How secure should I make my password?

September 3, 2012, by guestauthor
This is a guest post by James Doc.
There has been a lot of noise on various technology websites about large web companies having passwords stolen from their databases. Last.fm, Dropbox, LinkedIn and others have all had issues recently and have encouraged users to sign in and change their passwords; some have even reset passwords for users. My confession is that until this happened, my Dropbox and Gmail passwords were identical, and that password I had used all over the internet since I was about 13.
In light of this I’ve started changing a lot of my passwords! There are lots of tools for keeping passwords, such as AgileBits’ 1Password, which is highly reviewed, but I don’t like the idea that a single password could unlock all my other passwords. Instead I started from scratch, working out how I would set my passwords. It’s taken a while to implement, but I am now using a three-tiered structure for setting my passwords:

Level one: I really don’t care…

There aren’t many accounts that come under this level; level one is for accounts that I really have little care about. These include newsletter signups that want a password for some reason, or the forums that I post on once in a blue moon.
Because they contain no personal information I am comfortable using the same password on all of these. The password is all lowercase and less than 10 characters. While there are about 5 trillion possible combinations of such a password (26^9 for nine lowercase letters), it would only take about 22 minutes to crack*.

Level two: For websites I access regularly

I’m talking about the sites I visit pretty regularly here: things like my social networking pages, my Evernote password, my Skype password, and so on. These accounts have a lot of personal data associated with them and I’m not keen on that getting out.
These passwords need to be secure, but easy to remember. People have got it into their minds that a secure password is something like ‘h3Ll0,\/\/oRld’, and while it is secure, it is a right pain to remember**. Instead of worrying about character substitutions, I use a long password made up from a memorable phrase that I relate to the service; for example, with Facebook I may choose the title and author of one of my favourite books, or the name and artist of one of my favourite tracks. This creates an easy to remember password that is different for each site, yet long enough to take a while to crack: for example, just ‘harry potter and the goblet of fire’ would take 57 duodecillion years to brute force* (and that is not my Facebook password!). That figure assumes the attacker tries every combination of characters; an attacker who feeds a list of known book titles or song names into the cracker gets there far faster, so the phrase should not be one that appears verbatim in such a list.
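To make the numbers in the level one and level two sections concrete, here is a small calculator, added to this post and not from the original author. It computes the keyspace, the entropy in bits, and the brute-force time for each tier. The guessing rate of 4 billion per second is an assumption chosen so that nine lowercase letters take roughly 22 minutes, as the post states; real rates depend entirely on how the site hashed the password. The word list sizes (10,000 common words, 1,000,000 known titles) are likewise constructed assumptions used to show why a published book title is weaker than its character count suggests.

```python
"""Keyspace and brute-force time for the three password tiers.

Added example, not code from the original post.  GUESSES_PER_SECOND is an
assumed offline cracking rate picked so that a 9-character lowercase password
takes about 22 minutes; the word-list sizes are constructed assumptions too.
"""
import math
import string

LOWERCASE = len(string.ascii_lowercase)                      # 26
LOWERCASE_SPACE = LOWERCASE + 1                              # 27: letters plus space
MIXED = len(string.ascii_letters + string.digits + string.punctuation)  # 94

GUESSES_PER_SECOND = 4.0e9      # assumption (see module docstring)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

COMMON_WORDS = 10_000           # assumed vocabulary for a word-by-word attack
KNOWN_TITLES = 1_000_000        # assumed list of book titles / song names


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet."""
    return alphabet_size ** length


def entropy_bits(combinations: int) -> float:
    """Equivalent strength in bits: log2 of the number of candidates."""
    return math.log2(combinations)


def brute_force_seconds(combinations: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return combinations / rate


def brute_force_years(combinations: int, rate: float = GUESSES_PER_SECOND) -> float:
    return brute_force_seconds(combinations, rate) / SECONDS_PER_YEAR


def phrase_attacks(num_words: int) -> dict:
    """Three ways an attacker can treat a passphrase of `num_words` words.

    'characters': naive brute force over letters and spaces (what the post's
    '57 duodecillion years' figure assumes).
    'word_list':  every combination of COMMON_WORDS dictionary words.
    'known_title': the phrase is one entry in a list of KNOWN_TITLES; the
    attacker just tries the whole list.
    """
    phrase_len = "harry potter and the goblet of fire"  # 7 words, 34 chars
    chars = len(phrase_len)
    return {
        "characters": brute_force_years(keyspace(LOWERCASE_SPACE, chars)),
        "word_list": brute_force_years(keyspace(COMMON_WORDS, num_words)),
        "known_title": brute_force_seconds(KNOWN_TITLES),
    }


def tier_report() -> dict:
    """Summary for the three tiers described in the post."""
    level_one = keyspace(LOWERCASE, 9)            # all lowercase, under 10 chars
    level_three = keyspace(MIXED, 16)             # assumed: 16 mixed characters
    return {
        "level_one_combinations": level_one,
        "level_one_bits": entropy_bits(level_one),
        "level_one_minutes": brute_force_seconds(level_one) / 60,
        "level_two": phrase_attacks(7),
        "level_three_bits": entropy_bits(level_three),
        "level_three_years": brute_force_years(level_three),
    }


if __name__ == "__main__":
    r = tier_report()
    print(f"Level 1: {r['level_one_combinations']:,} combinations, "
          f"{r['level_one_bits']:.1f} bits, {r['level_one_minutes']:.1f} min")
    for attack, t in r["level_two"].items():
        unit = "s" if attack == "known_title" else "years"
        print(f"Level 2 ({attack:11s}): {t:.3g} {unit}")
    print(f"Level 3 (16 mixed chars): {r['level_three_bits']:.1f} bits, "
          f"{r['level_three_years']:.3g} years")
```

Running it reproduces the post's level one figures (about 5.4 trillion combinations, about 42 bits, about 22.6 minutes at the assumed rate) and shows the gap between the character-level estimate for the passphrase and the list-based attacks: a seven-word phrase built from common words is still strong, but a phrase that is itself a known title falls in well under a second once it is in the attacker's list.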

Level three: Secure accounts

I really don’t want my email, my online banking or my PayPal accounts to be accessed by anyone except me. With the level two accounts, if you know me well enough and have enough time, you could probably guess some of them. These passwords always contain a mixture of capitals, numbers and symbols, and are always long and always unique.
What do you think? Am I being paranoid? Is there a huge hole in my plan?