hacked - looking for doc/suggestions on hardening/securing systems from the start

Tim ignored_mailbox at yahoo.com.au
Fri Dec 20 08:05:59 UTC 2013


Allegedly, on or about 19 December 2013, Greg Woods sent:
> it is very risky to use the same password at multiple locations, even
> if it is an easy-to-remember but hard-to-guess password. 

It definitely is, and I've seen the results, even on the more benign
side of things.

e.g. A fool uses some webservice that asks you to log in with your
hotmail username and password, so they do, despite the fact that this
webservice is not hotmail.  It logs into hotmail, pretending to be them,
and does things, such as:  Spamming every address they find in their
account, as if the hacked person was writing them a message.  If
somewhere along the way, they find the fool has other internet accounts
(e.g. yahoo), it'll try logging into them using the same password.  So,
the fool with one password lets someone into all their email accounts,
their paypal account, their bank...

I can't remember if it were two or three people I know who've been done
like a dinner, that way.  If I know a few, there's got to be thousands
more.

It's only slightly mitigated by webservices having different password
constraints.  e.g. As a simplistic example of that, some will stupidly
say you can only have a six letter password, others will insist it must
be more than eight letters.  So a fool can't use the same password for
everything, sometimes...

-- 
[tim at localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
