Hello everyone. Let me chime in on the whole password security thing. I'm currently studying in computer science at one of the top universities in Canada, but since this is primarily a car forum, I will try to keep my explanations simple.
One constant mistake I see I.T. people doing is to ask for strong passwords by means of complexity (having a whole bunch of nonsensical special characters and randomly generated garbage that is impossible to remember) rather than asking for a strong password by means of entropy (having a long password, but one that is easy to remember for humans). Let me explain why complexity is irrelevant, and why entropy is what actually makes a strong password. For that, we need to understand the 2 methods of finding a user's correct password in order to log into his account.
The first method is called a rainbow table attack, and all you need to know about this method is that it doesn't work.
The second method is just good old bruteforcing: try combinations of letters (and numbers and special characters) until you find one that works. So why is complexity irrelevant? Because in bruteforce attacks, special characters are also tried, and while for humans it may seem impossible to guess a password with a special character, for a computer trying to bruteforce its way into an account, special characters and numbers aren't what's going to save it. To understand why, you only need to know very basic math, but it's all about them exponential numbers!
So, the alphabet has 26 lowercase characters; if we include the uppercase characters, we have 52 possible characters that can make up one character in your password. Now let's add the 9 digits, so we are at 61, and let's round that number up to a generous 70, to include the typically allowed special characters, like @#$ or whatever. I'll use rather small numbers from now on, just to demonstrate my point. Suppose you ask your user to have a random password of 6 characters total. That gives a total possible amount of combinations of 70 * 70 * 70 * 70 * 70 * 70, or simply 70^6, which is equal to 117649000000 combinations, and suppose the attacker could manage to try 1000 attempts per second (this seems like a large number, but given no other security measures, it could be much higher). It would take 3.73 years to guess that password. Now that seems satisfactory, but like I said, it could take much less time. Now let's see what happens when you just make yourself a long but simple password that is easy to remember. Let's say your password is: MercedesAreBetterThanBMWs, which has 25 characters. The possible amount of combinations for a 25 character long, only alphabetical password is 52^25, which is about 7.945 * 10^42 (if you haven't seen this notation before, it's called scientific notation). To bruteforce that at our previous rate of 1000 attempts per second, it would take 2.52 * 10^32 years. In other words, it will not happen. Just to give you an idea of how long that is, 1 * 10^9 is a billion years.
Simply put, stop this complexity nonsense. If a forum requires you to use a special character and a number, just put it in some really simple combination, like 3#. Make your passwords long, but easy to remember. I could name at least 5 other ways an attacker could break into an account, some of which require the user to take special care, others require that the I.T. crew running the servers take special care. And in none of these cases does a complex password help, but in at least one of these, a long but simple password would.
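The arithmetic in the post, as an added example (not the poster's code): it computes the keyspace, entropy in bits and worst-case time to exhaust it for the two passwords above at 1000 guesses per second, and goes one step further with an assumed attacker model that guesses whole dictionary words (5 words from a 20,000-word list) rather than single letters, which is the pessimistic way to rate a phrase like MercedesAreBetterThanBMWs.

```python
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of its keyspace."""
    return length * log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every password in the keyspace at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def passphrase_years(words: int, vocabulary: int, guesses_per_second: float) -> float:
    """Same calculation when the attacker guesses whole words instead of letters:
    a phrase of `words` words drawn from a `vocabulary`-word list.
    The word count and list size are assumptions for illustration, not from the post."""
    return keyspace(vocabulary, words) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1000  # guesses per second, as in the post
    cases = [
        ("6 random chars, 70-symbol alphabet", 70, 6),
        ("25 letters, upper+lower only", 52, 25),
    ]
    for label, alphabet, length in cases:
        print(f"{label}: {entropy_bits(alphabet, length):.1f} bits, "
              f"{years_to_exhaust(alphabet, length, rate):.3g} years at {rate}/s")
    # Assumed word-level model: 5 words chosen from a 20,000-word list.
    print(f"5-word phrase, 20,000-word list: "
          f"{passphrase_years(5, 20_000, rate):.3g} years at {rate}/s")
```

Even under the word-level model the phrase outlasts the 6-character random password by many orders of magnitude, which is the entropy argument the post makes.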