1. Half of the passwords are less than eight characters long, the minimum length one should even consider when choosing a strong password. The longer a password the better, yet 93% of all the passwords analyzed were between six and ten characters long.
2. A strong password also makes use at least three of the four character types available on your keyboard: numbers, uppercase letters, lowercase letters, and symbols like punctuation. Only four percent of the passwords analyzed did this. The vast majority only used one character type, such as all lowercase letters or all numbers.
3. Randomness is also key to password strength. That means using something like “qp}Edhg!13evTOI” rather than “JustinBieberRocks”. So it’s interesting that over a third of the passwords analyzed could be found in a common password dictionary. The most frequently used passwords included: seinfeld, password, 123456, purple, princess, maggie, peanut, shadow, ginger, michael, buster, sunshine, tigger, cookie, george, summer, taylor, bosco, abc123, ashley, and bailey.
4. Finally, if there’s one thing you should do to protect yourself from the possibility that one of your trusted sites is breached, it’s to never use the same password at two different websites. That way, if one of your user accounts is compromised, it won’t affect any other account. To test password uniqueness, Hunt compared the Sony data to a database of Gawker usernames and passwords, which were hacked and released late last year. He found that of those accounts that used the same email address on both sites, 67% used the same password on both systems.
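A small audit script for the four rules above (length, character classes, dictionary words, and cross-site reuse), as an added example that is not part of the original post. The "dictionary" is just the short list quoted above, and the two account sets in the reuse check are constructed sample data, not the Sony or Gawker dumps.

```python
import string

# Constructed weak-password dictionary: the list of frequent passwords quoted above.
COMMON_PASSWORDS = {
    "seinfeld", "password", "123456", "purple", "princess", "maggie", "peanut",
    "shadow", "ginger", "michael", "buster", "sunshine", "tigger", "cookie",
    "george", "summer", "taylor", "bosco", "abc123", "ashley", "bailey",
}


def character_classes(password: str) -> int:
    """Count how many of the four classes (digits, upper, lower, symbols) appear."""
    classes = [
        any(c.isdigit() for c in password),
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes)


def audit_password(password: str) -> list[str]:
    """Return the rules from the analysis that the password fails (empty list = passes)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if character_classes(password) < 3:
        failures.append("fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("found in common-password dictionary")
    return failures


def reuse_rate(site_a: dict[str, str], site_b: dict[str, str]) -> float:
    """Share of e-mail addresses present on both sites whose password is identical.

    Each argument maps e-mail address -> password for one site (constructed sample data).
    """
    shared = [email for email in site_a if email in site_b]
    if not shared:
        return 0.0
    reused = sum(1 for email in shared if site_a[email] == site_b[email])
    return reused / len(shared)


if __name__ == "__main__":
    for candidate in ("qp}Edhg!13evTOI", "JustinBieberRocks", "seinfeld", "abc123"):
        print(candidate, "->", audit_password(candidate) or "passes all rules")
```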
I use http://lastpass.com to generate unique, random strong passwords for each site I use, and then protect all of them with a very strong 20-character random master password which I’ve memorized. I’ve also heard good things about 1Password.
If you do use an online password manager like 1Password or LastPass, make sure it is “zero-knowledge” – that means your master password is never transmitted to their site in any form. Instead, your encrypted passwords are downloaded onto your computer and then decrypted locally. That way even if someone breaks into the password manager site, they still can’t access your passwords.