High_Times made a very good post bringing up the very big problem
of how easily crackers can download and crack your entire 
password list. 
http://www.gofuckyourself.com/showthread.php?t=459989
That thread is about to hit 3 pages, with few or no replies explaining
how to solve the problem.  I figured I'd start a new thread covering
the solution for those who don't want to read through pages
of replies to his post.
Many people who replied to his post mentioned that Strongbox
will do a very good job of detecting and handling compromised
passwords.  Strongbox will do a good job of detecting and 
notifying you of a password that the user gives out, preventing
your passwords from getting cracked by dictionary or brute force
attacks, and letting you know if your entire password list ever
does get cracked.
However, if you let a cracker download and crack
your entire password list, something like Password Sentry,
Strongbox, etc. will simply do its job and block all of these
compromised passwords, which would leave legit users without
access.  What you need to do is first secure your password list
so that a cracker can't simply download your whole membership
list and post it on a password site or wherever, THEN have
Strongbox watching for any individual passwords that get
compromised somehow.
Having your whole member list cracked is kind of like having 
your hard drive totally fail in that people don't think about it 
too much because it doesn't happen every day, but when it 
does happen it's a BIG problem.  Also like a hard drive failure, 
it's fairly likely that eventually it will happen to you. 
If you are using an old fashioned .htpasswd file, it's only
encrypted with an algorithm called DES, which is next to
worthless. If those DES encrypted passwords are based on English
words, which they normally are if you let your users choose
their own passwords, a cracker can decrypt many of those
passwords within seconds. You have to secure your passwords
better than that.   High_Times made some good suggestions
on how to avoid having your list cracked, but I wanted to
go a little further.
First, how to know if this is a problem for you:
1) If you have a file called .htpasswd you have a problem.
2) If you let users choose their own passwords you have a problem.
3) If your database or password file has the passwords in 
     it in clear text you have a problem.
4) If any of 1-3 applies to you and you run PHP scripts, you 
     probably have a bigger problem.
PHP scripts make the problem worse because most of them, 
including most of the most popular ones, include a security hole
that will let the attacker download your password list or database.
So especially if you use PHP you'll want to be sure your password
list is not easily cracked.
I know some of you PHP script code monkeys will want to argue this point.
Be alerted that if you do I'll refute your argument by exploiting a
hole in this PHP board to change your sig to "I'm a PHP newbie
who argues with experts when I don't know what I'm talking about." ;)
High_Times mentioned that DES encryption, used in most .htpasswd
files, is no longer effective. I've run a cracker program against
some customers' password lists and indeed I was able to 
crack many passwords in seconds.   Part of the reason it's so
weak is that it only uses the first 8 characters of the password.
With user chosen passwords the first 8 characters are often
found in a cracker's dictionary because they choose passwords
based on English words.
You CAN use the much stronger MD5 algorithm for your .htpasswd
file by having your processor's add password script slightly
modified and using the following directive in your .htaccess:
AuthDigestAlgorithm MD5
However, Apache uses a slightly non-standard MD5 implementation,
so that may well create a problem for you in the future.
Better is to put your usernames and passwords in a MySQL database.
Any processor's script can be fairly easily modified to use a 
MySQL database instead of a password file.  You can then 
use Strongbox to read those passwords or install mod_auth_mysql.
Do NOT put clear text, unencrypted passwords in a MySQL database.
Some of the well known user management scripts do exactly that.
Some of these scripts are made by friends of mine, so I won't
name names just yet, but if you distribute such a script fix
that now.  By next year I will be naming names.  If you use a 
user management script ask them if they store the passwords 
in clear text and ask them to adjust it so that it instead stores
an MD5_hex hash of the password.
Now that you've fixed up your encryption, you also need to have 
reasonably strong passwords.  Contrary to popular belief, using 
punctuation marks in passwords doesn't improve security much
at all.  (Count the bits.)  Allowing certain punctuation marks 
does, however, make you vulnerable to code injection attacks.
The best way to make passwords strong is to make sure that
they are not plain English words or based on English words and
to make them reasonably long. That means you can't let users
choose their own passwords, or else you need a very good
password checking script to make sure they don't pick weak
ones.  Does that mean you have to set CCBill to create those ugly
random passwords like J8*Ul7^ag% that no one can remember?
No! Not anymore.  CCBill will let you upload a large list of
user/pass pairs that it will assign to users.  The ideal password
is reasonably long (8-14 characters), not based on a dictionary
word, and yet easy enough to remember.  Note the phrase
"based on a dictionary word".  fuckoff1 will get cracked quickly.
We've written a script that produces nearly ideal passwords.
They are somewhat pronounceable and so they can be remembered,
yet they are long enough and not based on English words.
Some usernames and passwords generated by our script
in short mode:
    uarainaca     niladonkn
    sexweepri     spitskido
    lymphricb     frucsphin
    trufsecev     pantygenc
long mode:
    spunloomjago  chopscorpssl
    luxereclrirr  mesrandcourt
    qualmionochi  ovavimzotep
    erynphisrhuc  seisskulldik
"spitskido", "pantygenc", or "frucsphin" won't be found in a
hacker's dictionary, yet can be pronounced and therefore
remembered.
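As an added illustration (not the script mentioned in the post), here is a small Python version of the same idea: a password checker applying the post's criteria (8-14 characters, letters and digits only, not based on a dictionary word) and a syllable-based generator that retries until a candidate passes that check. The syllable tables and the tiny word list are constructed for the example; a real deployment would load a full cracker wordlist.

```python
import secrets
import string

# Constructed syllable tables (an assumption; the original script's tables are not on the page).
ONSETS = ["b", "c", "d", "f", "g", "h", "j", "k", "l", "m", "n", "p", "r", "s", "t",
          "v", "w", "z", "ch", "sh", "th", "ph", "sp", "st", "tr", "pr", "cr", "fr", "sk"]
VOWELS = ["a", "e", "i", "o", "u", "ai", "ea", "oo"]
CODAS = ["", "", "", "n", "m", "r", "l", "s", "t", "k", "d", "p", "nk", "nd", "st", "rt"]

# Constructed stand-in for a cracker's dictionary; load a real wordlist in practice.
WORDLIST = {"password", "donkey", "secret", "monkey", "dragon", "welcome", "letmein", "trust"}


def based_on_dictionary_word(candidate, wordlist=WORDLIST, min_len=4):
    """True if any dictionary word of min_len+ letters appears inside the candidate
    (catches 'donkey99' style passwords, not only exact matches)."""
    low = candidate.lower()
    return any(word in low for word in wordlist if len(word) >= min_len)


def check_password(candidate, wordlist=WORDLIST):
    """Return the list of reasons a user-chosen password fails the post's criteria."""
    problems = []
    if not 8 <= len(candidate) <= 14:
        problems.append("length must be 8-14 characters")
    if not all(c in string.ascii_letters + string.digits for c in candidate):
        problems.append("only letters and digits are allowed")
    if based_on_dictionary_word(candidate, wordlist):
        problems.append("based on a dictionary word")
    return problems


def pronounceable(min_len=8, max_len=14, wordlist=WORDLIST, max_tries=1000):
    """Build a password from random syllables until one passes check_password()."""
    for _ in range(max_tries):
        pw = ""
        while len(pw) < min_len:
            pw += secrets.choice(ONSETS) + secrets.choice(VOWELS) + secrets.choice(CODAS)
        if len(pw) <= max_len and not check_password(pw, wordlist):
            return pw
    raise RuntimeError("could not generate an acceptable password")


def user_pass_list(count, wordlist=WORDLIST):
    """Generate 'user pass' pairs, one per line, with no duplicate usernames."""
    users = set()
    while len(users) < count:
        users.add(pronounceable(wordlist=wordlist))
    return "\n".join(f"{u} {pronounceable(wordlist=wordlist)}" for u in sorted(users))
```

Writing user_pass_list(10000) to a file gives the kind of upload list the post describes.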
If you'd like us to generate a list of 10,000 or so user/pass combos
for you to upload to CCBill or whatever processor you are using
just drop us an email.  We'll be writing a script for using our 
passwords with Paycom some time in the next couple days.
I'm sure someone will post a reply bringing up something I forgot, 
but that's about it I think.
To review:
Old fashioned .htpasswd is bad, very bad.
Use MD5 or SHA1 rather than DES.
Use MySQL to store the passwords via either Strongbox or mod_auth_mysql.
Generate good passwords rather than letting users choose bad ones.
Make sure your PHP and CGI scripts are up to date on security patches.
Now your password list is secure and you're ready to use
Strongbox or another system to catch any passwords that may 
be given out and to prevent brute force/dictionary attacks.