Why passwords have never been weaker—and crackers have never been stronger.
Ars weighs in on the amazing advances the bad guys have made in password cracking over the last few years. Think you know how to choose something that's safe? The probability is quite high that you don't, even if you're technically ept.
I suggest just reading the whole thing, but in summary: in early password cracking attempts, hackers were using electronic versions of paper dictionaries to generate guesses, along with numbers and punctuation in ways they thought might work. Over the last few years, however, because of the many large compromises and the massive bodies of leaked passwords that have been released online, they're no longer stuck with a theoretical corpus of possible passwords. Now, they have hundreds of millions of actual passwords, ones that have been used in the wild. As it turns out, whatever system you use to generate passwords, if it's not random, someone out there is almost certainly using something similar, and it can probably be attacked. And the crackers now have access to previously unthinkable levels of computing power.
It has now gotten to the point that you need (at least) ten-character, truly random passwords, unique to each site. If you use any kind of pattern at all, someone out there has probably used it on a hacked site, and the bad guys know about it. If a hash of your password escapes, at least with present engineering practices at many major sites, there seems to be about a 90% probability that it will be successfully guessed.
tl;dr version: never re-use a password. Always use at least ten characters. Unless you have an extraordinarily good memory, the implication is that you will need mechanical help, both to randomly generate, and then to manage, these passphrases. And remember that your keystore password, whether you use a cloud service or a local program, needs to be the very best one you have.
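As an added illustration (not code from the Ars article or from this post), here is the "ten characters, truly random" advice put next to a patterned scheme in terms of raw guess count: a password drawn character by character from a CSPRNG versus the familiar "Word + two digits + symbol" habit that leaked corpora teach crackers to try first. The 100,000-word list, 32-symbol set and 10^10 guesses-per-second rate are assumed figures chosen for the comparison, not numbers from the page.

```python
import math
import secrets
import string

# Alphabet for a truly random password: printable ASCII minus whitespace (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 10, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly with the OS CSPRNG (secrets), never random.random()."""
    if length < 10:
        raise ValueError("the post's floor is ten characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(wordlist_size: int, digit_count: int, symbol_count: int) -> float:
    """Effective entropy of 'Word + digits + symbol' once the cracker knows the pattern.

    The search space is wordlist_size * 10**digit_count * symbol_count, no matter
    how long the resulting string looks ('Sunshine42!' is 11 characters but lives
    in a tiny space). Arguments are assumed sizes, not figures from the page.
    """
    return math.log2(wordlist_size * 10 ** digit_count * symbol_count)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline hash rate, for illustration only
    random_bits = random_entropy_bits(10)                      # ~65.5 bits
    pattern_bits = pattern_entropy_bits(100_000, 2, 32)        # ~28.3 bits
    print("random 10-char example:", random_password(10))
    print(f"random 10-char: {random_bits:.1f} bits, "
          f"{seconds_to_exhaust(random_bits, rate) / 3.15e7:.0f} years at {rate:.0e}/s")
    print(f"Word+2 digits+symbol: {pattern_bits:.1f} bits, "
          f"{seconds_to_exhaust(pattern_bits, rate):.3f} seconds at {rate:.0e}/s")
```

The patterned string can be longer than ten characters and still fall in well under a second, which is the post's point that length only helps when the characters are actually random.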