. Below are some things everyone should know based on what I found.

1. Don't use anything less than 8 characters.
2. Never use single words. Anything that is found in the dictionary is no good.
3. No common names of people, places, books, characters, movies, etc.
4. No Makes or Models of cars
5. No sports teams or mascots
6. Don't do the above and misspell a word, or replace letters with numbers. You aren't helping yourself.

This password checker I found seems to contain the list of 10k that I found. Easy to test how terrible your password is, though I'd probably not put in exactly what your "really good password" is.
https://howsecureismypassword.net/

This comic explains password strength pretty amazingly.
http://xkcd.com/936/

Worth noting that the comic puts 1000 guesses a second. Apparently, unimpressive cracking algorithms and a computer with a mediocre graphics card could do 1 billion a second or more. Or at least that's what some places said. So you'll need to do better than correcthorsestaplebattery :P
« Last Edit: September 11, 2014, 05:31:01 pm by Wilshire »
One of the other conditions of possibility.

Kellais
« Reply #1 on: September 11, 2014, 05:46:46 pm »
lol...nice one, thx, Wilshire.

Although I do think that a pw with reasonable length and upper case and lower case and numbers is very secure. I mean just consider this:

If you have an 8 "letter pw" that uses numbers and upper and lower case letters, you have 62^8 possible passwords (26 letters and 10 numbers per spot). That's 218 trillion 340 billion 105 million 584 thousand 896 passwords. Not bad.

I am kind of sceptic about the 1 billion guesses a second. For what length of the pw? With how many variables per spot?
I'm trapped in Darkness
Still I reach out for the Stars

"GoT is TSA's less talented but far more successful step-brother" - Wilshire

Wilshire
« Reply #2 on: September 11, 2014, 05:54:24 pm »
Not sure exactly, but I'm sure the 10k most common are checked basically instantly. It's the logical first step and takes no time. After that, I have no idea. Maybe the program more or less cycles through all possibilities for each character (a,b,c,d,e....,1,2,3,4). If it doesn't go through, then 2 characters at once (aa,bb,cc). That's extremely brute force though. I'm sure things slow down exponentially with increased length. Once you get to 8 characters things would start to slow dramatically.... Or that's my guess. I'm not "a computer guy" :P.


Really though, it comes down to this: if someone wants to hack your account, they can do it eventually, but most people aren't worried about a targeted attack like that. Just don't be the low hanging fruit. The 99.8% of people that get "hacked" in 0 seconds is because they are using stupid passwords. It's hardly even hacking at that point.

edit:
Also, most places limit the number of guesses per hour/day etc, which probably slows the process down. I'm waiting for SR to swoop in and tell me all the things I've said are wrong.
« Last Edit: September 11, 2014, 05:56:57 pm by Wilshire »

Cüréthañ
« Reply #3 on: September 12, 2014, 02:07:48 pm »
Easiest way to get a secure password that you can easily remember is to formulate and use a simple mnemonic algorithm.

e.g. two words (short but different length), with your current age, rounded down by 10 years, split front and back.
You get stuff like:
3shoedog0
Retracing his bloody footprints, the Wizard limped on.

Wilshire
« Reply #4 on: September 12, 2014, 02:10:26 pm »
Haha that's pretty good. I'd recommend using bigger words, or picking a third short one, but as the comic above also demonstrated, what you've done is easy to memorize but harder to hack.

SilentRoamer
« Reply #5 on: September 12, 2014, 02:33:53 pm »
Worth noting that the comic puts 1000 guesses a second. Apparently, unimpressive cracking algorithms and a computer with a mediocre graphics card could do 1 billion a second or more. Or at least that's what some places said. So you'll need to do better than correcthorsestaplebattery :P

8 characters or more, mixed alphanumerical with at least one CAPS and you are pretty secure.

95^8 combinations are required to crack an 8 character password length. 95 possible keys over 8 characters. A good server farm capable of 350 billion attempts a second (on a local network) would still take just under 6 hours to crack any possible password - assuming the password was last in the combination run.

A website like this would not respond to anywhere near enough requests to get close. It would take hours for this site to process a few million requests and the site would most likely take itself offline as part of its DDoS response.

TL;DR - Wilshire's and Curethan's advice is sound, but as long as you are 8 letters long, alphanumeric and not an easily guessable word then you are pretty safe online.
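
The keyspace arithmetic in Kellais's 62^8 post and SilentRoamer's 95^8 / 350 billion-per-second estimate above, worked through as a small calculator (an added example, not code from anyone in this thread). It also plugs in the two guess rates Wilshire contrasted (the comic's 1000/s versus a GPU's 1 billion/s) and the comic's four-word passphrase drawn from a 2048-word list; the charset sizes and guess rates are taken from the thread, everything else is constructed here.

```python
import math

# Character-class sizes used in the thread (constructed table for this example).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed-case alphanumeric": 62,   # Kellais: 26 + 26 + 10 per position
    "printable ASCII": 95,           # SilentRoamer: 95 possible keys per position
}

def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from the charset."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)

def passphrase_entropy_bits(num_words: int, dictionary_size: int = 2048) -> float:
    """Entropy of `num_words` words picked uniformly from a `dictionary_size`-word
    list (the xkcd comic assumes 2048 words, i.e. 11 bits per word)."""
    return num_words * math.log2(dictionary_size)

def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace of 2**bits at the given guess rate
    (the password is found last, as SilentRoamer's estimate assumes)."""
    return 2.0 ** bits / guesses_per_second

def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    # Guess rates from the thread: the comic's throttled online rate,
    # a commodity GPU, and SilentRoamer's server farm (offline, local network).
    rates = {"1 k/s (online)": 1e3, "1 G/s (GPU)": 1e9, "350 G/s (farm)": 350e9}
    print(f"{'password shape':<32}{'bits':>6}  " + "".join(f"{r:>22}" for r in rates))
    for name, size in CHARSETS.items():
        for length in (8, 10, 12):
            bits = entropy_bits(size, length)
            row = "".join(f"{human_time(worst_case_seconds(bits, r)):>22}" for r in rates.values())
            print(f"{name} x{length}".ljust(32) + f"{bits:>6.1f}  " + row)
    bits = passphrase_entropy_bits(4)
    row = "".join(f"{human_time(worst_case_seconds(bits, r)):>22}" for r in rates.values())
    print("4 random words / 2048".ljust(32) + f"{bits:>6.1f}  " + row)
```

The table makes the online/offline distinction concrete: a rate-limited website only ever sees a tiny slice of the keyspace, so the numbers that matter for a leaked password hash are the offline GPU and farm columns.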


Garet Jax
« Reply #6 on: September 12, 2014, 02:53:54 pm »
TL;DR - Wilshire's and Curethan's advice is sound, but as long as you are 8 letters long, alphanumeric and not an easily guessable word then you are pretty safe online.

Unless Silent Roamer wants to get into your accounts...

Wilshire
« Reply #7 on: September 12, 2014, 02:54:58 pm »
Well that makes me feel a bit better. For the websites that have important information on them, I try to get over 10 characters, with some around 20, that are easy for me to remember.

Even assuming the site could accept all those requests:
6 hours for 8 characters
20 hours for 9 characters
2000 hours for 10 characters
And then you jump to timescales in years/decades/centuries pretty quickly.

So really, after you get to 8+ characters, you're far more susceptible to getting "hacked" because of a security breach, which you can then blame on SR (or whatever website's equivalent).

Cüréthañ
« Reply #8 on: September 13, 2014, 12:37:18 am »
Avoid 8 characters, it's a common restriction of poorly secured websites (i.e. must be exactly 8 characters).
Longer is better obv, but a password is useless if you can't remember it.

Point to my tip is to make your own formula to apply to all your passwords. Short words (<7 characters) are harder to guess, because there are so many of them. Once you mix short words and numbers they may as well be all random as far as a code cracking algorithm is concerned.
Another thing I like to do is change out all instances of a two letter combo for a different character combo. e.g. 'er' becomes 'w01', so ErraticWanker becomes w01raticWankw01.