The issue is not whether someone has “hacked into your email”; I don’t need your email password to sniff your email traffic being passed in plaintext on a public network.

And as for reusing passwords, I used to do this, but it’s a bad practice. Now I use a password safe. There are many out there, but I use KeePass (keepass.sourceforge.net) – it’s Open Source, highly secure, portable, and cross platform. (The main program is for windows, but there are compatible versions which use the same data file format for Linux and Mac OS X). It includes a built-in password generator, so I generate a new random secure password for each new site and save it in KeePass. I keep KeePass as a portable app on my USB Flash (Thumb) Drive that I keep with me, so I carry it wherever I need it. You use a master password to open up the encrypted password database in KeePass. So I only have to remember one password, and since it’s only one, it can be a strong one.

And when I open it at home, I use a batch file that automatically makes a copy onto my hard drive, so I always have a backup in case my thumb drive gets lost or destroyed (which happened to me once – I accidentally destroyed one).

Use a unique, strong password for every site! It’s a no-brainer if you have the right tools.

So if one of my passwords does get compromised by being sent in plaintext over the network, at least it’s a unique password that has nothing to do with any of my other passwords.

I’m still trying to come up with a solution to sending passwords over email. Really, I just need to finally figure out how to encrypt my email with PGP. That doesn’t solve sites emailing me my password, but I often find I need to send passwords to other people, and that solves that problem.

“I’m no security expert.”

Meaning I’m on security expert, but I’m not afraid to pretend like one on my blog.

And give users equally crappy advice.

Do you have any kettles laying around the house you call black?

http://plaintextshame.com/

e.g.: take the word truck, append the number of letters in the domain name, then the second letter from the domain name capitalized, and then the second from last letter.

for ebay.com, the resultant password would be

truck4Ba

It does not solve the case of a single site’s stupidity, but isolates each site so that even a compromised password can only be used at a single site and anyone knowing one password will have little insight into how to impersonate me elsewhere. And yet, my memorization burden remains fixed.

The last wrinkle is that I use a common password for all sites where my identity is not worthy of great protection, such as a BBS