The New York Times gives advice about the security of passwords:
For a pretty strong password, think 10. If your password contains 10 characters, you should be able to sleep well at night — perhaps for 19.24 years.
That’s how long it would take hackers to try every combination of 10 characters, assuming that the password is encrypted and that the hackers have enough computing power to mount a 100-billion-guesses-a-second effort to break the encryption.
But if your user names and passwords are sitting unencrypted on a server, you may not be able to sleep at all if you start contemplating the potential havoc ahead. […]
Hackers would love to get their hands on a complete collection of all of your passwords, like those held at LastPass, a cloud-based password management service. At the instruction of its customers, LastPass stores user names and passwords on its server as each Web site is visited, then fills in everything automatically on subsequent visits.
LastPass reported last month that it had noticed some odd behavior in its network traffic logs and might have suffered an online break-in.
I’ve been a customer of LastPass since last year and felt a twinge of concern upon hearing the news. But my nerves were calmed by the enthusiasm of independent security experts who view LastPass’s security model as exceptionally well designed. LastPass does not store actual passwords, only the encrypted forms. It does not hold the key to decrypting them — only its users hold that. It doesn’t even store the user’s master LastPass password, the one used to gain access to all the others: this, too, is encrypted before it is sent to the cloud and arrives at LastPass.
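The arithmetic behind the article's "10 characters, 19.24 years" figure, as an added example (not code from the Times piece or this blog): it computes worst-case exhaustive-search time from character-set size, length and guess rate, and shows that the rate assumption, which depends on how the stored password was hashed, matters as much as the length. The 365-day year, the character-set sizes and the 10,000-guesses-per-second "slow hash" rate are assumptions of this example.

```python
"""Worst-case brute-force search time for a password of a given length.

Added example, not from the Times article or the blog post: it reproduces
the "10 characters at 100 billion guesses a second" figure and shows how
the answer hinges on the character set and on the guess rate, which in
turn depends on how the stored password was hashed.
"""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: 365-day year

# Character-set sizes an attacker might assume; 95 is printable ASCII
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def keyspace(alphabet_size: int, length: int, include_shorter: bool = True) -> int:
    """Candidates of exactly `length` chars, or of every length 1..`length`."""
    if include_shorter:
        return sum(alphabet_size ** k for k in range(1, length + 1))
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float, include_shorter: bool = True) -> float:
    """Years to try every candidate at a fixed guess rate (expected time is half)."""
    return keyspace(alphabet_size, length, include_shorter) / guesses_per_second / SECONDS_PER_YEAR


def search_time_table(length: int = 10, rates=(1e11, 1e4)) -> dict:
    """Map (charset, rate) -> years. 1e11/s is the article's rate for a fast
    hash; 1e4/s is an assumed (constructed) rate for a deliberately slow
    password hash, seven orders of magnitude fewer guesses per second."""
    return {(name, rate): years_to_exhaust(size, length, rate)
            for name, size in CHARSETS.items() for rate in rates}


if __name__ == "__main__":
    # Printable ASCII at 1e11/s lands at roughly 19 years, matching the article;
    # lowercase-only at the same rate is exhausted in minutes.
    for (name, rate), years in search_time_table().items():
        print(f"{name:16s} @ {rate:>8.0e}/s: {years:14.4f} years")
```

Only the 95-character printable-ASCII set reproduces the article's figure; a 10-character lowercase password at the same rate falls in under an hour, which is why the character set and the hashing scheme, not the length alone, decide how long you can "sleep well".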