The thing here is that resetting the password through the "FORGOT YOUR PASSWORD" feature should better be forwarded to the person's email through a link, to verify that he is the holder, NOT immediately on the webpage. Except for the case where he is resetting his own email, then it had better be forwarded to another backup email, which in the case of the celebrities above didn't seem to happen.
Regarding password complexity. Long passwords (even if they are simple) are usually more effective than short passwords (even if they are complex). Let's take for example a six-character password comprised of letters, numbers and signs, say Yu*e+5
When you see this password, one can say that it's fairly complex. It's not easy to guess. But for a brute-force attack to work on it, the cracker must search through all combinations of the characters a-z A-Z 0-9 ~!@#$%^&*()-={}|:"<>?[]\;',./
That's 93 characters, say 100 (those are easily reachable on the keyboard; there are more of course). So the total number of combinations is 100 to the power of 6. That's 1,000,000,000,000, one thousand billion trials max to find the password.
Now let's have another simple BUT longer password, an 8-character password but containing only letters (no numbers or signs), say OmiPoxma. Now that one is pronounceable and it might seem simpler than Yu*e+5. But for a brute-forcer to break it, it has to try all possible combinations of a-z A-Z. Total 54 characters, but that's done for 8 letters now. So the total number of combinations is 54 to the power of 8, that's 72,301,961,339,136. Now compare these two numbers:
1,000,000,000,000 (one thousand billion trials)
72,301,961,339,136 (72 thousand billion trials)
By just adding 2 letters to the length of the password we have increased the difficulty 72 times, ALTHOUGH we used FEWER characters from the keyboard (nearly half).
Simply speaking: "lengthen your passwords".
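The keyspace arithmetic in the comment above, worked through as a small added script (not code from the original post). It computes the maximum number of brute-force trials as alphabet_size ** length, converts that to an equivalent bit strength, and estimates how long an exhaustive search would take at an assumed guess rate. The post's own rounded alphabet sizes (100 for the full keyboard, 54 for letters) are used for the two figures quoted there; the `alphabet_size_for` helper, which infers an alphabet from the character classes a password actually uses, and the 1e9 guesses-per-second rate are assumptions added here for illustration.

```python
import math
import string

# Character classes used to infer which alphabet a password draws from.
# This is a modelling assumption for the example, not part of the original post.
CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32 printable ASCII symbols
)


def keyspace(alphabet_size: int, length: int) -> int:
    """Upper bound on brute-force trials: every position can hold any symbol."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits: log2 of the keyspace, i.e. length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given (assumed) guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def alphabet_size_for(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character in the password.

    A brute-forcer that does not know the password's composition has to assume the
    whole class once a single character from that class appears.
    """
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))


def compare(alphabet_a: int, length_a: int, alphabet_b: int, length_b: int) -> float:
    """How many times larger keyspace B is than keyspace A."""
    return keyspace(alphabet_b, length_b) / keyspace(alphabet_a, length_a)


if __name__ == "__main__":
    # Assumed attacker speed for the time estimate (constructed figure, not from the post).
    rate = 1e9

    # The post's own rounded figures: 100 symbols x 6 vs 54 symbols x 8.
    for label, size, length in (("Yu*e+5 (post's 100-symbol estimate)", 100, 6),
                                ("OmiPoxma (post's 54-symbol estimate)", 54, 8)):
        print(f"{label}: {keyspace(size, length):,} trials, "
              f"{entropy_bits(size, length):.1f} bits, "
              f"{seconds_to_exhaust(size, length, rate):,.0f} s at {rate:.0e} guesses/s")
    print(f"ratio (post's figures): {compare(100, 6, 54, 8):.1f}x")

    # Same comparison with alphabets inferred from the passwords' character classes.
    for pw in ("Yu*e+5", "OmiPoxma"):
        size = alphabet_size_for(pw)
        print(f"{pw}: inferred alphabet {size}, {keyspace(size, len(pw)):,} trials, "
              f"{entropy_bits(size, len(pw)):.1f} bits")
```

The `__main__` block prints both the post's rounded figures and the class-inferred ones; either way the longer, letters-only password comes out ahead by more than an order of magnitude, which is the comment's point. Swap in your own policy's minimum length and observed attacker rate to see how the worst-case search time scales.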
