It's just the result of reading for a work-related project last week, so still fresh in my mind. All non-brain-dead password systems will use a so-called hash function to secure your password. A good hash function is one that is one-way, i.e. you can't invert the order of operations to find the password from its hash. That said, some hash functions commonly used were not meant to secure passwords, and are too easy to calculate. That means brute-force attempts to guess every possible password can run at high speed on fast CPUs, on the massively parallel supercomputers-within-our-computers that are called graphics cards, or on cloud services like Amazon Web Services. Good hash functions are designed to be slow and expensive to calculate, to raise the cost of brute-force, while not imposing too large a burden on legitimate site operators.
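To make the point about fast versus slow hashes concrete, here is an added example (my code, not anything from the post above). It runs the same offline dictionary attack against a password stored under a plain SHA-256 hash and under PBKDF2-HMAC-SHA256 from the Python standard library, and measures how many times more CPU time the slow scheme costs the attacker. Assumptions of mine: the candidate list is a constructed stand-in for a real wordlist, and PBKDF2 stands in for purpose-built password hashes such as bcrypt, scrypt or Argon2, which are slower still and also memory-hard.

```python
"""Added example: why a slow, salted password hash raises the cost of
brute-force guessing compared with one pass of a fast general-purpose hash.

Not code from the original post. PBKDF2-HMAC-SHA256 is used here because it
is in the standard library; bcrypt, scrypt and Argon2 are the purpose-built
alternatives a site operator would normally pick.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

Hasher = Callable[[str, bytes], bytes]

# Constructed wordlist: a handful of entries standing in for a real dictionary.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "Tr0ub4dor&3"]


def fast_hash(password: str, salt: bytes) -> bytes:
    """One SHA-256 pass. SHA-256 is a fine hash but a poor password hash:
    a GPU evaluates billions of these per second."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: deliberately iterates the hash so that every guess
    costs roughly `iterations` times as much as fast_hash does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password: str, hasher: Hasher) -> tuple[bytes, bytes]:
    """What a site keeps: a fresh random salt plus hasher(password, salt).
    A per-user salt stops one precomputed table from covering every user."""
    salt = os.urandom(16)
    return salt, hasher(password, salt)


def crack(stored: bytes, salt: bytes, hasher: Hasher, candidates) -> tuple[Optional[str], int]:
    """Offline dictionary attack against one stored hash.
    Returns (recovered password or None, number of guesses tried)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        # Constant-time compare: irrelevant for an offline attacker, but it is
        # the habit to keep wherever a hash is checked.
        if hmac.compare_digest(hasher(candidate, salt), stored):
            return candidate, guesses
    return None, guesses


def cost_ratio(password: str, candidates, iterations: int = 20_000) -> float:
    """How many times longer the same dictionary run takes against the slow
    hash than against the fast one (wall-clock, so only approximate)."""
    def slow(p: str, s: bytes) -> bytes:
        return slow_hash(p, s, iterations)

    salt, fast_stored = store(password, fast_hash)
    slow_stored = slow(password, salt)

    t0 = time.perf_counter()
    crack(fast_stored, salt, fast_hash, candidates)
    fast_time = time.perf_counter() - t0

    t0 = time.perf_counter()
    crack(slow_stored, salt, slow, candidates)
    slow_time = time.perf_counter() - t0
    return slow_time / max(fast_time, 1e-9)


if __name__ == "__main__":
    salt, stored = store("letmein", fast_hash)
    print("fast hash, weak password:", crack(stored, salt, fast_hash, CANDIDATES))
    salt, stored = store("not in any wordlist! 8f3k", slow_hash)
    print("slow hash, strong password:", crack(stored, salt, slow_hash, CANDIDATES))
    print("slow/fast attacker cost ratio: ~%.0fx" % cost_ratio("letmein", CANDIDATES))
```

Two things worth noticing when you run it: the weak password falls to the dictionary under either hash, so slowness only buys time, it does not rescue "letmein"; and the ratio is set entirely by the iteration count, which is why the legitimate site pays that cost once per login while the attacker pays it once per guess.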
No, but you need to start with a realistic assessment of risks. Most of us don't need to worry about the NSA or the Mafia trying to crack our passwords (they have simpler means to do so). We have to worry about sloppy site security and being caught in the dragnet of automated password guessing.
The first step is to identify which passwords matter and which ones don't. If your RFF account gets hacked, the consequences are less dire than if it's your online banking. It's thus worth spending less time and effort securing it. Pick secure passwords (use punctuation, not just alphanumerics, and don't use dictionary words or names). Don't reuse passwords for anything that matters. You should also definitely turn on two-factor authentication on anything that matters (and consider switching to more security-conscious providers if they don't offer 2FA):
https://twofactorauth.org/
One other thing worth mentioning: most sites will allow you to reset a lost password by email. If your email itself is compromised, it doesn't matter how strong your passwords are, and most ISPs or webmail providers have shockingly poor security - their poorly paid and trained customer service reps can easily be fooled ("socially engineered") into giving the keys to your email to a smooth-tongued stranger:
http://krebsonsecurity.com/2014/09/we-take-your-privacy-and-security-seriously/
I was referring to Edward Snowden, of course. He didn't hack the NSA; he just (ab)used privileges he had as a contract sysadmin, and convinced people there to give him their passwords (clearly the NSA didn't use 2FA for internal use, tsk, tsk). If there is one place on Earth that should be paranoid about security, it is the NSA, and the fact they failed at it shows no one is immune. Similarly with the RSA SecurID hack: those keys are used by most large corporations to guard access to their IT, and the vendor couldn't even protect its own security, when that is their core business.
That's why I take an extremely jaundiced view of alleged security solutions. When a vendor like AgileBits makes excessively optimistic (i.e. hubristic) claims about the security of its 1Password software, my BS detectors red-line, and I automatically assume they are either liars or, worse, so incompetent that they don't realize the extent of their incompetence (the Dunning-Kruger effect). In short: I would not trust either 1Password or LastPass. If you use Mac OS X or iOS, or Google Chrome, or Firefox, you have perfectly decent password-management and sync functionality built in (at least for non-critical sites like RFF); why would you want to add a third-party vendor making unsubstantiated claims about the security of their solution?