Passwords
I agree with an above post that length trumps entropy. After having it explained to me on a Security Now! podcast, it makes sense and can pretty much make you immune to brute force. You still want to use the entire character set. Use a 6-8 character password that is easy to remember (no words used in rainbow table attacks), but make sure you use the entire character set. Then pad that with 6-8 more characters with an easy to remember padding. As for change frequency, it was talked about changing the password too frequently (if ever) is useless too. When passwords are harvested, they are used almost immediately. So weather you changed it just 5 days ago, or 6 months ago doesn't matter. If your policy is 30 days or even 5 days, it will be too late. Just keep a strong password and pay attention to the news to see if there has been a breach for something for which you have an account for and change it right away. And yes, don't use the same password for everything.
