Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: chessnut on May 29, 2015, 11:00:18 AM



Title: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 11:00:18 AM
Hi everyone,

This serves as another lesson to make your brain wallets silly hard to hack.

My brain wallet, in the form of example123example123example123 (example123 was my Bitcointalk password), was hacked, resulting in the loss of 12 BTC I had freshly put in there. Before I noticed it was hacked I sent another 7 BTC there and luckily got it out before the hacker did.

This was my brain wallet 17z2uppQS9fyag5KtbQ6KNiCBrNSL1z64r

This is the Hackers wallet, with the funds in it at the time of writing 153h8BH61rQgfyujZjJqjQNSsRK2Hsaf3A


The community might take interest in this address as the hackers of bitcoin talk are prime suspects.

It's crazy; is this guy lucky, or is it really that easy to hack brain wallets?

Take care!


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: DarkHyudrA on May 29, 2015, 11:07:07 AM
And how did he find out that this address is yours?


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: NUFCrichard on May 29, 2015, 11:07:27 AM
Sorry to hear that.
I don't understand exactly how that happened to you, what information did you have on your bitcointalk account that helped them hack your brain wallet?

It is the number one reason why bitcoin hasn't taken off as we all hope; security is much harder to perfect than almost everyone thinks.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 11:17:56 AM
And how did he find out that this address is yours?


He must have hacked my Bitcointalk password, like most of us, and tried many combinations to produce my private key.

Sorry to hear that.
I don't understand exactly how that happened to you, what information did you have on your bitcointalk account that helped them hack your brain wallet?

It is the number one reason why bitcoin hasn't taken off as we all hope; security is much harder to perfect than almost everyone thinks.

I received an email from Bitcointalk that the hacker who brought down Bitcointalk for a few days could have stolen my password hash amongst other things. This same password, in the form of 'passwordpasswordpassword', was my brain wallet. It's a pretty random password; I don't believe it was brute-force hacked. I'm really baffled; I think it must have been the Bitcointalk hacker targeting me. There is also a chance it was bitaddress.org that was compromised, but I've never had that trouble before.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: NUFCrichard on May 29, 2015, 11:21:15 AM
That sucks. I hope you didn't have all of your bitcoin in that one wallet, though obviously 12 bitcoin is a hell of a lot to lose anyway.

Bitcointalk should probably use 2FA to protect the users; I can't see much reason not to offer it at least.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Kyraishi on May 29, 2015, 11:22:46 AM
And how did he find out that this address is yours?


He must have hacked my Bitcointalk password, like most of us, and tried many combinations to produce my private key.

Sorry to hear that.
I don't understand exactly how that happened to you, what information did you have on your bitcointalk account that helped them hack your brain wallet?

It is the number one reason why bitcoin hasn't taken off as we all hope; security is much harder to perfect than almost everyone thinks.

I received an email from Bitcointalk that the hacker who brought down Bitcointalk for a few days could have stolen my password hash amongst other things. This same password, in the form of 'passwordpasswordpassword', was my brain wallet. It's a pretty random password; I don't believe it was brute-force hacked. I'm really baffled; I think it must have been the Bitcointalk hacker targeting me. There is also a chance it was bitaddress.org that was compromised, but I've never had that trouble before.

Did you use the live version of bitaddress, or did you download the GitHub repository and create your address from that?
Also, did you scan your PC for keyloggers, trojans, etc.?


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: bronan on May 29, 2015, 11:24:03 AM
Even bank, government and massive shop sites and systems are not safe.
Let me remind you NASA, the FBI and the CIA have been victims as well.
Yes, it's often a small gap, but they always seem to find that small failure in the systems.
Nothing is absolutely safe against these attacks.
For most people it's too much to stay safe; small mistakes by any person using your system can make a big hole in your security.
Some girlfriend of my wife was a real Facebook lover and opened up all kinds of sites and never refused any of the Java and Adobe stuff; it's obvious that my system got infiltrated.
So even though some are trying to make it hard to get hacked, a friend or girlfriend could easily make the same mistake.
I have huge problems getting people to use different passwords on different sites and programs; they simply refuse because they cannot remember more than 2 passwords.
Even today I noticed a group of workers who shared the system passwords freely, everywhere stickers with the passwords from all of them.
It's time we find better ways to secure our programs/sites, whatever, from these problems.
I was hoping biometrics would solve a lot, but I found even these have flaws and sometimes are worse than having passwords.




Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 11:35:19 AM
There is also a chance it was bitaddress.org that was compromised, but I've never had that trouble before.

Did you use the live version of bitaddress, or did you download the GitHub repository and create your address from that?
Also, did you scan your PC for keyloggers, trojans, etc.?

I used the live version of bitaddress. I'm not very computer savvy; I don't know how to tell if I have keyloggers on my computer. I am using Ubuntu 14.04, be that as it may. I've never had trouble on Linux (except possibly this occasion).

That sucks. I hope you didn't have all of your bitcoin in that one wallet, though obviously 12 bitcoin is a hell of a lot to lose anyway.

Bitcointalk should probably use 2FA to protect the users; I can't see much reason not to offer it at least.

It wasn't too much of my total BTC worth, but plenty enough to make me cringe.  >:( I was thinking of buying a new laptop but I'm not feeling that rich any more.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: spartacusrex on May 29, 2015, 11:42:00 AM
Sorry to hear that..  >:(

May I ask how many characters your Bitcointalk password was? I'll use X.

So the attack 'could' have been:

1) Hack bitcointalk and download the hash of all the passwords.

2) Check password hashes against known hashes in rainbow tables and then brute force all combinations up to X letters still missing.

3) If you find a valid password/hash combo, try it in brainwallet and see if the address exists. Try many combinations of the password, including stringing multiple copies together. Maybe billions.

4) Empty any funds found.

..

Very harsh my friend.

I use a brainwallet too, but the password is VERY loonnggg.. (over 200 characters: symbols/numbers/letters etc.), not repeated strings, never used in part or in full anywhere else. Ever...


..GRUDDDAMMM HACCKKKERRSSS@!!!@£$!


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: shulio on May 29, 2015, 11:43:15 AM
The hacker could be the one that hacked Bitcointalk, because most of our passwords are compromised and I don't see many people claim that they lost their account because of the server compromise. It seems like his target is this: to hack the brain wallets of the bitcoin addresses that may have the same password as the Bitcointalk password.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: franky1 on May 29, 2015, 11:44:41 AM
Lesson to learn: don't use

example123example123example123example123

If anything,
3x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp73123
3x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp731233x4mp73123

Use really long passphrases, and not with dictionary words spelled out exactly as found in the dictionary.

If it's not at least 50 characters long, you might as well say goodbye to it within a couple of months.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: franky1 on May 29, 2015, 11:46:17 AM
The hacker could be the one that hacked Bitcointalk, because most of our passwords are compromised and I don't see many people claim that they lost their account because of the server compromise. It seems like his target is this: to hack the brain wallets of the bitcoin addresses that may have the same password as the Bitcointalk password.

If only websites had some common sense and didn't store clear-text passwords..

All passwords should be hashes of a password that is converted at login, but the cleartext is never stored.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: NorrisK on May 29, 2015, 11:47:05 AM
There is also a chance it was bitaddress.org that was compromised, but I've never had that trouble before.

Did you use the live version of bitaddress, or did you download the GitHub repository and create your address from that?
Also, did you scan your PC for keyloggers, trojans, etc.?

I used the live version of bitaddress. I'm not very computer savvy; I don't know how to tell if I have keyloggers on my computer. I am using Ubuntu 14.04, be that as it may. I've never had trouble on Linux (except possibly this occasion).

That sucks. I hope you didn't have all of your bitcoin in that one wallet, though obviously 12 bitcoin is a hell of a lot to lose anyway.

Bitcointalk should probably use 2FA to protect the users; I can't see much reason not to offer it at least.

It wasn't too much of my total BTC worth, but plenty enough to make me cringe.  >:( I was thinking of buying a new laptop but I'm not feeling that rich any more.


I think it is wise to run a good antivirus program. I would try Hitman Pro; it has a 30-day free trial for its full version.
In addition, install Hitman Pro Alert, which monitors and blocks any suspicious browser activity (I think it blocks stuff like browser hijackers etc.).


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Jamie_Boulder on May 29, 2015, 11:48:23 AM
Perfect example why everyone should change their passwords on all platforms if they were the same as their bitcointalk one.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Kyraishi on May 29, 2015, 11:49:06 AM
@OP I have one more question:

Did you not change your forum password after the hack?
Theymos made it clear that it is better to change your password to be on the safe side.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 11:54:49 AM
@OP I have one more question:

Did you not change your forum password after the hack?
Theymos made it clear that it is better to change your password to be on the safe side.

I did change my password asap after the hack.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: shulio on May 29, 2015, 11:57:11 AM
The hacker could be the one that hacked Bitcointalk, because most of our passwords are compromised and I don't see many people claim that they lost their account because of the server compromise. It seems like his target is this: to hack the brain wallets of the bitcoin addresses that may have the same password as the Bitcointalk password.

If only websites had some common sense and didn't store clear-text passwords..

All passwords should be hashes of a password that is converted at login, but the cleartext is never stored.

Some websites have this feature, but I think at Bitcointalk this is not the way they store our passwords. Because of the server compromise, a lot of old VIP accounts that never posted came back to post. I think this makes sense: this is the hacker's target, because if he hacks a usual account, theymos can easily restore it. I guess the hacker hit a jackpot.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Lorenzo on May 29, 2015, 12:09:02 PM
The hacker could be the one that hacked Bitcointalk, because most of our passwords are compromised and I don't see many people claim that they lost their account because of the server compromise. It seems like his target is this: to hack the brain wallets of the bitcoin addresses that may have the same password as the Bitcointalk password.

If only websites had some common sense and didn't store clear-text passwords..

All passwords should be hashes of a password that is converted at login, but the cleartext is never stored.

The hacker could be the one that hacked Bitcointalk, because most of our passwords are compromised and I don't see many people claim that they lost their account because of the server compromise. It seems like his target is this: to hack the brain wallets of the bitcoin addresses that may have the same password as the Bitcointalk password.

If only websites had some common sense and didn't store clear-text passwords..

All passwords should be hashes of a password that is converted at login, but the cleartext is never stored.

Some websites have this feature, but I think at Bitcointalk this is not the way they store our passwords. Because of the server compromise, a lot of old VIP accounts that never posted came back to post. I think this makes sense: this is the hacker's target, because if he hacks a usual account, theymos can easily restore it. I guess the hacker hit a jackpot.

Isn't this what BitcoinTalk did, though? Passwords were never stored in plaintext but were instead stored as cryptographic hashes. Had this not been the case, there would be far more compromised accounts than what we're seeing right now:

Quote
Compromised password hashes means that your actual passwords have not been revealed but their hash has. What that can do is link passwords across different accounts. For example the most common password hash algorithm is the md5 which is used to store a one way hash of a password. The md5 hash of the password "abc123" would be "e99a18c428cb38d5f260853678922e03". It is a good idea to change the password on any accounts that used the same password as your bitcointalk account because an attacker can try to access your alternate accounts by authenticating to the server by sending packets of your hashed password and username.

Link: http://themerkle.com/psa/bitcointalk-server-compromised-due-to-a-social-engineering-attack/

Quote
At 09:00 UTC on 24 of May I received an email telling me that the owner of the server of bitcointalk.org had lost control of among other things the password hashes. Since the passwords were not stored themselves the hacker couldn't get the passwords but could confirm a given word to be a password by comparing its hash to the hashes that were stolen.

Link: http://letstalkbitcoin.com/forum/post/bitcointalk-hacked

An older article:

Quote
Fortunately, Bitcointalk.org stores passwords in cryptographic hashes meaning that clear passwords would not have been leaked to the attacker. Given enough time and energy a determined attacker can still decrypt the passwords; but using hashes is still an excellent practice that gives establishments and forum users enough time to get them changed to help reduce the damage from a password leak.

http://siliconangle.com/blog/2011/09/12/forum-user-passwords-possibly-stolen-in-bitcointalk-org-bill-cosby-hack/
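
The quoted explanations above describe why a leaked hash is not a leaked password but still lets an attacker "confirm a given word to be a password". The following is an added example, not code from the thread or from the forum software: it contrasts an unsalted MD5 record (the scheme the themerkle.com quote uses as its illustration) with a salted, iterated PBKDF2 record, and runs the same dictionary guess against both. The record format, the hypothetical users and the wordlist are this example's own constructions; nothing here describes how Bitcointalk actually stored hashes.

```python
import hashlib
import hmac
import os


def md5_record(password):
    """What an unsalted-MD5 site stores: one fast hash, identical for every user with that password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None, iterations=600_000):
    """Salted, iterated record 'pbkdf2_sha256$iterations$salt$key' (format is this example's own)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record, password):
    """Login check that never needs the cleartext on disk; constant-time comparison."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_md5(record, wordlist):
    """Offline guessing against a leaked MD5: one hash per guess, and one table serves all users."""
    for guess in wordlist:
        if md5_record(guess) == record:
            return guess
    return None


def crack_pbkdf2(record, wordlist):
    """The same dictionary attack on the salted record: still works for a weak password,
    but every guess costs `iterations` HMACs and the work cannot be shared across users."""
    for guess in wordlist:
        if pbkdf2_verify(record, guess):
            return guess
    return None


def guess_cost(record):
    """Relative attacker cost per guess: 1 for a bare MD5, `iterations` for a PBKDF2 record."""
    return int(record.split("$")[1]) if record.startswith("pbkdf2_sha256$") else 1


DEMO_WORDLIST = ["123456", "password", "abc123", "letmein"]  # constructed wordlist

if __name__ == "__main__":
    leaked_md5 = md5_record("abc123")            # the value quoted above
    leaked_pbkdf2 = pbkdf2_record("abc123", iterations=100_000)
    print(crack_md5(leaked_md5, DEMO_WORDLIST), guess_cost(leaked_md5))
    print(crack_pbkdf2(leaked_pbkdf2, DEMO_WORDLIST), guess_cost(leaked_pbkdf2))
    # Two users with the same password get different salted records, so one cracked
    # record says nothing about the other; with MD5 both records would be identical.
    print(pbkdf2_record("abc123", iterations=1000) != pbkdf2_record("abc123", iterations=1000))
```

The salt defeats the shared rainbow table the quote warns about; the iteration count is what slows the per-guess work. Neither rescues a password like "abc123", which is the thread's actual lesson: the fix for a reused, guessable password is a different password, not a better hash.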


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Kyraishi on May 29, 2015, 12:15:41 PM
@OP I have one more question:

Did you not change your forum password after the hack?
Theymos made it clear that it is better to change your password to be on the safe side.

I did change my password asap after the hack.

After the forum hack or your wallet hack?
If it was after the forum hack, then why didn't you change your wallet password as well?

-snip-

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

-snip-


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: cinnamon_carter on May 29, 2015, 12:17:56 PM
To use or not to use a brain wallet, I think, is a careful choice you need brainpower to make.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 12:25:12 PM
@OP I have one more question:

Did you not change your forum password after the hack?
Theymos made it clear that it is better to change your password to be on the safe side.

I did change my password asap after the hack.

After the forum hack or your wallet hack?
If it was after the forum hack, then why didn't you change your wallet password as well?

-snip-

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

-snip-

Well, silly me, I should have changed it. But having received that email saying the hacker probably only had a hash of my password, I thought it would be fine, since the brain wallet was furthermore in the form of passwordpasswordpassword. The address was emptied just hours after I deposited the funds. I had deposited 0.1 BTC beforehand without trouble. Spooky.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: rtrtcrypto on May 29, 2015, 12:30:29 PM
When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".

Your password had very low entropy - it was just a matter of time. Repeating words in patterns does NOTHING against an attack.

Password123 and the same repeated 10x is worthless.
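
Turning rtrtcrypto's recommendation above into something checkable, as an added example that is not code from the thread: it computes how many uniformly chosen words a list of a given size needs to reach a target entropy, and draws them with the operating system's CSPRNG (`secrets`) rather than from anyone's head. The 64-word list is a constructed stand-in for demonstration only; a real Diceware list has 7776 entries, and the functions take the list size as a parameter so the numbers for the real list are shown too.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 7776  # 6^5 entries in the standard Diceware list


def bits_per_word(list_size):
    """Entropy contributed by one uniformly chosen word from a list of list_size words."""
    return math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def passphrase_bits(num_words, list_size):
    """Entropy of a passphrase of num_words independent picks; repeating a word adds nothing."""
    return num_words * bits_per_word(list_size)


def generate_passphrase(wordlist, target_bits=96):
    """Pick the words with the OS CSPRNG (secrets.choice), never by hand or with random.choice."""
    n = words_needed(len(wordlist), target_bits)
    return " ".join(secrets.choice(wordlist) for _ in range(n))


# Constructed 64-word demo list (6 bits per word). Far too small for real use; it only
# exists so the example runs offline. Use the published Diceware list in practice.
DEMO_WORDS = [
    "acorn", "badge", "cabin", "dairy", "eagle", "fable", "gator", "habit",
    "igloo", "jelly", "kayak", "lemon", "mango", "noble", "olive", "panda",
    "quartz", "radar", "salsa", "tango", "ultra", "vapor", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "delta", "ember", "flint",
    "glide", "honey", "ivory", "jumbo", "koala", "lunar", "maple", "nylon",
    "orbit", "pixel", "quill", "river", "solar", "tulip", "umpire", "vivid",
    "wheat", "xerox", "yodel", "zesty", "anvil", "brick", "cocoa", "dune",
    "elbow", "fjord", "gecko", "hazel", "inlet", "jade", "kiosk", "latch",
]

if __name__ == "__main__":
    print(words_needed(DICEWARE_LIST_SIZE, 96))             # 8 real Diceware words clear 96 bits
    print(round(passphrase_bits(8, DICEWARE_LIST_SIZE), 1))  # about 103.4 bits
    print(generate_passphrase(DEMO_WORDS))                  # 16 words from the tiny demo list
```

The entropy figure is only honest if every word is an independent uniform draw, which is exactly what a remembered phrase, a song lyric or a forum password repeated three times is not.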


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Moebius327 on May 29, 2015, 12:33:56 PM
I am sorry you lost so many bitcoins, but you should have immediately changed your brainwallet after the site went offline.

After all, cracking brain wallets is easy if you have the right "dictionary". Let's say the hacker managed to crack 50% of all easy-to-crack Bitcointalk passwords and put them in his "dictionary". Then he tried different possibilities for all the passwords:

cracked: password
try: passwordpassword, PASSWORDPASSWORD, passwordpasswordpassword, passwordpasswordpasswordpassword, password1password2password3, etc.


I am sure you are not the only one who lost some bitcoins this way.

Don't use the same password twice. Don't use similar passwords.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 12:38:46 PM
When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".

Your password had very low entropy - it was just a matter of time. Repeating words in patterns does NOTHING against an attack.

Password123 and the same repeated 10x is worthless.

I know that Password123 is literally worthless, but are you saying that a stronger password such as YankeeDoodle123 is useless too? Surely a password like YankeeDoodle123YankeeDoodle123YankeeDoodle123 would be very unlikely to be hacked?? And three times the password would mean at least 3x the difficulty to hack, no? If hackers need to combine every password in multiples of three they must be doing 3x the work (which is already a lot in the case of YankeeDoodle123!?)


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: CIYAM on May 29, 2015, 12:42:20 PM
When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".

I have a still-unhacked brainwallet that I created back in 2012 using "my own brain", so I think MUST in regards to DICEWARE or the like is overstating things a tad (recommended might be a more reasonable way to put it).

Your password had very low entropy - it was just a matter of time. Repeating words in patterns does NOTHING against an attack.

Password123 and the same repeated 10x is worthless.

That of course depends upon the method being used to brute-force your password, but very simple patterns such as repeating once or twice are not going to help much (as presumably was the case here).
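
The attack chain spartacusrex and Moebius327 sketch above, run end to end, and a concrete answer to chessnut's question about whether tripling the password triples the work, as an added example that is not code from the thread. It assumes the classic brainwallet construction (private key = SHA-256 of the passphrase) and an unsalted MD5 dump of the kind the quoted themerkle.com article uses as its illustration; the dump, the usernames and the wordlist are constructed for the demo. It stops at the compressed public key instead of the Base58 address because RIPEMD-160 is not available in every Python build; the attacker's comparison step is otherwise identical.

```python
import hashlib
import itertools

# secp256k1 domain parameters (the Bitcoin curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None  # p == -q
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    y = (lam * (p[0] - x) - p[1]) % P
    return (x, y)


def _point_mul(k, pt):
    """Double-and-add scalar multiplication (attacker-side code, so not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _point_add(acc, pt)
        pt = _point_add(pt, pt)
        k >>= 1
    return acc


def pubkey_hex(priv):
    """Compressed SEC1 public key (hex) for a private key in [1, N-1]."""
    if not 1 <= priv < N:
        raise ValueError("private key out of range")
    x, y = _point_mul(priv, G)
    return ("02" if y % 2 == 0 else "03") + format(x, "064x")


def brainwallet_pubkey(passphrase):
    """Classic brainwallet: private key = SHA-256(passphrase), then its public key."""
    priv = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    return pubkey_hex(priv)


def crack_md5_dump(dump, wordlist):
    """Steps 1-2: match an unsalted MD5 dump {user: hash} against a wordlist."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def candidates(password, max_repeat=4):
    """Step 3: mutations tried per cracked password. Repeating the password only
    multiplies this small fixed list; it does not enlarge the keyspace."""
    forms = {password, password.upper(), password.capitalize()}
    suffixes = ["", "1", "123", "!"]
    return {form * n + suffix
            for form, n, suffix in itertools.product(forms, range(1, max_repeat + 1), suffixes)}


def sweep(dump, wordlist, funded_pubkeys):
    """Full chain: {user: passphrase} for every brainwallet whose key matches a funded one."""
    hits = {}
    for user, pw in crack_md5_dump(dump, wordlist).items():
        for cand in candidates(pw):
            if brainwallet_pubkey(cand) in funded_pubkeys:
                hits[user] = cand
    return hits


# Constructed demo data (hypothetical users): a two-entry dump and a tiny wordlist.
DEMO_DUMP = {
    "userA": hashlib.md5(b"example123").hexdigest(),
    "userB": hashlib.md5(b"correcthorsebatterystaple").hexdigest(),
}
DEMO_WORDLIST = ["password", "letmein", "example123", "qwerty"]

if __name__ == "__main__":
    # Stand-in for "addresses with a balance": the key of one funded brainwallet.
    funded = {brainwallet_pubkey("example123example123example123")}
    print(sweep(DEMO_DUMP, DEMO_WORDLIST, funded))  # userA found; userB's password is not in the wordlist
    print(len(candidates("YankeeDoodle123")))         # 48 candidates, whatever the base password
```

The answer to "3x the work": the attacker does not try every password in multiples of three, he tries a fixed handful of mutations (repeat counts, case, suffixes) of each password he has already cracked, so a forum password repeated three times costs him one more entry in a list of a few dozen, not three times the keyspace. The cost that matters is cracking the base password, and an unsalted MD5 dump makes that cheap.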


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 12:43:47 PM
I am sorry you lost so many bitcoins, but you should have immediately changed your brainwallet after the site went offline.

After all, cracking brain wallets is easy if you have the right "dictionary". Let's say the hacker managed to crack 50% of all easy-to-crack Bitcointalk passwords and put them in his "dictionary". Then he tried different possibilities for all the passwords:

cracked: password
try: passwordpassword, PASSWORDPASSWORD, passwordpasswordpassword, passwordpasswordpasswordpassword, password1password2password3, etc.


I am sure you are not the only one who lost some bitcoins this way.

Don't use the same password twice. Don't use similar passwords.

Thanks.

I guess this must have been the case, although it still seems so unlikely to me that people would even try this while there are so many possible combinations of passwords.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: louise123 on May 29, 2015, 12:44:23 PM
Can I ask why you used bitaddress.org to create an address instead of creating one in Bitcoin Core?

Also, it doesn't seem like the usual brainwallet hack.
So it must be either that your PC is compromised, bitaddress is compromised, or the forum hacker(s).

I lean towards the first case scenario.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Havelivi on May 29, 2015, 12:45:24 PM
I am sorry you lost so many bitcoins, but you should have immediately changed your brainwallet after the site went offline.

After all, cracking brain wallets is easy if you have the right "dictionary". Let's say the hacker managed to crack 50% of all easy-to-crack Bitcointalk passwords and put them in his "dictionary". Then he tried different possibilities for all the passwords:

cracked: password
try: passwordpassword, PASSWORDPASSWORD, passwordpasswordpassword, passwordpasswordpasswordpassword, password1password2password3, etc.


I am sure you are not the only one who lost some bitcoins this way.

Don't use the same password twice. Don't use similar passwords.

I think that kind of password is not a good choice for online use when you have some coins in an address. I use 4 different kinds of passwords and make them into a combination like my favorite place, car, food and day, with a mix of 5 letters, for example: 1paris2honda3burger4weekend5 ... I think that kind of combination is more secure to use.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: louise123 on May 29, 2015, 12:49:38 PM
I am sorry you lost so many bitcoins, but you should have immediately changed your brainwallet after the site went offline.

After all, cracking brain wallets is easy if you have the right "dictionary". Let's say the hacker managed to crack 50% of all easy-to-crack Bitcointalk passwords and put them in his "dictionary". Then he tried different possibilities for all the passwords:

cracked: password
try: passwordpassword, PASSWORDPASSWORD, passwordpasswordpassword, passwordpasswordpasswordpassword, password1password2password3, etc.


I am sure you are not the only one who lost some bitcoins this way.

Don't use the same password twice. Don't use similar passwords.

I think that kind of password is not a good choice for online use when you have some coins in an address. I use 4 different kinds of passwords and make them into a combination like my favorite place, car, food and day, with a mix of 5 letters, for example: 1paris2honda3burger4weekend5 ... I think that kind of combination is more secure to use.

Adding special characters like ! # @ $ & etc. also makes a password stronger.
Also try and add them in the middle, e.g.: PaS#sW@o$r&d!

And of course the usual combo of upper/lower case and numbers.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 12:53:45 PM
Can I ask why you used bitaddress.org to create an address instead of creating one in Bitcoin Core?

Also, it doesn't seem like the usual brainwallet hack.
So it must be either that your PC is compromised, bitaddress is compromised, or the forum hacker(s).

I lean towards the first case scenario.

I didn't know that you can use Bitcoin Core to generate brain wallets. I'm interested in that.

I'm also worried that my computer is compromised, but I have made some bait wallets with some BTC in them in a similar fashion and so far nothing. I have another brain wallet generated on bitaddress.com from a few months back which is uncompromised too.



Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: bronan on May 29, 2015, 12:57:00 PM
Sorry for your loss.

It might be that the hackers have used the forum to get this kind of information.
But on the other hand, if it was not related to the forum hack, it could happen easily if you used the same password elsewhere.
What browser did you use, and does it have plugins installed or toolbars?
If so, are you sure they cannot be used as keyloggers?
In any case the BTC is gone forever, and there is nothing anyone can do about it.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: louise123 on May 29, 2015, 01:04:12 PM
Can I ask why you used bitaddress.org to create an address instead of creating one in Bitcoin Core?

Also, it doesn't seem like the usual brainwallet hack.
So it must be either that your PC is compromised, bitaddress is compromised, or the forum hacker(s).

I lean towards the first case scenario.

I didn't know that you can use Bitcoin Core to generate brain wallets. I'm interested in that.

I'm also worried that my computer is compromised, but I have made some bait wallets with some BTC in them in a similar fashion and so far nothing. I have another brain wallet generated on bitaddress.com from a few months back which is uncompromised too.



No, AFAIK Bitcoin Core can generate a new standard address (for the moment), not a brainwallet address.
If you want a brainwallet address then I would suggest you actually download the GitHub files and create addresses from an offline computer that is never to access the internet.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 01:06:28 PM
Sorry for your loss.

It might be that the hackers have used the forum to get this kind of information.
But on the other hand, if it was not related to the forum hack, it could happen easily if you used the same password elsewhere.
What browser did you use, and does it have plugins installed or toolbars?
If so, are you sure they cannot be used as keyloggers?
In any case the BTC is gone forever, and there is nothing anyone can do about it.

Thx mate,

I have used the password elsewhere, but I think it was secure up until the hack.

I'm using Mozilla Firefox. Never had troubles with it before. On Firefox I'm using FVD Speed Dial. Java and Adobe are installed on my computer for things like MultiBit and YouTube etc.... I'm not computer savvy, so no, I'm not sure nothing can be used as a keylogger, but I have developed trust in Linux systems. Is that wrong?


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: louise123 on May 29, 2015, 01:06:50 PM
I am sorry you lost so many bitcoins, but you should have immediately changed your brainwallet after the site went offline.

After all, cracking brain wallets is easy if you have the right "dictionary". Let's say the hacker managed to crack 50% of all easy-to-crack Bitcointalk passwords and put them in his "dictionary". Then he tried different possibilities for all the passwords:

cracked: password
try: passwordpassword, PASSWORDPASSWORD, passwordpasswordpassword, passwordpasswordpasswordpassword, password1password2password3, etc.


I am sure you are not the only one who lost some bitcoins this way.

Don't use the same password twice. Don't use similar passwords.

I think that kind of password is not a good choice for online use when you have some coins in an address. I use 4 different kinds of passwords and make them into a combination like my favorite place, car, food and day, with a mix of 5 letters, for example: 1paris2honda3burger4weekend5 ... I think that kind of combination is more secure to use.



Adding special characters like ! # @ $ & etc. also makes a password stronger.
Also try and add them in the middle, e.g.: PaS#sW@o$r&d!

And of course the usual combo of upper/lower case and numbers.

True, using special characters makes it several orders of magnitude harder to crack; the problem is, you need at least 12 different words for a decent amount of protection. There are high chances that you eventually forget 1 word. Brainwallets are tempting, but I'm still scared to forget the seed password, and typing it defeats the purpose of a brain wallet.

I know what you mean.
Personally I just use Bitcoin Core.
I have a cold wallet which I can send funds to and a wallet I use for everything else (small amounts).


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: louise123 on May 29, 2015, 01:09:33 PM
Sorry for your loss.

It might be that the hackers have used the forum to get this kind of information.
But on the other hand, if it was not related to the forum hack, it could happen easily if you used the same password elsewhere.
What browser did you use, and does it have plugins installed or toolbars?
If so, are you sure they cannot be used as keyloggers?
In any case the BTC is gone forever, and there is nothing anyone can do about it.

Thx mate,

I have used the password elsewhere, but I think it was secure up until the hack.

I'm using Mozilla Firefox. Never had troubles with it before. On Firefox I'm using FVD Speed Dial. Java and Adobe are installed on my computer for things like MultiBit and YouTube etc.... I'm not computer savvy, so no, I'm not sure nothing can be used as a keylogger, but I have developed trust in Linux systems. Is that wrong?

It's not about Linux.
It could be a malicious website you have visited running a malicious script.
That script could do many things, one of them is to install a backdoor to your system.

You should always scan links you are uncertain of with virustotal.com (http://virustotal.com)
And even then, you are still not 100% safe.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 01:12:38 PM
Sorry for your loss.

It might be that the hackers have used the forum to get this kind of information.
But on the other hand, if it was not related to the forum hack, it could happen easily if you used the same password elsewhere.
What browser did you use, and does it have plugins installed or toolbars?
If so, are you sure they cannot be used as keyloggers?
In any case the BTC is gone forever, and there is nothing anyone can do about it.

Thx mate,

I have used the password elsewhere, but I think it was secure up until the hack.

I'm using Mozilla Firefox. Never had troubles with it before. On Firefox I'm using FVD Speed Dial. Java and Adobe are installed on my computer for things like MultiBit and YouTube etc.... I'm not computer savvy, so no, I'm not sure nothing can be used as a keylogger, but I have developed trust in Linux systems. Is that wrong?

It's not about Linux.
It could be a malicious website you have visited running a malicious script.
That script could do many things, one of them is to install a backdoor to your system.

You should always scan links you are uncertain of with virustotal.com (http://virustotal.com)
And even then, you are still not 100% safe.

That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Amph on May 29, 2015, 01:18:58 PM
Sorry for your loss.

It might be that the hackers have used the forum to get this kinda information.
But on the other hand if it was not related to the forum hack, it could happen easily if you used the same password elsewhere.
What browser did you use and does it have plugins installed or toolbars ?
If so are you sure they can not be used as keyloggers ?
In any case the btc is gone forever, and there is nothing anyone can do about it.
 

Thx mate,

I have used the password elsewhere, but I think it was secure up until the hack.

I'm using Mozilla Firefox. Never had troubles with it before. On Firefox I'm using FVD Speed Dial. Java and Adobe are installed on my computer for things like MultiBit and YouTube etc.... I'm not computer savvy, so no, I'm not sure nothing can be used as a keylogger, but I have developed trust in Linux systems. Is that wrong?

It's not about Linux.
It could be a malicious website you have visited running a malicious script.
That script could do many things, one of them is to install a backdoor to your system.

You should always scan links you are uncertain of with virustotal.com (http://virustotal.com)
And even then, you are still not 100% safe.

That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??

Having Java installed will surely help the hacker when you click on some random ad that hides a malicious script.

Also, I think you should use Chrome, it is far more secure.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: louise123 on May 29, 2015, 01:31:11 PM
Sorry for your loss.

It might be that the hackers have used the forum to get this kinda information.
But on the other hand if it was not related to the forum hack, it could happen easily if you used the same password elsewhere.
What browser did you use and does it have plugins installed or toolbars ?
If so are you sure they can not be used as keyloggers ?
In any case the btc is gone forever, and there is nothing anyone can do about it.
 

Thx mate,

I have used the password elsewhere, but I think it was secure up until the hack.

I'm using Mozilla Firefox. Never had troubles with it before. On Firefox I'm using FVD Speed Dial. Java and Adobe are installed on my computer for things like MultiBit and YouTube etc.... I'm not computer savvy, so no, I'm not sure nothing can be used as a keylogger, but I have developed trust in Linux systems. Is that wrong?

It's not about Linux.
It could be a malicious website you have visited running a malicious script.
That script could do many things, one of them is to install a backdoor to your system.

You should always scan links you are uncertain of with virustotal.com (http://virustotal.com)
And even then, you are still not 100% safe.

That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??

Not simple, but doable.
Haven't you ever wondered why so many newbie accounts in the forums posting suspicious links?
Because it is exactly that, suspicious links.

And now that I mention it, did you click on any links in the forum lately from newbies?

EDIT: That does not mean that Sr. or Hero members are credible.
If you head over to the digital goods section you will see quite a few of them for sale.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: jonald_fyookball on May 29, 2015, 01:50:26 PM
After this experience you should go to the highest level of security,
which is true cold storage.  You generate your keys on a machine
that has never been online and never will be, and use physical
coins/dice to generate entropy. 


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: BillyBobZorton on May 29, 2015, 02:12:13 PM
After this experience you should go to the highest level of security,
which is true cold storage.  You generate your keys on a machine
that has never been online and never will be, and use physical
coins/dice to generate entropy. 

Well, the Winklevoss brothers use a brain wallet, or at least that's what I've seen in the latest interview. I would never store all of my wallets in a brain wallet though, just "spending money" like you do with Mycelium etc (I'm hoping no one stores their main stack in Mycelium..)


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: LiteCoinGuy on May 29, 2015, 02:20:32 PM
Hi everyone,

This serves as another lesson to make your brain wallets silly hard to hack.

My Brain wallet, in the form of example123example123example123 (example123 was my bitcoin talk password,) was hacked resulting in the loss of 12btc I had freshly put in there. Before I noticed it was hacked I sent another 7btc there and luckily got it out before the hacker did.

This was my brain wallet 17z2uppQS9fyag5KtbQ6KNiCBrNSL1z64r

This is the Hackers wallet, with the funds in it at the time of writing 153h8BH61rQgfyujZjJqjQNSsRK2Hsaf3A


The community might take interest in this address as the hackers of bitcoin talk are prime suspects.

Its crazy, is this guy lucky or is it really that easy to hack brain wallets??

Take care!

you could buy a hardware wallet, that is safer than your password:

https://bitcointalk.org/index.php?topic=899253.0


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Light on May 29, 2015, 02:41:33 PM
That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??

I'm not an expert on Linux security - but IIRC linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be ok. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password then bruteforcing brain wallets.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: thejaytiesto on May 29, 2015, 02:49:29 PM
That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??

I'm not an expert on Linux security - but IIRC linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be ok. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password then bruteforcing brain wallets.

There's no way someone randomly typed out the password. You either find out or bruteforce it. Now, he said he was using the same password that he uses here, but x3 for his brainwallet... that's pretty much it IMO. You should never use the same password twice, especially passwords you use in public forums.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: LFC_Bitcoin on May 29, 2015, 02:59:08 PM
I'm sorry to hear that chessnut, it sucks tbh.
It makes me a bit angry & a little deflated to hear stuff like this.
No matter what we do & how well secure we've made our coins people always seem to find a way to steal some.
You've been really unlucky, it could have been any of us.
I don't know what to say apart from I'm sorry for your monetary loss mate, people you can never be 100% secure but please do everything you can to look after your coins, you can't leave any stone unturned.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: NorrisK on May 29, 2015, 03:04:55 PM
Maybe the entropy was just too low?

If say your password was 8 random characters and you repeat this 3 times, a hacker could just do all random possibilities containing up to 8 characters (still quite a bit) and paste it 2 more times behind it.



Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: jonald_fyookball on May 29, 2015, 03:41:44 PM
After this experience you should go to the highest level of security,
which is true cold storage.  You generate your keys on a machine
that has never been online and never will be, and use physical
coins/dice to generate entropy. 

Well, the Winklevoss brothers use a brain wallet, or at least that's what I've seen in the latest interview. I would never store all of my wallets in a brain wallet though, just "spending money" like you do with Mycelium etc (I'm hoping no one stores their main stack in Mycelium..)

You can still use a brain wallet with cold storage.

The point is, you 1) generate and store your keys in an unhackable way and 2) make sure they have enough entropy.
OP failed to do at least one of those two things.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: snarlpill on May 29, 2015, 03:44:48 PM
I am very sorry to hear this happened to you, it is an unusually shitty circumstance.

I haven't read the whole thread, so this may have been mentioned, but I saw you said you weren't very computer savvy: You don't have to mess with Github at all, but if you want to use bitaddress.org, go to the options on say Chrome browser and click "Download Webpage". Download it as a complete webpage, then disconnect your computer from the Internet, open the file in your web browser, and then generate your desired amount of addresses while disconnected from the Internet. It is the best way I can recommend to anybody who is not really computer savvy; it is pretty simple for I think anyone to do.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: LiteCoinGuy on May 29, 2015, 03:57:40 PM
Maybe you should ask your brother where your BTC are, or your friend? I guess you shared the password with them. Or you downloaded some shady stuff...


but Linux and bruteforce seems to be pretty unlikely  ::)


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: spazzdla on May 29, 2015, 04:00:14 PM
If your passphrase has EVER.. EVEN ONCE been typed into the web.

YOU SHOULD CONSIDER YOUR BITCOINS OUT OF YOUR CONTROL...

The same password as your bitcoin talk... you knew it got hacked and didn't act..?!?!?!?!?


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: S4VV4S on May 29, 2015, 04:26:54 PM
I am very sorry to hear this happened to you, it is an unusually shitty circumstance.

I haven't read the whole thread, so this may have been mentioned, but I saw you said you weren't very computer savvy: You don't have to mess with Github at all, but if you want to use bitaddress.org, go to the options on say Chrome browser and click "Download Webpage". Download it as a complete webpage, then disconnect your computer from the Internet, open the file in your web browser, and then generate your desired amount of addresses while disconnected from the Internet. It is the best way I can recommend to anybody who is not really computer savvy; it is pretty simple for I think anyone to do.

I wouldn't do that on a computer that has/had internet access - at any time.
Temporarily disconnecting from the internet will not work.

The address generation should be done on a PC that has never and will never connect to the internet.
In fact, once you have created your address, format and re-format a couple of more times.
(and even then, data can still be recovered)


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Beliathon on May 29, 2015, 05:37:37 PM
to use or not to use brain wallet I think is a careful choice you need brainpower to make.
A safe rule: If you're unsure whether or not you're savvy enough to use it correctly, you're not savvy enough to use it correctly. You should have absolutely no doubt in your mind when you commit wealth to your chosen form of cold storage.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: virtualx on May 29, 2015, 05:48:50 PM
If your passphrase has EVER.. EVEN ONCE been typed into the web.

YOU SHOULD CONSIDER YOUR BITCOINS OUT OF YOUR CONTROL...

The same password as your bitcoin talk... you knew it got hacked and didn't act..?!?!?!?!?

This is a good practice. One should not share a password all across the web or use brainwallet passwords as forum/email passwords.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Klestin on May 29, 2015, 05:49:34 PM
to use or not to use brain wallet I think is a careful choice you need brainpower to make.
A safe rule: If you're unsure whether or not you're savvy enough to use it correctly, you're not savvy enough to use it correctly. You should have absolutely no doubt in your mind when you commit wealth to your chosen form of cold storage.

This.

If you "picked" the brain wallet passphrase, it is not good enough and will be cracked.  Use (at a bare minimum) 12 random words.  15 would be better.

Not "words I picked at random", but really (truly) randomly selected.  Words selected with dice from an appropriate list will work fine.

Be aware that the computer you use to generate the wallet must be secure, and the page you use must be offline.

If you're not sure of any of these factors, your funds are as good as gone.  Use a Trezor.



Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: odolvlobo on May 29, 2015, 06:26:07 PM
Your bitcointalk password is very weak, so it could have been cracked in a short amount of time, but I don't see how anyone could have known that your bitcointalk password was the basis for a brainwallet passphrase. That seems extremely unlikely.

It is much more likely that the hash of "example123", plus variations (such as "example123example123example123"), have been precomputed by the hacker. You can probably store hashes of the 1 million most common passwords with 1000 variations each in less than 100 GB, and looking up a hash might only take a few seconds.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Cruxer on May 29, 2015, 06:45:52 PM
This same password in the form of 'passwordpasswordpassword' was my brain wallet. It's a pretty random password, I don't believe it was brute force hacked. I'm really baffled, I think it must have been the bitcoin talk hacker targeting me. There is also a chance it was bitaddress.org that was compromised but I've never had that trouble before.

I can't think of a reason a hacker would crack your password and then try to use it as a brain wallet while copying it two times (passpasspass).
How would one get the idea that someone could use a password as a brainwallet? ;o


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Klestin on May 29, 2015, 06:48:13 PM
It is much more likely that the hash of "example123", plus variations (such as "example123example123example123"), have been precomputed by the hacker. You can probably store hashes of the 1 million most common passwords with 1000 variations each in less than 100 GB, and looking up a hash might only take a few seconds.

That's the way rainbow tables work to crack a password table.  However, with hashing hardware running as fast as it does currently, it's far faster to compute the hashes as they go, rather than look up in a table.  They can try billions of hashes per second.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: moriartybitcoin on May 29, 2015, 06:48:48 PM
Brain wallets are not secure unless you can remember a 128-bit password.. Even then, I wouldn't trust them.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Klestin on May 29, 2015, 06:49:31 PM
I can't think of a reason a hacker would crack your password and then try to use it as a brain wallet while copying it two times (passpasspass).
How would one get the idea that someone could use a password as a brainwallet? ;o

They don't have to.  Since they can try billions of hashes per second, per machine, they have the luxury to try just about anything.  If you don't have 100+ bits of entropy in your pass phrase, you are hosed.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 11:27:28 PM
Thanks for all the helpful comments guys,

What I find quite ironic though is that I've left a paper wallet in plain view as my Facebook profile picture. It has 0.1btc in it and it's been there for months with no trouble! I guess that sort of thing might give one the wrong impression about wallet security.

Now the race is on to find my facebook profile  ;D


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 29, 2015, 11:59:26 PM
you could buy a hardware wallet, that is safer than your password:
https://bitcointalk.org/index.php?topic=899253.0

This is interesting, some nice looking units there. I would like one that I could store a brain wallet on (a proper one!). I have a phobia that my house will burn down (for example) and I will lose all my paper wallets and computer memory with my passwords to my backups etc... I think that is the beauty of a brain wallet, even if you lose everything you still have a chance to get your btc back, and if you make it special to you, maybe your family could still get the bitcoin if you die.

That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??

I'm not an expert on Linux security - but IIRC linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be ok. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password then bruteforcing brain wallets.


I have since generated a stronger brain wallet on my computer and baited it with some btc..... no trouble at all. I've been using Linux for about 8 years now, my dad got me into it, and we haven't had a single problem with viruses or any kind of compromise as far as I know. I really don't think my computer is compromised.

I'm sorry to hear that chessnut, it sucks tbh.
It makes me a bit angry & a little deflated to hear stuff like this.
No matter what we do & how well secure we've made our coins people always seem to find a way to steal some.
You've been really unlucky, it could have been any of us.
I don't know what to say apart from I'm sorry for your monetary loss mate, people you can never be 100% secure but please do everything you can to look after your coins, you can't leave any stone unturned.

Yeah, learning the kind of power these guys have to crack passwords is nerve-wracking. I would have thought that it wouldn't be economical to even try when you get to password sizes like the one I was using, even when it is repeated. I don't understand the work it must take to go through billions of combinations, hash them all into private keys, and then rake all those billions of wallets all day long.

I wonder if bitcoin mining technology is making this possible where it wasn't before?

Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: repentance on May 30, 2015, 12:27:59 AM
This same password in the form of 'passwordpasswordpassword' was my brain wallet.

Why on earth would you do that?


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 30, 2015, 02:08:55 AM
This same password in the form of 'passwordpasswordpassword' was my brain wallet.

Why on earth would you do that?

Clearly because it's easy for me to remember, and I was under the impression that the btc talk hacker would have difficulty cracking my password hash and that three combinations of a fairly difficult password was enough on top of that.

Full Disclosure: I'm not proud of what I did!


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Light on May 30, 2015, 03:09:52 AM
Clearly because it's easy for me to remember, and I was under the impression that the btc talk hacker would have difficulty cracking my password hash and that three combinations of a fairly difficult password was enough on top of that.

Full Disclosure: I'm not proud of what I did!

IIRC, theymos stated because of the way the data was salted it would slow down any decryption giving you more time to change your passwords before they were fully compromised - but yeah, it wasn't going to guarantee your security. That being said, repeating your password over and over is something people would look for when bruteforcing.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: achow101 on May 30, 2015, 03:43:25 AM

Yeah, learning the kind of power these guys have to crack passwords is nerve-wracking. I would have thought that it wouldn't be economical to even try when you get to password sizes like the one I was using, even when it is repeated. I don't understand the work it must take to go through billions of combinations, hash them all into private keys, and then rake all those billions of wallets all day long.

It takes less time than you would think. The hackers just write a script or program that randomly generates passwords and then generates the keys and sweeps the funds. They run it and the program does all the work while they go and do other stuff.

Quote

I wonder if bitcoin mining technology is making this possible where it wasn't before?

It does not. Mining technology is designed to do one thing and one thing only: compute sha-256d hashes. They are not capable of doing anything else which means they cannot be used for password cracking unless the sha-256d hash were used.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: repentance on May 30, 2015, 04:02:02 AM


Clearly because it's easy for me to remember, and I was under the impression that the btc talk hacker would have difficulty cracking my password hash and that three combinations of a fairly difficult password was enough on top of that.

Full Disclosure: I'm not proud of what I did!

Even if you think your password is difficult, it's still a really bad idea to reuse it.  The forum hacker is almost irrelevant because your password wasn't difficult AND you used the same one for something relatively unimportant (a forum account) and something important (your brain wallet).  It's not a human being who's trying to guess your password when your account is hacked, it's a machine which can make millions of attempts per second.

Convenient passwords are best left for trivial stuff.  If something's important enough that losing it would be disruptive to your life, then protect it properly.  Now go through all of your passwords for everything and think of the worst case scenario for one of them being obtained by someone else.  Ideally, someone getting hold of one of your passwords should lead them to a dead end, not give them the keys to the city.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: fbueller on May 30, 2015, 04:10:37 AM
I have found sending to asdfasdfasdfasdf gets coins stolen too. I suspect, like correct horse battery staple, people are clearing out the address automatically.

Example123 would likely already be in a password dump from somewhere.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: maheshmahi on May 30, 2015, 04:13:23 AM
Brain wallets are not that easy to hack.
You should have changed your password.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: repentance on May 30, 2015, 04:44:07 AM
Brain wallets are not that easy to hack.

Quote
Practically everyone who knows about or cares about the BIP process loudly yells at people DO NOT USE BRAINWALLETS. We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!), the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords".

Brainwallets.

FOR GOD'S SAKE. DON'T DO IT. YOU MAY THINK YOU ARE SMART ENOUGH. SO DID EVERYONE ELSE WHO GOT ROBBED. HUMANS ARE NOT A GOOD SOURCE OF ENTROPY.

YOU HAVE A SCHEME? Pfft. THE SPACE OF ALL SCHEMES YOU'RE LIKELY TO HAVE PROBABLY ONLY HAS A FEW BITS OF ENTROPY. RANDOM PHRASE IN A BOOK? THERE ARE ONLY ABOUT 30 BITS OF SENTENCE SELECTION IN A LIBRARY.

OH NO. YOU ARE NOT LISTENING TO ME, ARE YOU?

OH CRAP. YOU THINK THAT "EIGHT CHARACTERS AND ONE FROM EACH CHARACTER CLASS" APPLIES HERE?? WEBSITE SECURITY MIGHT HAVE TO DEAL WITH 1000 ATTEMPTS PER SECOND, BUT SOME DUDE WITH A FPGA FARM IS PROBABLY PRECOMPUTING A BILLION BRAINWALLETS PER SECOND. JUST STOP.

NOOOOOOOOOOOO.

Well, now that you have no more Bitcoin I guess we don't have to worry about you using a brainwallet.

https://en.bitcoin.it/wiki/Brainwallet#Low_Entropy


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: RoxxR on May 30, 2015, 09:19:36 AM
@chessnut


So what was the password?  Since it is compromised now, please tell us, so other people can learn from this mistake as well.

Sorry for your loss.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: oda.krell on May 30, 2015, 09:53:02 AM
When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".

Your password had very low entropy - it was just a matter of time. Repeating words in patterns does NOTHING against an attack.

Password123 and the same repeated 10x is worthless.

I know that Password123 is literally worthless, but are you saying that a stronger password such as YankeeDoodle123 is useless too? Surely a password like YankeeDoodle123YankeeDoodle123YankeeDoodle123 would be very unlikely to be hacked?? And three times the password would mean at least 3x the difficulty to hack, no? If hackers need to combine every password in multiples of three they must be doing 3x the work (which is already a lot in the case of YankeeDoodle123!?)

Hey. Sorry for the loss. Also, no moral lectures from me. But I'd like to chime in, if you allow, because the line above is quite a bit of a misconception.

Basically, "3 times the effort" is nothing in computing. You are aiming for exponential increase in difficulty when setting good passwords. Here are a few more details...

Think of it as follows: imagine the attacker has a dictionary of common words, and a method to combine words from that dictionary in a reasonable* way. Now, "Yankee" is one word. "Doodle" is another word. Even "123" could be considered a word, since it's such a common string of numbers, together with "111", "789", and a few others.

Say that dictionary of words (and sort-of-words, like "123") has 10k entries in total. Probably not the exact right number, but let's assume it for a moment. Leaving capitalization of words aside (which we can in your example, because you just capitalized the first letters of a word, which only effectively doubles the size of our hypothetical dictionary), a single 3 word combination out of that 10k word dictionary represents one out of 10k^3 possible combinations.

I didn't look up the latest developments in the last 2 or 3 years, but a 2012 result I found reports an offline brute force attack (using rainbow tables) running at a speed of 350 billion passwords per second. Therefore:

A 3 word combo out of a 10k dictionary would take about 3 seconds to find.

Let that sink in for a moment.

Now here's how to solve the problem, and still use, in principle, a similar method to yours, one that is easier for humans to remember than random ASCII characters:

Don't repeat the same combo. Doing so is useless, and doesn't add any substantial security.

In your example, "YankeeDoodle123" can be seen as one phrase (that the attack described above could find in 3 seconds). To get from "YankeeDoodle123" to "YankeeDoodle123YankeeDoodle123YankeeDoodle123", i.e. the 3 times repetition will take only minimal additional time (constant, or almost constant), assuming the attacker knows a) he just needs to, verbatim, repeat the phrase, and b) he can stop the repetitions after testing about 5 or so repetitions per phrase, since most humans don't enter passwords of 100 or more characters.

Here's a much safer example password, still using a dictionary based method:

yankee colour doodle resulting table parsley under chair (without the spaces)

Only slightly harder to remember in my view, but a lot better. Even assuming you took the words from a smaller dictionary of only 5k words, using 8 different entries from that dictionary means the attack mentioned above would take 10^12 years to brute force it. In other words, impossible. **

Take home message: For reasonably safe passwords, use the xkcd method (https://xkcd.com/936/) ***

(but don't even think of using the same words used in the comic)

* "reasonable" here means: by an algorithm that is trying to capture how we, human users, set non-random passwords.

** no guarantees on that. it assumes you picked the 8 words randomly from the dictionary, which humans are notoriously bad at. But in any case, much better than repeating a phrase inside a password.

*** I know, xkcd didn't invent it, just described it nicely imo.
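As an added worked example (not code from the thread or from any poster), the arithmetic in the post above, together with the "dice from an appropriate list" selection Klestin recommends earlier in the thread, in Python: it recomputes entropy and exhaustive-search time under the post's own assumptions (350 billion guesses per second, a 10k-word attacker dictionary, a 5k-word list for the 8-word passphrase), and shows why repeating a phrase adds only a couple of bits. The eight-entry DEMO_WORDS list is constructed for illustration and far too small for real use.

```python
"""Passphrase entropy and exhaustive-search time, as plain arithmetic.

Added example, not from the thread. Assumptions are those stated in the
post above: 350e9 guesses/second offline, a 10k-word attacker dictionary,
and a 5k-word list for the recommended 8-word passphrase.
"""
import math
import secrets

GUESSES_PER_SECOND = 350e9            # 2012 offline-attack rate quoted in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly (with replacement) from a
    dictionary of dictionary_size entries: log2(size ** count)."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(dictionary_size: int, word_count: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: the attacker tries every combination at `rate` per second."""
    return dictionary_size ** word_count / rate


def years_to_exhaust(dictionary_size: int, word_count: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(dictionary_size, word_count, rate) / SECONDS_PER_YEAR


def repetition_bits(max_repetitions_tried: int) -> float:
    """Extra entropy from repeating a phrase verbatim 1..n times when the
    attacker simply tries each repetition count in turn: log2(n), i.e. a
    couple of bits, not n times the phrase's entropy."""
    return math.log2(max_repetitions_tried)


def diceware_passphrase(word_list, word_count: int) -> list:
    """Pick word_count words with the OS CSPRNG: the software analogue of
    rolling dice against a word list. Returns the words so the caller can
    join them with or without spaces."""
    return [secrets.choice(word_list) for _ in range(word_count)]


def scenario_table() -> dict:
    """The three cases discussed in the thread, under the post's assumptions."""
    return {
        # "YankeeDoodle123": three tokens from a 10k-entry dictionary
        "3 words / 10k dict": {
            "bits": entropy_bits(10_000, 3),
            "seconds": seconds_to_exhaust(10_000, 3),
        },
        # the same phrase repeated; attacker tries 1..5 repetitions
        "3 words x3 repeats": {
            "bits": entropy_bits(10_000, 3) + repetition_bits(5),
            "seconds": seconds_to_exhaust(10_000, 3) * 5,
        },
        # eight independent random words from a 5k-entry list
        "8 words / 5k dict": {
            "bits": entropy_bits(5_000, 8),
            "years": years_to_exhaust(5_000, 8),
        },
    }


# Constructed, deliberately tiny word list for the demo only. A real
# Diceware list has 7776 entries (6**5), about 12.9 bits per word.
DEMO_WORDS = ["yankee", "colour", "doodle", "resulting",
              "table", "parsley", "under", "chair"]

if __name__ == "__main__":
    for name, row in scenario_table().items():
        print(f"{name:22s}", "  ".join(f"{k}={v:.3g}" for k, v in row.items()))
    print("demo passphrase:", " ".join(diceware_passphrase(DEMO_WORDS, 8)))
    print(f"(only {entropy_bits(len(DEMO_WORDS), 8):.1f} bits with an 8-entry list)")
```

Under these assumptions the 3-word case finishes in under 3 seconds and the repeated version in about 14, while the 8-word, 5k-list case comes out near 98 bits and some 3.5e10 years; the exact year count matters far less than the exponential gap between roughly 40 bits and roughly 98.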


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: syuhide on May 30, 2015, 10:39:47 AM
Hi everyone,

This serves as another lesson to make your brain wallets silly hard to hack.

My Brain wallet, in the form of example123example123example123 (example123 was my bitcoin talk password,) was hacked resulting in the loss of 12btc I had freshly put in there. Before I noticed it was hacked I sent another 7btc there and luckily got it out before the hacker did.

This was my brain wallet 17z2uppQS9fyag5KtbQ6KNiCBrNSL1z64r

This is the Hackers wallet, with the funds in it at the time of writing 153h8BH61rQgfyujZjJqjQNSsRK2Hsaf3A


The community might take interest in this address as the hackers of bitcoin talk are prime suspects.

Its crazy, is this guy lucky or is it really that easy to hack brain wallets??

Take care!

feeling sad for your losses..
That's why I changed my password and everything as soon as possible..


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: RoxxR on May 30, 2015, 10:50:42 AM
When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".
Where are you pulling that number from? Source would be nice.
BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Soros Shorts on May 30, 2015, 11:18:36 AM
BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?

That would be a moving target and it would depend a lot on how your brute-force program searches the space (since no brute-force tool is really 100% brute-stupid and would start attacking commonly used characters first). 15 years ago using a regular PC I was using L0phtCrack to scan our network for weak passwords and found many with 40+ bits of entropy.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: chessnut on May 30, 2015, 11:42:02 AM
Brain wallets are not so easy to hack.

Quote
Practically everyone who knows about or cares about the BIP process loudly yells at people DO NOT USE BRAINWALLETS. We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!), the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords".

Brainwallets.

FOR GODS SAKE. DON'T DO IT. YOU MAY THINK YOU ARE SMART ENOUGH. SO DID EVERYONE ELSE WHO GOT ROBBED. HUMANS ARE NOT A GOOD SOURCE OF ENTROPY.

YOU HAVE A SCHEME? Pfft. THE SPACE OF ALL SCHEMES YOU'RE LIKELY TO HAVE PROBABLY ONLY HAS A FEW BITS OF ENTROPY. RANDOM PHRASE IN A BOOK? THERE ARE ONLY ABOUT 30 BITS OF SENTENCE SELECTION IN A LIBRARY.

OH NO. YOU ARE NOT LISTENING TO ME, ARE YOU?

OH CRAP. YOU THINK THAT "EIGHT CHARACTERS AND ONE FROM EACH CHARACTER CLASS" APPLIES HERE?? WEBSITE SECURITY MIGHT HAVE TO DEAL WITH 1000 ATTEMPTS PER SECOND, BUT SOME DUDE WITH A FPGA FARM IS PROBABLY PRECOMPUTING A BILLION BRAINWALLETS PER SECOND. JUST STOP.

NOOOOOOOOOOOO.

Well, now that you have no more Bitcoin I guess we don't have to worry about you using a brainwallet.

https://en.bitcoin.it/wiki/Brainwallet#Low_Entropy

Hehe fun to read, I might have thought twice reading this beforehand. Thankfully I still have most of my bitcoin to worry about.

Thanks for your input Oda.krell

The more I think about it the more I realise how ridiculously insecure it was, but surely the decision to combine passwords in sets of three goes hand in hand with many different ways of combining passwords, and on top of that, doesn't hashing and sweeping a brain wallet take some computation? Wouldn't that be an ongoing recomputation every day to sweep wallets? Is that billion hashes per second inclusive of that work?

@chessnut


So what was the password?  Since it is compromised now, please tell us, so other people can learn from this mistake as well.

Sorry for your loss.

I would rather not tell, for all I know I might still be using it at some old account I have forgotten about, besides being the key to my hacked brain wallet.

Let's say it was about as strong as Clock123Clock123Clock123.....





Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Soros Shorts on May 30, 2015, 11:58:41 AM
Doesn't hashing and sweeping a brain wallet take some computation? Wouldn't that be an ongoing recomputation every day to sweep wallets? Is that billion hashes per second inclusive of that work?


The computation for the rainbow table entry for your address could have been done months or even years ago. The attacker could just have been comparing live transactions to see if he had already computed your private key in his rainbow table, and then used that to do the sweep.



Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: oda.krell on May 30, 2015, 01:48:55 PM
... doesn't hashing and sweeping a brain wallet take some computation? Wouldn't that be an ongoing recomputation every day to sweep wallets? Is that billion hashes per second inclusive of that work? ...

Yes, I did my back-of-the-napkin calculations based on the speed of an approach using rainbow tables, without knowing whether that attack would work on what they actually got from the btctalk hack.

That said, the point I wanted to make remains the same: passwords consisting of (systematically) repeating substrings have lower entropy than equal-length passwords with no such (systematic) repetition.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: AtheistAKASaneBrain on May 30, 2015, 01:53:26 PM
Brainwallet is just so convenient: say goodbye to constant backups and having to carry a trezor/usb/whatever, say hi to HD wallets and privacy and accessible wallet everywhere.

Of course, security is an issue, Andreas has addressed this before. So I would use brainwallet only for small amounts of BTC that you want to have accessible everywhere, never for your main amount.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Lorenzo on June 02, 2015, 09:12:16 AM
When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".
Where are you pulling that number from? Source would be nice.
BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?

An 8 word Diceware password contains 96 bits of entropy. This should be enough to thwart brute forcing attempts for several more decades but personally, I'd go for something a bit higher just to be on the safe side. It wasn't too long ago that 5 word passwords were supposed to be "good enough" but advancements in processing power now mean that this is no longer true:

Quote from: Ars Technica
Five Diceware words has long been thought to provide enough security for the average user...

...But five words is no longer enough, Diceware creator Arnold Reinhold wrote earlier this month. Since creating Diceware in 1995 Reinhold had recommended at least six random words for people "with more stringent requirements and where the passphrase was being used directly to form a cryptographic key," but for average users he had said that five would do...

...Further, he noted that "Criminal gangs have built botnets from thousands of computers infected with their malware. Marshaling large numbers of these computers they control might allow them to crack a five word passphrase in a reasonable amount of time."...

...In Reinhold's Diceware FAQ, he writes that "Six words may be breakable by an organization with a very large budget, such as a large country's security agency. Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030. Eight words should be completely secure through 2050."

Link: http://arstechnica.com/information-technology/2014/03/diceware-passwords-now-need-six-random-words-to-thwart-hackers/

Both Electrum seeds and Casascius coin addresses have 128 bits of entropy (equivalent to a 10 word Diceware password) and they've been holding out pretty well so far. A fresh address generated by Bitcoin Core contains 160 bits of entropy (about 4 billion times stronger than 128 bits). To get the same level of security for a brainwallet, you will need a 13 word Diceware password.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: oda.krell on June 02, 2015, 11:46:58 AM
When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".
Where are you pulling that number from? Source would be nice.
BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?

An 8 word Diceware password contains 96 bits of entropy. This should be enough to thwart brute forcing attempts for several more decades but personally, I'd go for something a bit higher just to be on the safe side.

[...]

If you're reasonably fluent in more than one language (i.e. can remember words in it), you can push that up a bit, e.g. ~116 bit for 8 words instead of ~103 with one language list alone. Language selection needs to be randomized as well though.
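The entropy figures in Lorenzo's and oda.krell's posts above, and oda.krell's earlier point about repeated substrings, can be reproduced with a few lines of arithmetic. This is an added example, not code from anyone in the thread; it assumes the standard 7776-entry Diceware list, treats each language list as an independent equal-sized list chosen at random per word, and uses the "billion guesses per second" rate quoted earlier in the thread purely to put search times in perspective.

```python
import math

DICEWARE_LIST_SIZE = 7776   # 6^5 entries in a standard Diceware word list (assumption)
GUESSES_PER_SECOND = 1e9    # "a billion brainwallets per second" figure quoted in the thread


def diceware_entropy_bits(words: int, lists: int = 1) -> float:
    """Entropy of `words` words, each drawn uniformly from one of `lists`
    equal-sized Diceware lists, with the list choice itself random per word."""
    return words * math.log2(DICEWARE_LIST_SIZE * lists)


def words_needed(target_bits: float, lists: int = 1) -> int:
    """Smallest number of Diceware words reaching `target_bits` of entropy."""
    per_word = math.log2(DICEWARE_LIST_SIZE * lists)
    return math.ceil(target_bits / per_word)


def repeated_password_entropy_bits(base_bits: float, max_repeats: int) -> float:
    """Entropy of a password built by repeating one base secret between 1 and
    `max_repeats` times (the Clock123Clock123Clock123 pattern): the repeat
    count contributes only log2(max_repeats) bits on top of the base secret."""
    return base_bits + math.log2(max_repeats)


def expected_years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find a key by covering half of a 2**bits keyspace, in years."""
    seconds = (2.0 ** bits / 2) / rate
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for n in (5, 6, 7, 8, 10, 13):
        bits = diceware_entropy_bits(n)
        print(f"{n:2d} words: {bits:6.1f} bits, "
              f"~{expected_years_to_exhaust(bits):.3g} years at 1e9 guesses/s")
    print("8 words from 3 lists:", round(diceware_entropy_bits(8, 3), 1), "bits")
    # A 40-bit base secret repeated up to 4 times gains only 2 bits.
    print("40-bit secret x up to 4:", repeated_password_entropy_bits(40, 4), "bits")
```

Under this model the ~116-bit figure for 8 words corresponds to drawing each word from three lists, and repeating a weak password three times leaves it only a couple of bits stronger than the single copy.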


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: spazzdla on June 02, 2015, 12:50:27 PM
I don't think we need to rip on the OP anymore.  He has shared with us a good tale of why going to extreme lengths to protect your wealth is a wise idea.


Title: Re: Brain Wallet hacked, suspect bitcoin talk hackers.
Post by: Rampion on June 02, 2015, 01:13:58 PM
1) Never use passwords that are "easy to remember" for you - no matter how complicated they seem.
2) Always use long, complicated, randomly generated passwords (or even better: Diceware passphrases)
3) NEVER re-use passwords or passphrases or any combination of them.

Just strictly follow these 3 very simple guidelines and you will be safe.