A password is an important part of keeping safe your personal data and money, which are accessible from the Web.
Generating a password that is both memorable and strong is not easy. This is why some people use very primitive passwords, and they are sometimes sorry about that.
Passwords can be strengthened even further by adding numbers into the mix, or even by typing an entire short sentence, typos and numbers included. Studies by experts have shown that roughly 80 per cent of Internet users fail to take these steps and instead use terms that are simple to crack by guessing or by using technological tools.
Recommendations for users:
1. Choose a strong password for sites where you care about the privacy of the information you store. You can take a sentence and turn it into a password. Something like “I sent a message to my best friend on 24” might become "IsM2mbfo24". This type of password is neither easy to guess nor found in a dictionary, say experts. Those two factors make the password harder to crack: that ten-character password won't be in anyone's dictionary.
NASA provides the following recommendations for strong password selection.
a) It should contain at least eight characters.
b) It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;"
c) If there is only one letter or special character, it should not be either the first or last character in the password.
d) It should not be a name, a slang word, or any word in the dictionary.
e) It should not include any part of your name or your e-mail address.
2. Use a different password for every site – even for the ones where privacy isn't an issue. If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.
3. Never trust a third party with your important passwords (web-mail, banking, medical, etc.).
4. Do not let your browser (whichever browser you use) remember passwords when entering your personal web resources. This is a direct way for information to be stolen by malicious software (worms) that could penetrate your computer. It would be much better to create a text file with an ordinary name and keep your logins and passwords there. It is practically impossible for spyware to guess which files contain sensitive information, unless the spyware steals the entire contents of your computer.
5. Purchase and install good antivirus software on your computer.
Recommendations for administrators:
1. Enforce a strong password policy – if you give users a choice, it is very likely that they will choose weak passwords.
2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login.
3. Make sure passwords are not kept in clear text. Always digest passwords before storing them in the DB.
4. Use aggressive anti-brute-force mechanisms to detect and mitigate brute-force attacks on login credentials. Make these attacks too slow for any practical purpose, even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc.
5. Employ a password change policy. Trigger the policy either by time or when suspicion of a compromise arises.
6. Allow and encourage pass-phrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break.
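As an added example (not from the original article or from NASA/Imperva), the following Python shows how an administrator might enforce the NASA rules a) to e) above together with the article's list of 20 passwords to avoid, and digest accepted passwords before storing them. The "3 or more characters" threshold for rule e), the reading of "only one letter" as a single letter of either case, and the salted PBKDF2 storage format are assumptions, not something the article specifies.

```python
import hashlib
import hmac
import os
import re

SPECIAL = set('!@#$%^&*,;"')   # the special characters the article's rule b) lists
DENY_LIST = {                   # the article's "20 passwords you should never use"
    "123456", "12345", "123456789", "password", "iloveyou", "princess", "rockyou",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
    "jessica", "lovely", "michael", "ashley", "654321", "qwerty",
}

def check_password(pw, name="", email="", dictionary=()):
    """Return the list of violated rules a)-e); an empty list means the password is accepted."""
    problems = []
    letters = [c for c in pw if c.isalpha()]
    specials = [c for c in pw if c in SPECIAL]
    if len(pw) < 8:                                                        # rule a)
        problems.append("a) fewer than 8 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and specials):                # rule b)
        problems.append("b) needs upper, lower, digit and special")
    for label, group in (("letter", letters), ("special character", specials)):  # rule c)
        if len(group) == 1 and group[0] in (pw[0], pw[-1]):
            problems.append(f"c) lone {label} at start or end")
    low = pw.lower()
    if low in DENY_LIST or low in {w.lower() for w in dictionary}:        # rule d)
        problems.append("d) dictionary word or known-bad password")
    # rule e): reject any 3+ character token of the name or e-mail (the threshold is an assumption)
    tokens = [t for t in re.split(r"[^a-z0-9]+", f"{name} {email}".lower()) if len(t) >= 3]
    if any(t in low for t in tokens):
        problems.append("e) contains part of the user's name or e-mail")
    return problems

def hash_for_storage(pw, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 digest for the DB; the '$'-separated layout is an assumption."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(pw, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)
```

Note that the article's own sample "IsM2mbfo24" fails rule b) because it has no special character; moving one into the middle (e.g. "IsM2mbfo!24") satisfies both b) and c).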
And finally, here are 20 passwords you should never use:
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
11. Nicole
12. Daniel
13. babygirl
14. monkey
15. Jessica
16. Lovely
17. michael
18. Ashley
19. 654321
20. Qwerty
Source: http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf