With everyone from government and world-wide corporations to websites including TechRadar falling foul of industrial hacking attacks, scrutiny of security has never been so high.
If you're still using PASSWORD or 123456 to protect your email, it's time for a radical rethink of your password security.
Recent attacks, such as the one against LinkedIn, highlight how important having a strong password is.
Hackers haven't targeted individual accounts but rather stolen a site's entire password database. This can then be cracked and potentially the hackers have a huge list of users' emails and associated passwords.
If this list hasn't been salted – a process that increases encryption complexity – a short or common password can easily and quickly be cracked via look-up tables and brute-force attacks.
Top 40 best free iPad games
Best iPad case: 38 rated
Best iPad stylus: 5 reviewed
We could explain, but XKCD have already done that very eloquently; basically a long, memorable password is more secure than a short and complex one involving symbols and numbers.
It's kind of contrary to what everyone is told, but the recent LinkedIn database theft had short passwords cracked within days, and modern GPU hash-crackers can pump out a billion hashes a second or more.
This does ignore the issue that the LinkedIn database lacked the salting that would have increased the hash complexity and stopped them being cracked so quickly in the first place.
As a user, there's nothing you can do about your passwords being stolen directly from services and websites. However, you do have a duty to create strong passwords in the first place, along with protecting those passwords and not using duplicate passwords across sites.
Better passwords
As we've already covered, you can try and do all the right things and it's still possible to have your account compromised, be it by sheer bad luck, a weak password or malware like a key logger.
What's left to do?
This is where a one-time password system steps in, more commonly known as two-factor authentication or TFA.
Here, a bank or service provides a second route to prove who you are. Many banks now insist on a keycard that generates a one-time passcode.
Google, PayPal, Blizzard and Facebook provide similar systems, but these systems use a smartphone to generate the code, either locally via an app or delivered in a text message.
An alternative approach is SteamGuard for Steam, which uses your PC's IP address as the second TFA factor, clever old Valve.
While there are scenarios where a TFA system can be circumvented, the window of opportunity is vastly reduced, even if the attacker knows your password.
This technology currently represents the best protection for financially-sensitive services and accounts.
Top tips
Want to boost your password security? Here are our top-five tips for improved passwords.
1. Get Two Factor Authentication
If a service offers TFA, take it. While they're not 100 per cent bullet-proof, TFA systems offer by far the most secure protection. Possible routes of compromise do exist, such as someone ringing you to check the TFA is working, or malware installed intercepting the code.
You might consider, say, Google TFA, to be troublesome, but you can request a 30-day gap for regularly used systems.
Other devices need to be activated with a unique Google-generated password for each app that accesses Google accounts.
You can also eliminate the need for a text message by generating the code locally from the Google Authenticator TFA app.
2. Get a password manager
You don't even need to buy one or install one: Firefox, Chrome and Internet Explorer will all gladly save passwords for your sites.
For added security, Firefox can protect these with a master password from the Security tab in its 'Options' dialogue.
Similarly, Chrome Sync will secure your history via your Google Account login and synchronise passwords across your Chrome-using devices.
If you're looking for a cross-platform, cross-browser manager, we can thoroughly recommend LastPass.com. It's free for desktop use and $1 a month covers all mobile app access on most platforms, plus it's random-password generator means every password you use will be different.
If one miserly dollar a month is too much then try the free open-source KeePass.info; it's excellent, and mobile apps are available, but you'll need to manage the transfers of the vault file yourself.
Even with a password manager we'd still advise you not to store financial account details on it or even your primary email details, as loss of your vault password would open up all of your passwords.
3. Create stronger passwords
Some sites limit password length to 12 characters. Annoying! For ones that don't, www.xkpasswd.net, inspired by the XKCD cartoon, generates long, memorable passwords, and can throw in the curve ball of numbers, characters, capitalisation and padding as you see fit.
4. Verify-only email accounts
Using layers of security is a good way of working.
If you can place separation between 'unimportant' sign-ups - such as that forum you can't mention to your partner - and sensitive services, such as your bank accounts, all the better.
Use an extra email account to register for forums and the like. If these should get hacked or compromised it'll be far harder to trace any password, username or any personal information to anything else that could be more important.
Similarly, consider using personally-identifiable services such as social networks on yet another email account. While perhaps not as sensitive as such, hacked accounts can cause real-life headaches and provide hackers with personally-identifiable details.
5. Ring-fence vital services
Many of these problems come from us being human and succumbing to laziness.
In a way, pretending that we're never going to be lazy doesn't help, but should certainly mitigate this lazy behaviour.
At the absolute minimum, try and ring-fence your behaviour when it comes to vital financial institutes and your primary email. Use unique and complex password for each.
To a degree, many banks have cut-out laziness and enforced TFA solutions, so it's a mute point. Even Google offers TFA for its accounts and you should consider activating this if it's your primary email, as it's your last line of defence.
No comments