| In order of importance: 1) Don't use a really bad password like 'password'. This one is the most important because it might allow an attacker to compromise your accounts online, that is, without compromising the site itself. 2) Use a different password for each site. This one is important because you don't want a compromise of smallvillelittleleague.org, which stores its passwords in plaintext, to mean that an attacker now has access to your banking accounts. 3) Use 2-factor on high-importance / high-risk websites. 4) Use very strong passwords everywhere (i.e. long, randomly generated). If you've done 1-3 above, the scenario where having a very strong password over a medium-strength password is of concrete benefit is fairly narrow. It requires that the attacker get a website's password hashes, that the hash used be a fairly weak one, but that the website not be totally owned (because if it was, then there's no additional benefit to having your site-specific password). All IMO of course. |
You can also go the route of using passwords like:
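The following is an added example, not part of the comment above or of any project it mentions. It puts points 1, 2 and 4 into code from a defender's side: a check against a small constructed list of trivially bad passwords, a check that no two accounts share a password, a CSPRNG-based generator for long random passwords, and an estimate of how long an offline guessing attack on a leaked hash would take for different password lengths. The guess rates (a fast unsalted digest versus a slow, tuned KDF) are assumed round numbers for illustration, not measurements, and the denylist is constructed.

```python
import math
import secrets
import string

# Assumed guess rates (constructed for illustration, not measured figures):
# how many passwords per second an attacker could try offline against a leaked
# hash database. A raw digest such as MD5/SHA-1 on a GPU rig is many orders of
# magnitude faster to attack than a deliberately slow KDF (bcrypt/scrypt/Argon2).
FAST_UNSALTED_HASH_RATE = 1e11
SLOW_KDF_RATE = 1e5

SECONDS_PER_YEAR = 365 * 24 * 3600

# Point 4: uniformly random characters from a 94-symbol printable alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Point 1: a tiny constructed denylist standing in for a real "most common
# passwords" list. Comparison is case-insensitive.
TRIVIALLY_BAD = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def is_trivially_weak(password: str, min_length: int = 12) -> bool:
    """Reject the worst passwords: denylisted strings or anything too short."""
    return password.lower() in TRIVIALLY_BAD or len(password) < min_length


def reused_passwords(accounts: dict) -> dict:
    """Point 2: map each password used on more than one site to those sites.

    `accounts` is {site_name: password}. Returns {} when every site is unique.
    """
    by_password = {}
    for site, pw in accounts.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Point 4: a long password drawn with the OS CSPRNG (secrets), never random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_lengths(lengths=(8, 12, 20)) -> list:
    """For each length, the entropy and expected crack time under both assumed rates.

    This is the narrow scenario the comment describes: the attacker holds the
    hashes but not the site, so the hash algorithm and password length decide
    whether the leak turns into a recovered password.
    """
    rows = []
    for n in lengths:
        bits = entropy_bits(n, len(ALPHABET))
        rows.append({
            "length": n,
            "bits": round(bits, 1),
            "fast_hash_years": expected_crack_years(bits, FAST_UNSALTED_HASH_RATE),
            "slow_kdf_years": expected_crack_years(bits, SLOW_KDF_RATE),
        })
    return rows


if __name__ == "__main__":
    # Constructed sample accounts: the league site and the bank share a password.
    sample = {"bank": "Summer2019!", "smallvillelittleleague.org": "Summer2019!",
              "mail": generate_password(20)}
    print("reused:", reused_passwords(sample))
    print("weak 'password'?", is_trivially_weak("password"))
    for row in compare_lengths():
        print(f"{row['length']:2d} chars, {row['bits']:6.1f} bits: "
              f"fast hash {row['fast_hash_years']:.3g} y, slow KDF {row['slow_kdf_years']:.3g} y")
```

Run as a script it prints the comparison table; the numbers are only meaningful relative to each other, since the guess rates are assumed. The point they illustrate is the comment's: for a short password the hash algorithm does most of the work, while a 20-character random password stays out of reach even against a fast unsalted hash.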