Computer Security - Passwords

• DO use a password manager. Password managers are small databases designed to help you manage the deluge of passwords needed to navigate your computer, network, and Internet needs. I like LastPassword but also 1Password, Clipperz, and RoboForm are well regarded.
   
• DO change passwords frequently. I change mine every 3-6 months, or whenever I sign in to a site I haven't visited in long time. Don't reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire. 
  
  
• DO use pass phrases instead of passwords. They should be easy to remember, but difficult for other people to guess. To create a pass phrase, take a sentence (or a line from a song, etc.) and then replace some of the letters with numbers and special characters. You should also use some capital letters or special characters. For example, the phrase "I love the Beatles” can be translated to "IlovetheBe@tles”.
  
  
• DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward. No matter how much you may trust your friends or colleagues, you can't trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use. 
  
  
• DON'T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don't use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
   
• DON'T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account. 
  
  
• DON'T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.
  
  
• DON'T use the "remember me" or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.
  
  
• DON'T enter passwords on a computer you don't control -- such as a friend's computer -- because you don't know what spyware or keyloggers might be on that machine.
  
  
• DON'T access password-protected accounts over open Wi-Fi networks -- or any other network you don't trust -- unless the site is secured via https. Use a VPN if you travel a lot. (See Ian "Gizmo" Richards' Dec. 11, 2008, Best Software column, "Connect safely over open Wi-Fi networks," for Wi-Fi security tips.) 
  
  
• DON'T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.

http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices

http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458