- Use a unique password for each service. Never, ever reuse a password. Why? Even if you keep all your passwords secure, a password can still be compromised because an attacker breaks into a service that you use -- or because an employee of that company misbehaves. You can't prevent that from happening at any one company, but you can limit the impact on yourself. Be assured that if a thief gets one valid password of yours, the first thing he or she will do is try that password, together with your e-mail address, on every other service that you might possibly use; this is routine and automated, not a targeted effort.
- Because you will accrue many passwords as a consequence of my first recommendation, use a system like SplashID to store your passwords. SplashID is secure in the sense that if someone steals your smartphone or laptop, your master password for SplashID itself is needed to access your other passwords. That makes the master password the one that must be longest and never reused anywhere else. And for heaven's sake, don't keep a simple text file, Word document, or spreadsheet with your passwords. Anyone who can read that file gains access to your entire online life.
- Never link accounts. By that I mean: don't tie two accounts together, such as Twitter and Facebook, and don't use your Facebook account to sign into another service such as Skype. I know that companies encourage linking of accounts, and I know it's convenient; but it means that if one account is compromised, the attacker can walk straight into every account you've linked to it. Again, your objective should be to contain the damage in case of compromise. If you do link an account temporarily for convenience, be sure to unlink it or revoke the cross-access when you're done.
- Make your passwords hard to guess. Two ordinary words plus a number, which is what many people settle on, is not hard to guess: password-cracking tools try exactly that pattern (dictionary word, dictionary word, a few digits) before they ever brute-force individual characters, and two four-letter words plus one digit yields only a few hundred million candidates, which an offline cracker exhausts in well under a minute. I recommend a passphrase of at least five or six unrelated words chosen at random, or a long random string generated and stored by your password manager. Length and randomness are what defeat a brute-force attack; a memorable pattern does not.
- Change your passwords at the smallest hint that something is amiss. Password changes don't cost you anything, but not changing passwords could cost you! As soon as you see a news item that even some of the passwords of a service you use have been compromised, don't wait -- change your password for that service immediately.
- If you use a computer that isn't yours, don't sign in permanently to any account. In other words, don't click a "remember me" button on such a computer. Use a private browsing window if the browser offers one, log out when you're done with that service, exit the browser completely, and if possible reboot the machine.
- Avoid disclosing passwords to friends and family who might not be as careful as you. If you do disclose a password, change it afterwards.
- Use secure web browsing (https://) instead of http:// whenever possible. Over plain http:// your password travels unencrypted and can be read by anyone on the same network or along the path to the server.
- In case you drop dead, your spouse or partner or children need to know your passwords. Periodically make a list of the important ones and put it in your safety deposit box -- but don't leave the list lying around your house where a thief could get it. By the way, Wells Fargo has reverted to old-fashioned safety deposit boxes that someone must sign in to access. Wachovia and most other local banks had adopted a self-access policy in which anyone with the keys to a safety deposit box could get unauthorized access to that box. If you have a safety deposit box like that, make sure that the keys don't identify the bank. Even so, a thief who gets your keys might visit every bank in your neighborhood to see where your keys work. Kudos to Wells Fargo.
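To put numbers behind the "hard to guess" item above, here is an added example (my own, not code from the original post or from SplashID): it estimates how long an offline cracker needs to exhaust the word+word+number scheme versus a longer random passphrase, shows a toy combinator attack that recovers such a password with a handful of dictionary lookups instead of a character search, and generates a passphrase with a cryptographic random source. The dictionary size, the guess rate, and the short word list are constructed assumptions for illustration, not measured figures.

```python
"""Added example, not part of the original post: cost of "two words plus a
number" versus a longer random passphrase.  All constants are assumptions."""
import math
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Assumed size of the word list a cracker tries first (common English words of
# four or more letters) and an assumed offline guess rate against a fast,
# unsalted hash.  Both are illustrative; real lists and rigs differ.
SMALL_DICT = 5_000
GUESSES_PER_SEC = 1e10

# Constructed stand-in for a Diceware-style list (real lists have 7776 words).
SAMPLE_WORDS: List[str] = ["blue", "horse", "battery", "staple",
                           "good", "night", "river", "stone"]


def guess_space_bits(dict_size: int, words: int, digits: int = 0) -> float:
    """Entropy in bits of a password made of `words` dictionary words chosen
    independently from `dict_size` candidates, followed by `digits` decimal
    digits.  Assumes the attacker knows the scheme, which crackers do."""
    return words * math.log2(dict_size) + digits * math.log2(10)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return (2.0 ** bits) / rate


def crack_two_words_plus_number(password: str,
                                wordset: Set[str]) -> Optional[Tuple[str, str, str]]:
    """Toy combinator attack specialised to the word+word+number pattern.
    It never brute-forces characters: strip the trailing digits, then test
    every split point of the remainder against the dictionary.  Cost is a
    few set lookups per character, regardless of dictionary size."""
    stem = password.rstrip("0123456789")
    number = password[len(stem):]
    if not number:
        return None
    for i in range(1, len(stem)):
        left, right = stem[:i], stem[i:]
        if left in wordset and right in wordset:
            return left, right, number
    return None


def generate_passphrase(wordlist: List[str], n_words: int = 6) -> str:
    """Pick words uniformly with the OS CSPRNG (`secrets`), never `random`,
    so the entropy estimate above actually applies to the result."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_schemes() -> Dict[str, float]:
    """Seconds to exhaust three schemes at the assumed guess rate."""
    return {
        "two_words_plus_digit": seconds_to_exhaust(guess_space_bits(SMALL_DICT, 2, 1)),
        "two_words_plus_4_digits": seconds_to_exhaust(guess_space_bits(SMALL_DICT, 2, 4)),
        "six_diceware_words": seconds_to_exhaust(guess_space_bits(7776, 6)),
    }


if __name__ == "__main__":
    for name, secs in compare_schemes().items():
        print(f"{name:26s} {secs / 86400:12.3g} days")
    print(crack_two_words_plus_number("bluehorse7", set(SAMPLE_WORDS)))
    print(generate_passphrase(SAMPLE_WORDS))
```

At the assumed rate, two words plus a digit falls in a fraction of a second and two words plus four digits in about half a minute, while six random words from a 7776-word list take on the order of hundreds of thousands of years. A slow, salted password hash at the service (bcrypt, scrypt, Argon2) cuts the attacker's rate by several orders of magnitude, but you don't control which hash a service uses, so pick the passphrase that survives even the fast case.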
My short list of best practices is not infallible; read this. But if you don't follow best practices, you might as well be walking down a dark street in a bad neighborhood while waving $100 bills in the air.