lowyhong: Hmm, to me, better to play safe than be sorry. It's just that I really don't know what to think of Internet and "security" - generally, no matter how much adverts try to convince me of guaranteed security and all that jazz, it seems these two words are seldom synonymous.
Generally, in terms of password security for online accounts, as long as it's over 6 characters and not something your 3 closest friends could guess in under 200 tries, then it's going to be secure enough that it's not going to be brute-forced in your lifetime. Choosing a good enough password is only the most basic aspect of keeping your accounts secure, though. You want to be able to remember your password easily so that you don't ever feel the desire to write it down (a much more significant security risk than a brute-force attack), keep your machine clean of malware so your passwords don't get captured by keyloggers, watch for at least obvious phishing attacks (e.g. double-check the actual address of the page before entering your password, don't just rely on the appearance), use separate, unique passwords for higher value accounts (e.g. bank accounts), and if a site is stupid enough to use those damn "secret questions" for password recovery, don't enter any actual, sensible answers, as things like your mother's maiden name, your first pet, your high school, etc. are all public information that's actually not particularly difficult to dig up.

There's certainly no such thing as guaranteed security, but what each of us can do is recognize which security measures we actually have control over, then make sure those are secure enough that the effort involved in defeating those measures far outweighs the actual benefit of it, but then not put so much effort into improving a single security measure that we allow the overall security to lapse by ignoring other security measures, or by making things so difficult for ourselves that we then start engaging in poor security practices to get around the unnecessary hurdles that we set up.