I really doubt it's a password issue.
Most server side exploits aren't due to weak passwords since even with a weak password, trying to brute force it takes too long for scripted attacks.
This is probably something really basic like not checking the input data properly leading to a buffer overrun, which often leads to remote code execution.
While using strong password is definately a good idea, it's not a panacea. Especially since these days almost every form of attack is either exploiting a known bug (which means the patch is usually available but just not applied for whatever reasons) or through social engineering (click here for naked pictures of <fill in the name of hottie de jour>).
For consumer desktops/laptops, the single best thing you can do is keep up with the available patches and just exercise common sense when clicking on things on the web and certainly exercise a healthy dose of skepticism when faced with email attachments of any sort.
True, but it's a fine first step, since you can have the machine secured into a virtual alcatraz, but by using a lame password like "adminrocks", it can be completely compromised. It's surprising how easy it is to get into some systems due to stuff like this.
For example....here at work we have a machine that is considered mission critical and secure. I compromised it by having access to a guest level account.
How? Permissions weren't set properly, so I could view /etc/passwd.
The next problem... passwords were not shadowed
final problem, weak crypto was used (the password was hashed against itself to make the encypted password)
Using this, I cracked the password for the admin account in under half an hour....less time than the two days it took to get hold of the admin who forgot to give us the password when he left for vacation.
Their problem was it was secured against most overflows and other "automated" exploits, but they completely forgot about oldschool fudging about. Thankfully they missed this, as we needed access to the machine for revenue reasons. It was fixed before he even got back from vacation....I fixed the problems myself on the way out.
So any accounts being locked down is a huge first step.
The other side of this is making sure freemail (yahoo/hotmail/gmail/etc) accounts and ebay/"pay pal" type accounts remain under your control...a "pay pal" acct in a scammer's hands can be potentially quite nerve-racking (think wiped out bank account, unless you use a special account just for it...then think NSF fees), as can having access to personal info that often find their way into emails.
For email attatchments, if from a "friend", ask them if they sent you anything...if they did, then consider looking at it after it goes through a virus scanning....otherwise delete. It's very easy to fake an email from someone else.
The other valuable thing is having both a software and hardware (between the cable/dsl modem and router) firewall protecting your home network, and configure it properly.
There's always more, as it's a cat and mouse game betweeen those that want to annoy/harm, and those that want to stop those people in their tracks.
