I just received a couple of spam emails from a friend who had had her email account hacked. The hacker sent the spam to everyone on her contact list. Here's what I told her:
First, replace your old password!
Second, choose a password that can't be guessed based on text in your emails!
Third, write down the password. Keep that piece of paper till you remember the password without looking.
A hard-to-guess password
The simplest way to construct such a password is to use two words, the longer the better.
Since you've recently been hacked, don't use any words that may have appeared in your emails. The hacker may have harvested the emails you wrote, and may use them later to try to guess your new password. For example, pick two places that you have never visited, never plan to visit, and have never talked about visiting. Or pick two names of people you don't know or ever talk about, or two types of plants, or two of something else. Longer words are best.
Once you've picked the two words, pick a digit to go between them. Almost every web site allows passwords to contain a combination of letters and digits.
If the password is too long, discard the extra letters. It's best if the result isn't a real word.
If the password needs to contain both upper- and lower-case letters, change one of the letters to upper case.
If the password requires punctuation (a "special character") as well as letters and digits, pick a special character and stick it in a memorable place.
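The construction steps above, written out as an added Python example (not part of the original post). The word list, the `avoid` parameter, the special-character set and the function names are assumptions made for illustration; `scheme_bits` goes slightly beyond the text by estimating how many guesses the scheme forces on someone who knows it.

```python
import math
import secrets
import string

# Constructed sample list (place names); a real list should hold thousands of words.
WORDS = ["reykjavik", "timbuktu", "ushuaia", "windhoek", "vientiane",
         "paramaribo", "thimphu", "nouakchott", "ljubljana", "antananarivo"]
SPECIALS = "!#$%*+-=?@"  # assumed set; use whatever the site accepts


def build_password(words, avoid=(), max_len=None, need_upper=False,
                   need_special=False):
    """Two random words with a digit between, then adjusted to site rules."""
    avoid = {w.lower() for w in avoid}  # e.g. words found in your old emails
    pool = sorted({w.lower() for w in words} - avoid)
    if len(pool) < 2:
        raise ValueError("need at least two usable words")
    first = secrets.choice(pool)
    second = secrets.choice([w for w in pool if w != first])
    special = secrets.choice(SPECIALS) if need_special else ""
    if max_len is not None:
        # Discard extra letters, but keep the digit and special character.
        budget = max_len - 1 - len(special)
        if budget < 2:
            raise ValueError("max_len too small for this scheme")
        keep = min(len(first), max((budget + 1) // 2, budget - len(second)))
        first, second = first[:keep], second[:budget - keep]
    if need_upper:
        i = secrets.randbelow(len(first))
        first = first[:i] + first[i].upper() + first[i + 1:]
    return first + secrets.choice(string.digits) + second + special


def scheme_bits(n_words, need_special=False):
    """log2 of the guesses needed by someone who knows the scheme and list.

    Ignores the capital letter's position and assumes no truncation.
    """
    space = n_words * (n_words - 1) * 10
    if need_special:
        space *= len(SPECIALS)
    return math.log2(space)


if __name__ == "__main__":
    print(build_password(WORDS, avoid={"timbuktu"}, max_len=16,
                         need_upper=True, need_special=True))
    print(round(scheme_bits(len(WORDS)), 1), round(scheme_bits(7776), 1))
```

With a 7,776-word list the scheme works out to roughly 29 bits, which holds up against casual guessing but not against large-scale trial-and-error guessing.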
For many people, the real risk to their computer systems comes from remote hackers on the Internet, and not from people in their home, office, or community.
Even after you've gone to the trouble of constructing a strong password, you probably won't memorize it without some practice. By writing it down, you allow yourself to practice remembering it each time you type it in. After a while you'll find that you don't need the piece of paper. At that point you throw it away.
The written password does pose a short-term risk. If someone steals your wallet or purse along with your smart phone, they might find the password and exploit it. This is why you need to throw it away eventually.
A good alternative to writing the password(s) down is to buy software like 1Password, Password Safe, and so on. These programs help you construct strong passwords and they provide you with a safe place to store them. I use "1Password" myself, since it works on all my smart phones and desktops. In many cases it will enter the password for me when I enter a web site.
I generally use 1Password's "generate a password" feature to help build my passwords. If I never plan to type in the password myself, then I let it choose a really long, random password. If I'm going to have to type the password myself, then I use it to construct a "starter" password which I then modify or embellish so that it isn't too hard to type and it meets the site's password requirements.
There is no such thing. There are many ways by which a password may be stolen. Some involve cryptanalytic attacks using trial-and-error guessing on lists of words. It is very hard to protect against such an attack, though this type of password protects against the easiest of such attacks.
Often, a password is stolen either from your computer or from the server you visit as you type it in. The most advanced password selection in the world won't protect you from such an attack. Here are the only ways you can protect against such attacks:
Avoiding such things is like avoiding a robbery or other crime: some of it depends on caution and some of it depends on luck. If you're in the wrong place at the wrong time, anything may happen.