You also have to realize that the complexity of your password doesn't really matter. Why? Because hackers these days get the passwords through other methods (ie. stealing the database and cracking the passwords).

The only real thing a complex password protects you from is bruteforce attack. Bruteforce attack only works if your password is insanely simple or the webserver doesn't ban your ip after 3-4 failed login attempts.

Now I am not saying that your rules are bad. They are good rules to follow. What I am saying is that people need to take more precautions than just making a complex password and thinking they are safe. You need to make it so that even IF a hacker gets into your account that they can't do much damage and that you always have the upper hand.

1.  Do not use mt.gox
2.  Do not use mt.gox

Yea web server security is 100x more important.

You could have the most complex password ever, but if the website is not secure then your screwed.

Ideally, using a different salt for each password is good - but storing the salt in plaintext inside the database defeats the purpose (only means that attackers can't rely on pre generated hash databases).

At the bare minimum, they could've salted the passwords inside the source code and only stored the resulting hash to the database.

So that, password "12345" becomes "12345lkj3409ruflk30rjfsldk4lkljflkj234%%#$4324", which is then hashed and stored in plaintext.

This simple step would've prevented the entire MtGox issue that we've seen yesterday.

Not entirely true, as the recent issue confirms. If an attacker gets access to a list of password hashes, the complexity of the password is a huge factor in how long it takes to determine your password.

This actually isn't true, though one might think so. See new reasearch by Steve Gibson: https://www.grc.com/haystack.htm

Here is what I use to keep my passwords safe.

1) KeyPass and KeypassX:  I have it on my Windows systems, Linux Systems and my Android phone.  The database can be synced and used by all 3 Operating Systems.

2) Every site I visit has a randomly generated password using the maximum amount of characters and symbols the site would let me use.

3) Master passwords I use for the databases are a place in the world and I memorize the latitude and longitude to create my master password.  I use Google maps to find the latitude and longitude and I do not click on the most obvious place at the location.

For Example:

If I want to use the Eiffel Tower for my password at 48.8583N, 02.2945E my password would be similar to this.  I never capitalize the first letter but some letter in the middle.  I also replace some of the letters with leet speak.  Now if I need my password before I memorize it I can just think of the Eiffel Tower and then use that to remember my master passwords.

3iff3lt0W3r488583N022945E

GRC rates the above password 2.09 trillion trillion centuries to break.

-Dukejer

No matter how complex your password is, it can still be easily hacked if the attackers gain access to the database. A much more secure way to login that I wish more sites would implement is Gmail's two-step verification process, where you must enter your password and enter a verification code sent to your phone in order to login. I think that the time where a complicated password that would be impossible to brute force being sufficient has passed. Newer, multiple-step verification processes are necessary. Maybe MtGox can consider implementing something like that. It would sure make their users feel safer.

This is not true. A properly hashed strong password would take millions of trillions of trillions of trillions of trillions of trillions centuries to break even with the most ridiculous hashing cluster you can imagine. See the link in foo's post above.

Even the Unix MD5 crypt scheme is really strong as long as you stay away from dictionary words and make sure the "search space" is large enough.

Also, once an attacker has gained access to a database, the game is pretty much over, and the passwords are only a nice bonus...

Does anyone use PasswordMaker ?

https://addons.mozilla.org/en-us/firefox/addon/passwordmaker/

I'm thinking of using this system.