I've accumulated many dozens of usernames and passwords for a wide range of web sites that I visit. I probably wouldn't lose much if anybody discovered one of these, they'd just be able to log into the site and pose as me, which is unlikely to cause me much angst.

Apart from that, I've got a small number of usernames and passwords that I don't want anybody else to discover: for Internet banking and other accounts of a corporate or professional nature (my clients' systems, etc). For these, I've chosen passwords that I thought were more secure: a minimum of 8 characters, with a combination of uppercase and lowercase letters, digits and special characters -- studiously avoiding birthday dates, pets' names, and the like, of course! But generally nothing as complex as, say, "Fgpyyih804423" -- something like that is just too hard to recall easily.

At least I thought they were reasonably secure. But hardware is getting inexorably cheaper each year making "brute force" cracking methods much more available to all and sundry, as well as which cracking algorithms are getting smarter all the time.

Jeff Atwood over at Coding Horror has ruined my day by his brief yet illuminating article on Rainbow Tables and their use by Ophcrack. He starts off with:

The multi-platform password cracker Ophcrack is incredibly fast, he says. How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it "strong". The Geekwisdom password strength meter rates it "mediocre".

It most definitely behoves you to read the remainder of Jeff's article and take heed of it. Enough said!