There is much advice about how to choose passwords, and much of the advice is bad.
It doesn't consider the threat models, it doesn't consider human fallibility.
You do not want to remember many passwords.
You should remember as few passwords as possible, while still using a different password for every site.
So the best solution is to use one of the password management tools and let it generate very strong passwords for you.
Then you just remember your password to get into that tool, and perhaps one or
two others where you have no choice, such as for buying things on a tablet
You take backups of the password tool's database, and you consider printing
out the passwords to put them in a safe, protected by trained attack tigers.
If you really must treat passwords for remote web-sites as something which
mere humans have to remember, and you accept that you're fighting a losing
battle but are prepared to fight valiantly nonetheless, then here is some
- Use the “mnemonic phrase” approach to generating a password; make it at
least 10 words long.
- Example password (do not use!):
- Mnemonic: “cats do not bounce and do not ask me how I know this”
- Note that the password ends up being unpredictable, but you can still
manage to remember the mnemonic with only a little practice
- I was introduced to this approach, at the very latest, when I started
work at an ISP in 1999. It's the only approach which has stood the test
of time and which experts still recommend.
- Do not use anything based on words being present in the password, or small
changes to words, or facts about you, or anything which might be figured
out by the Veronica Mars folks in your life.
- Do not make a password which consists of a few full words; XKCD was wrong
- Keep written records of the mnemonic somewhere safe; if you know how to use
encryption software, then that's the safest (and you don't need to write
down the single passphrase, if you can remember it), but if you're more
worried about attackers breaking down your door than about forgetting a
password or mnemonic, then:
- you have a strange life;
- use a password management tool instead.
- Don't use a password less than 10 characters. Aim to be a little longer.
- It's getting ridiculously easy to brute force shorter strings and for
historical reasons, 8 characters was a long-term limit on password
length, so attack tools focus on that as a limit
- Do please go longer than 10 characters!
- You might end up having to avoid some characters for badly broken
websites which can't handle them; if
" results in weird
error messages instead of “password not allowed, here's the allowed
characters” then stop using the site -- it's dangerously broken.