It's Time to Remodel Your Password Policy

I’m shocked when I encounter websites that are able to “recover” my existing password and email it to me. First, email is not secure, and any password sent in clear text can easily be lifted, but that’s just part of the problem. Websites should let you reset your lost password (once you verify that you are you) but should not be able to email (or fax, or tell you over the phone) your existing password. You can’t improve the security of the websites you frequent, but you can take steps to help keep your accounts from being compromised.

Make it strong. An eight-character password of only numbers has 100 million possible combinations and can be cracked in seconds. An eight-character password with numbers, letters, upper/lowercase, and special characters has 7.2 quadrillion possible combinations.
Make it long. If your password is “strong,” the total number of characters is the most important factor. An eight-character strong password will take 21/2 months to crack using the same computing power that will crack the five-character version in under 10 seconds.
Insert a string of periods to increase password length.
Use entire phrases. “9GreenCowsEatingToast?” is no harder to type than “9GreCwEtTo?” and is a heck of a lot easier to get right.
Never click “Reset your account here” links. Always use the service’s website itself to initiate account changes.
Use a password vault. It’s unwise to use the same passwords on all your sites, and it’s equally unwise to keep your passwords written on a piece of paper somewhere. Instead, use a “password manager” or “password vault.” A popular commercial version is RoboForm, but equally effective is KeePass, which is open source and totally free.