Technology is useless without proper implementation. Pick long passwords. If you want to choose something that’s spelled phonetically, that’s better than being complicated but short. One of the things that’s wrong with choosing “password” is not that it’s easy to guess, but that it’s only eight characters.
If a black hat is faced with trying to guess n passwords of length 5-10 characters, they can reasonably assume almost all of them are five characters long. Unless the systems they’re attacking require special characters, that’s 26 lowercase + 26 uppercase + 10 numbers = 62 possible characters per position.
So let’s take a standard one-way hash algorithm (call it FOO-1). FOO turns any string into a 20-character hash, which is used to sign it, whatever.
To build a database of all possible values of FOO for five character passwords is not hard:
52^5 * 20 = under a gig of data, and a six-character store becomes almost as easy and a seven-character attack well within affordable storage solutions.
Piece of cake. Now a data attack that exposes the hashes becomes quite lucrative: given the hashed values, an attacker then has a good chance of finding the five/six/seven character string that produces that hashed value.
But if you’re a smart user, even weak hash algorithms like FOO protect you with sufficiently long passwords. Say you decide to pick “password” for your password and then pad it out with zeros to the maximum allowed by any site (in this case, ten). At ten characters, there’s no way a black hat gets it:
52^10 * 20 = 2.89E+18.
It’s untenable to store that much data (and okay, so at this point, you’re probably going to argue that FOO, with a 20-byte output, isn’t all that fun, but you get my point). The black hat’s going to pick off the many easy targets and leave the long-passworded guy alone.
Which, of course, raises another interesting dilemma: should ecommerce sites be required to get user passwords of at least n-length and meeting certain standards, in addition to using industry-standard algorithms? Or do users have the right to expose themselves to harm?
Why not just have a system append x number of characters to the end of every password?
The black hats would have to know that information to make it as trivial as it is today to force crack a short password.
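The storage estimate in the post and the "append characters" idea in the comment above can be checked side by side. The sketch below is an added example, not code from the post or its comments. It assumes SHA-1 as a stand-in for the hypothetical FOO-1 (both emit 20 bytes), a table shrunk to lowercase strings of up to three characters so it builds instantly, and constructed sample passwords; the per-user salt with PBKDF2 is the standard form of the appended-characters idea.

```python
import hashlib
import hmac
import itertools
import os
import string

HASH_BYTES = 20  # assumption: SHA-1 stands in for the post's FOO-1 (20-byte output)

def table_bytes(alphabet_size, length, hash_bytes=HASH_BYTES):
    """Storage for one hash per candidate: the post's alphabet^length * 20."""
    return alphabet_size ** length * hash_bytes

def build_table(alphabet, max_len):
    """Precompute unsalted hash -> password for every string up to max_len."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            pw = "".join(chars)
            table[hashlib.sha1(pw.encode()).digest()] = pw
    return table

def store_unsalted(password):
    """The weak scheme the post describes: a bare one-way hash."""
    return hashlib.sha1(password.encode()).digest()

def store_salted(password, salt=None):
    """Random per-user salt plus a slow KDF; the salt is stored beside the hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 100_000)

def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(store_salted(password, salt)[1], expected)

def demo():
    table = build_table(string.ascii_lowercase, 3)  # 26 + 676 + 17576 entries
    short, padded = "abc", "abc0000000"             # constructed sample passwords
    salt, salted = store_salted(short)
    return {
        "entries": len(table),
        "short_unsalted": table.get(store_unsalted(short)),    # found in table
        "padded_unsalted": table.get(store_unsalted(padded)),  # too long for table
        "short_salted": table.get(salted),                     # salt defeats table
        "verifies": verify_salted(short, salt, salted),
    }

if __name__ == "__main__":
    print(demo())
    print(table_bytes(52, 10))
```

Because the salt is random per user and stored next to the hash, it does not need to stay secret: a table precomputed without it matches nothing, and one table can no longer serve every account.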