In case you missed it, a researcher has built a system that can crack every possible 8-character password in less than six hours. 8-character passwords are obsolete.
If he’s got it, so do the bad guys.
In fact, that’s why security researchers build this kind of stuff. By exposing that security practices are obsolete and need to change, hopefully they can get people to change old habits before the bad guys manage to exploit the obsolescence too badly.
So, use longer passwords. Don’t use dictionary words. And consider getting a password manager like Password Safe and switching to completely random, long passwords. Because chances are your clever formula has been exposed in one of the big password thefts that’s happened over the last year or two. The problem is that any password that’s easy for a human to remember is also easy for a computer to generate. When you can try 350 billion passwords per second, “easy” becomes much more relative.
This summer I heard more than one security professional say antivirus is broken. But passwords are even more broken, and there are more ways to compensate for ineffective antivirus than there are for ineffective passwords.