Mark Burnett has an interesting post on The Worst Password Tips. His main thesis is that much—or even most—of the advice you hear about choosing passwords is no longer good advice. It used to be that passwords like p@r013 gave reasonable safety. Now substitutions like that are well known, and all cracker software is configured to try them.

Similarly, passwords that take the first letter from each word of a phrase, such as “my baloney has a first name” → mbhafn, seem like a good idea because they won’t appear in any dictionary. The problem is that they are too short and, in this age of GPU-based crackers, are subject to brute force attacks. The same goes for short random passwords such as n%C+k3q. Again it seems safe because it won’t be in any dictionary, but it’s still short enough to be brute forced.
Burnett recommends long passwords and, in fact, says that length is more important than randomness. I typically use a random 20-character password that is generated automatically by my password management software. When sites allow it, the random password will have upper- and lowercase letters, numbers, and symbols. That increases the size of the “alphabet” that the cracker must deal with and makes his work much harder. Sadly, many sites have stupid, security-destroying restrictions on password length and composition, but that’s another story. I’ll say only that such sites can be presumed to have other shoddy security practices and should be avoided if possible.
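To put numbers on the two points above (substitutions buy nothing, length beats alphabet size), here is a small Python example added for this post; it is not code from Burnett’s article or from any password manager. It scores a password the way a defender’s policy check would: it computes the exhaustive-search keyspace from length and the character classes actually used, and it undoes common substitutions before checking a wordlist, so p@r013 is judged as “parole”. The substitution table, the tiny wordlist, the 20-character sample string and the guess rate of 10^10 per second are all constructed assumptions for illustration, not measured figures.

```python
import math
import string

# Character classes. An exhaustive search must cover every class the
# password draws from, so the effective alphabet is the union of the
# classes actually present in the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Assumed, simplified substitution table (the kind of thing a cracker's
# rule set applies in the forward direction); used here in reverse.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "0": "o",
                      "$": "s", "5": "s", "7": "t", "!": "i"})

# Constructed stand-in for a real wordlist.
WORDLIST = {"parole", "password", "baloney", "secret", "welcome"}

# Assumed guess rate for an offline attack on a fast hash; the real figure
# depends on the hash algorithm and hardware, so treat this as illustrative.
ASSUMED_GUESSES_PER_SECOND = 1e10


def alphabet_size(pw: str) -> int:
    """Size of the smallest class-union alphabet containing every char of pw."""
    present = set(pw)
    return sum(len(cls) for cls in CLASSES.values() if present & cls)


def brute_force_bits(pw: str) -> float:
    """log2 of the exhaustive-search keyspace: length * log2(alphabet size)."""
    size = alphabet_size(pw)
    if size == 0:          # empty password: nothing to search
        return 0.0
    return len(pw) * math.log2(size)


def seconds_to_exhaust(pw: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate the whole keyspace at `rate` guesses/second."""
    return 2 ** brute_force_bits(pw) / rate


def deleet(pw: str) -> str:
    """Undo common substitutions so that p@r013 is checked as 'parole'."""
    return pw.lower().translate(LEET)


def is_dictionary_word(pw: str) -> bool:
    """True if the password is just a wordlist entry with substitutions applied."""
    return deleet(pw) in WORDLIST


def assess(pw: str) -> dict:
    """Bundle the checks a sane password policy would run before accepting pw."""
    return {
        "password": pw,
        "alphabet": alphabet_size(pw),
        "bits": round(brute_force_bits(pw), 1),
        "dictionary_after_deleet": is_dictionary_word(pw),
        "exhaust_seconds": seconds_to_exhaust(pw),
    }


if __name__ == "__main__":
    samples = [
        "p@r013",                  # substituted dictionary word from the post
        "mbhafn",                  # first letter of each word of a phrase
        "n%C+k3q",                 # short random string from the post
        "abcdefghijklmnopqrst",    # 20 characters, lowercase only
        "vX7#qL2!pZ9@mK4$wR8%",    # constructed 20-character mixed-class sample
    ]
    for pw in samples:
        r = assess(pw)
        print(f"{r['password']:22} alphabet={r['alphabet']:3} bits={r['bits']:6} "
              f"dictionary={r['dictionary_after_deleet']!s:5} "
              f"exhaust={r['exhaust_seconds']:.3g}s")
```

Two things stand out in the output. p@r013 looks like 36 bits of keyspace on paper, but the dictionary check flags it immediately, which is exactly why the substitution trick no longer helps. And the 20-character lowercase-only string (about 94 bits) beats an 8-character string drawn from all four classes (about 52 bits) by a wide margin: the length term multiplies, the alphabet term only adds a few bits per character.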
If you’re still making your passwords up by hand, you really should check out Burnett’s post. It will give you some advice on what to avoid. Better yet, stop making them up and get some software such as KeePass or 1Password to manage your passwords.