Use Passphrases, Not Passwords

Users often have far too much faith in the strength of their passwords. Security advisors have many proven techniques for making strong passwords, but the truth is that they are too hard for many users to follow, and their effectiveness isn't what it used to be. The answer for many people is to use passphrases instead of passwords. A passphrase is a group of words, such as a line from a song or book, as opposed to a password, which is a single word. Not every security system lets you use passwords this long, or even ones that contain spaces. Some e-commerce sites, for example, will only allow 8-12 character alphanumeric passwords. But since Windows 2000, Windows has allowed passphrases of up to 127 characters.

An attacker who gained physical access to your computer, or potentially remote access with sufficient privileges, could crack your password. It might take some time, or it might be very fast, depending on the versions of your software and the strength of your password. If you've got a really weak password, like 'Password', then you're in even worse shape. Many of the most widespread Internet worms have built-in dictionaries of common passwords such as this, and once they are running on your system they can use them to attack your computer and others on your network. But a passphrase that is long and complicated would take a very long time to crack and would not be vulnerable to many of the easiest methods.
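To make the comparison concrete, here is an added example (not code from the original article) of a passphrase-aware policy check that a system could run when a user picks a new secret. It rejects anything in a small constructed "common password" list like the dictionaries the worms above carry, enforces the 127-character Windows limit quoted in the article, and estimates guessing cost under two attacker models: brute force over the observed character classes, and a word-list attack when the secret is plain words. The minimum of the two is the effective strength, since an attacker chooses the cheaper route. The 50-bit threshold, the 20,000-word vocabulary, the 1e10 guesses-per-second rate and the assumption that passphrase words are chosen independently are all assumptions made for illustration, not figures from the article.

```python
import math

# Constructed sample of a "common password" dictionary, standing in for the
# built-in word lists the article mentions. Assumption: a real check would load
# a large breach-derived list instead of this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

MIN_BITS = 50            # assumed policy threshold, not a figure from the article
MAX_LENGTH = 127         # the Windows passphrase limit quoted in the article
WORD_VOCABULARY = 20000  # assumed size of the word list an attacker would try


def charset_size(secret: str) -> int:
    """Size of the union of standard character classes present in the secret."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_bits(secret: str) -> float:
    """Guessing cost if the attacker must enumerate every string over that charset."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(charset_size(secret))


def wordlist_bits(secret: str) -> float:
    """Guessing cost if the attacker models the secret as words drawn from a list.

    Only applies when every token is a plain alphabetic word; otherwise the
    model does not fit and infinity is returned so the brute-force estimate wins.
    """
    words = secret.split()
    if not words or not all(w.isalpha() for w in words):
        return math.inf
    return len(words) * math.log2(WORD_VOCABULARY)


def effective_bits(secret: str) -> float:
    """An attacker picks the cheaper strategy, so strength is the minimum of the two."""
    return min(brute_force_bits(secret), wordlist_bits(secret))


def seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the secret after searching half the keyspace."""
    return (2.0 ** bits) / guesses_per_second / 2.0


def evaluate(secret: str) -> dict:
    """Passphrase-aware policy check: returns acceptance, reason and estimated bits."""
    bits = effective_bits(secret)
    if secret.strip().lower() in COMMON_PASSWORDS:
        return {"accepted": False, "reason": "in common-password dictionary", "bits": bits}
    if len(secret) > MAX_LENGTH:
        return {"accepted": False, "reason": f"longer than {MAX_LENGTH} characters", "bits": bits}
    if bits < MIN_BITS:
        return {"accepted": False, "reason": f"estimated {bits:.1f} bits < {MIN_BITS}", "bits": bits}
    return {"accepted": True, "reason": "ok", "bits": bits}


if __name__ == "__main__":
    # Constructed candidates: the article's weak example, a typical 8-char
    # alphanumeric password, and a five-word passphrase.
    for candidate in ("Password", "abc12345", "the quick brown fox jumps"):
        verdict = evaluate(candidate)
        hours = seconds_to_crack(verdict["bits"]) / 3600
        print(f"{candidate!r}: accepted={verdict['accepted']} ({verdict['reason']}), "
              f"~{hours:.1e} hours at 1e10 guesses/s")
```

Running the script shows the article's point in numbers: the 8-character alphanumeric password falls in minutes at the assumed guess rate, while the five-word passphrase, even under the word-list model that assumes the attacker knows it is made of words, lands far beyond a year. Note that a well-known line from a song or book is weaker than the word-list estimate here, because phrase lists exist too; the model treats each word as an independent pick.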