The password problem has been solved for many years.
Use a password manager and don't ever reuse passwords. Certainly don't use the same password on more than one website. If the website supports two-factor authentication then use it.
I'll disagree slightly with kiva. A password manager will make life much easier to manage different passwords across multiple sites in a more secure manner, but I'm not convinced it will solve the problem. The reason I say this is that the pen testers obtained access to the machine; once you have access you could then compromise the password manager database.
Often people will use the same password as on their PC or Mac; if so, you may be able to easily reverse the password hash used here, which would then possibly allow the attacker to obtain access to your passwords.
For questions that challenge things like "what is your mother's maiden name?", provide a random answer like ahfGwUvZmDllhaif, which is easily generated and stored within a password manager; there is no need to remember those random answers.
This is good advice to follow as it makes it that little bit harder for an attacker. Often you'll get asked for your date of birth; my tip is don't provide your actual DOB, pick another date.
A number of websites will ask you to register before you can see some content. If you only want access to something simple, say downloading a PDF, try using a fake name and email address and see if this will let you download the file you want. If it wants to verify your address before you can download, you may then need to use your real address, or you could use a crappy gmail or hotmail address just for these types of activities.
The good news about this particular attack is that it was harder for the pen testers to retrieve the information and credentials they needed to make life interesting for the author. The other interesting thing is that they needed to try a number of different social engineering attacks to get to this point; usually dropping a disk in an office will work in minutes.
While they needed to use social engineering attacks here, it may not be necessary in all scenarios. Remember, they first were expecting to be able to use the author's home WiFi to compromise his computer.
I do information security for a living, and we constantly hear the words "I'm/we're not a target" and "we have nothing of value". If you are a business and you have nothing of value, why do you exist? As an individual you have value to a criminal: the value you have is the money you may pay me if I make your life hard by encrypting your files.
Criminal activities like ransomware (e.g. CryptoLocker, http://en.wikipedia.org/wiki/CryptoLocker) are becoming more prevalent for all users; I'd suggest you do some reading on how you can protect yourself.
FWIW, a firewall and virus software will not protect you against your own stupidity; don't open files from people you don't know.
The reality is you will have a problem one day; be prepared is my advice.
HTH,
Jason
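Generating the kind of random security-question answer Jason describes above, as an added example that is not code from the thread: it draws answers from the OS CSPRNG via Python's secrets module and refuses any length whose entropy falls below a floor, so a "mother's maiden name" answer is never weaker than the account password. The letters-plus-digits alphabet and the 80-bit floor are assumptions.

```python
import math
import secrets
import string

# Alphabet for generated answers: letters and digits only, so the value
# pastes cleanly into any "security question" field (constructed choice).
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 16) -> str:
    """Return a random answer in the style of 'ahfGwUvZmDllhaif', using the
    OS cryptographic RNG rather than random.choice()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string of this length/alphabet."""
    return length * math.log2(alphabet_size)


def make_answers(questions, length: int = 16, min_bits: float = 80.0) -> dict:
    """Build {question: answer} for pasting into a password manager's notes.
    Raises if the requested length gives less entropy than min_bits, so a
    short answer is never silently weaker than the site's password."""
    bits = entropy_bits(length)
    if bits < min_bits:
        raise ValueError(f"{length} chars gives {bits:.0f} bits, below {min_bits}")
    return {q: random_answer(length) for q in questions}


if __name__ == "__main__":
    qs = ["Mother's maiden name?", "First pet's name?", "City of birth?"]
    for question, answer in make_answers(qs).items():
        print(f"{question:<25} {answer}")
```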