
© mindfulsecurity.com
Silent Circle has a password strength tester on its site (upper right; no sign-up needed). Note that longer passphrases, even ones made only of lower-case letters, are tougher to brute-force than shorter passwords stuffed with digits and symbols: every added character multiplies the search space, and adding length does more for that than adding character classes. One caveat to keep in mind when reading crack-time estimates like the ones below: an attacker who guesses that you use dictionary words attacks word by word rather than letter by letter, so the number of words matters more than the number of letters, and two or three common words is not enough.
Examples (times as reported by the tester):
8-character randomized password: T0u%p@s5
Time to crack: 14 minutes
17-character passphrase: rockwell is right
Time to crack: 4 days
34-character passphrase: The Country Is Not The Government!
Time to crack: centuries
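To see why the numbers above come out the way they do, here is a small estimator, added for this post and not part of Silent Circle's tester, that scores the three examples under two attack models: character-by-character brute force, and a word-by-word attack on passphrases. The guess rate (10 billion per second) and the dictionary size (50,000 words) are assumptions chosen for illustration; the tester's own figures are the ones quoted in the post.

```python
import math
import string

# Assumed attacker speed: an offline attack on a fast, unsalted hash with a
# single modern GPU. This is an assumption for illustration, not the rate
# Silent Circle's tester uses.
GUESSES_PER_SECOND = 10_000_000_000

# Assumed size of the word list used for a word-by-word (combinator) attack;
# also an assumption.
DICTIONARY_WORDS = 50_000


def charset_size(password: str) -> int:
    """Alphabet a character-by-character brute force must cover, inferred
    from the character classes actually present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_guesses(password: str) -> int:
    """Guesses needed to try every string of this length over this alphabet."""
    return charset_size(password) ** len(password)


def passphrase_guesses(passphrase: str, dictionary_words: int = DICTIONARY_WORDS) -> int:
    """Guesses for an attacker who knows the passphrase is a run of dictionary
    words and tries word combinations instead of characters. Capitalisation
    doubles the choices per word; a symbol anywhere adds one symbol factor."""
    words = passphrase.split()
    guesses = dictionary_words ** len(words)
    if any(c in string.ascii_uppercase for c in passphrase):
        guesses *= 2 ** len(words)
    if any(c in string.punctuation for c in passphrase):
        guesses *= len(string.punctuation)
    return guesses


def effective_guesses(secret: str) -> int:
    """The attack the adversary would actually pick: the cheaper of the two.
    Only multi-word strings are exposed to the word-by-word model."""
    brute = brute_force_guesses(secret)
    if len(secret.split()) > 1:
        return min(brute, passphrase_guesses(secret))
    return brute


def bits_of_entropy(guesses: int) -> float:
    return math.log2(guesses)


def time_to_exhaust(guesses: int, rate: int = GUESSES_PER_SECOND) -> str:
    """Human-readable time to try every candidate at the assumed rate."""
    seconds = guesses / rate
    for unit, size in (("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 365)):
        if seconds < size:
            return f"{seconds:.1f} {unit}"
        seconds /= size
    return f"{seconds:.1f} years"


def report(secret: str) -> dict:
    guesses = effective_guesses(secret)
    return {
        "secret": secret,
        "bits": round(bits_of_entropy(guesses), 1),
        "time": time_to_exhaust(guesses),
    }


if __name__ == "__main__":
    # The three examples from the post.
    for s in ("T0u%p@s5", "rockwell is right", "The Country Is Not The Government!"):
        print(report(s))
```

Under these assumptions the 8-character random password is about 52 bits against brute force, while the three-word lower-case phrase drops to about 47 bits once the attacker tries words instead of letters; the six-word phrase with a capital and a symbol is over 100 bits either way. The lesson is the one the post draws, with the word-count caveat made explicit: length wins, but count it in words.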
Even with a passphrase, take one extra security step: modify it with an algorithm you derive for every site. That way, if one site stores or transmits passwords in cleartext (both big no-no's, but it happens) or gets breached, whoever obtains that password cannot reuse it on your other accounts.
Example: apple.com starts with "a", the 1st letter in the alphabet, so my passphrase might become:
1The Country Is Not The Government!
Note that I prepended the number 1 at the start of the passphrase. I'd recommend adding at least 2 characters via your algorithm. Keep in mind what this does and does not buy you: it defeats automated reuse of a leaked password on other sites, but anyone who reads one leaked password sees the shared passphrase and can usually guess a simple rule, so the harder the site-specific part is to infer from one example, the better.
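The derivation described above, written out as an added example (not code from the post): the post's alphabet-position rule, padded to the two characters it recommends, next to a stronger alternative in which the site-specific part is an HMAC of the site name keyed by the passphrase, so the tag for one site reveals nothing about the tag for another. The site-normalising helper and the eight-character tag length are my assumptions; the HMAC variant is an addition, not the author's method.

```python
import base64
import hashlib
import hmac
import string


def normalise_site(site: str) -> str:
    """Reduce a URL or hostname to a lowercase hostname without 'www.' so the
    same site always yields the same tag. Assumed helper; the post only says
    that apple.com starts with 'a'."""
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def alphabet_tag(site: str) -> str:
    """The post's rule: the 1-based alphabet position of the site's first
    letter, zero-padded to two digits so the tag is always the two characters
    the post recommends as a minimum (apple.com -> '01')."""
    host = normalise_site(site)
    first = next(c for c in host if c in string.ascii_lowercase)
    return f"{string.ascii_lowercase.index(first) + 1:02d}"


def derive_simple(base_passphrase: str, site: str) -> str:
    """Prepend the alphabet tag to the shared passphrase, as in the post."""
    return alphabet_tag(site) + base_passphrase


def hmac_tag(base_passphrase: str, site: str, length: int = 8) -> str:
    """Added alternative, not from the post: HMAC-SHA256 of the site name keyed
    by the passphrase. Without the passphrase, the tag for one site gives no
    way to compute the tag for another, unlike the alphabet rule."""
    mac = hmac.new(base_passphrase.encode(), normalise_site(site).encode(),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]


def derive_hmac(base_passphrase: str, site: str) -> str:
    return hmac_tag(base_passphrase, site) + base_passphrase


def shared_suffix_length(pw_a: str, pw_b: str) -> int:
    """Attacker's view of two leaked passwords: how many trailing characters
    they share. For any 'tag + passphrase' scheme this is at least the whole
    passphrase, which is why the site-specific part must be hard to infer."""
    common = 0
    for a, b in zip(reversed(pw_a), reversed(pw_b)):
        if a != b:
            break
        common += 1
    return common


if __name__ == "__main__":
    base = "The Country Is Not The Government!"
    for site in ("apple.com", "https://www.bank.example/login"):
        print(site, "->", derive_simple(base, site))
        print(site, "->", derive_hmac(base, site))
```

Both schemes still expose the shared passphrase in full to anyone who reads one leaked password, which is the limitation the post's advice carries; the HMAC version only removes the ability to predict the other sites' tags from that one leak.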
Several readers of my blog post wrote to ask whether the NSA doesn't simply have an end run around harder passwords for email. In short, they do, but mostly for US-based companies. The largest free email providers, Google, Yahoo!, and Microsoft, are known to collaborate with the NSA and/or FBI, which means Hotmail, Yahoo! Mail, and Gmail are insecure against that adversary despite your best passphrase. Hushmail, once considered a secure alternative, caved to the Feds over alleged drug running taking place via Hushmail accounts. If your 35-character passphrase is the moat that keeps the NSA out, Gmail holds the key to the back door and lets the NSA right in to read your email directly.
The solution is to get an email account hosted outside the US. Here are several paid alternatives: NeoMailBox (Swiss based), CounterMail (Sweden), MailVault (Norway), and an excellent article discussing the pros and cons of each.
If this is too much hassle, at least adopt passphrases to keep non-government criminals from taking over your email and other accounts. Imagine the damage an attacker could do with access to monitor your mail, send forged email, and then lock you out of the account. Your mailbox is the password-reset channel for most of your other accounts, so it wouldn't take much effort to get your SSN, address and birthday, and from there it's off to the races. "Oh, you need those retirement funds wired where?" If you think this is far-fetched, count the number of times a year you get a frantic message from a friend warning you not to open an email because their account was taken over.
Bottom line: consider an offshore email account, but definitely make your passwords longer by using a passphrase rather than a shorter but "harder" password. Most sites allow very long passphrases. Weigh the minor investment in time against the risk of identity theft and account takeover, and against the extra time and resources it costs the government to snoop on you.
But what do most of us have to hide? Isn't that part of the process of 'letting go'? Isn't this opening well reflected in how everyone seems to post so much personal crap on their social media pages? As if anyone really wants to read it, but their real friends? And even they only care for a day or two. Anything that could be 'risky' is just another reflection of the ignorance of the poster, such as how some get put in jail for boasting about some prank/crime they committed, a practice that's been going on in private forever, only now it gets '15 minutes of fame' on Facebook.
It all seems to affect fear more than anything else. What are most of us posting/blogging that needs these passwords? They won't stop the 'real enemy', will they? Just these bothersome pests in govt. Are we plotting a revolution against the govt? Are we plotting to zombify the nation? No, it is the govt doing these things, and their fears get reflected in their policies of spying on everyone else who they think thinks like them. Sounds like Stalin-type paranoia.
I say let them read all my crap, I got nothing to hide. It's another example of how jobs are created in an empire, as they become the only ones hiring near the end. From full-time to part-time to no-time, it seems we are only a few steps away and this keeps so many idiots busy and distracted, same as they are trying to do with us. Mirror effect, they see what they want to see. Usually best to stay out of the way and let them implode, but that's not always easy.