Password best practices
Use passwords that are not composed of common words or names. Dictionary attacks use dictionaries with millions of words and are very quick.
Use long passwords. I tend to use passphrases. I pick a phrase, sentence or rhyme and find some way to use a fair number of non alpha-numeric characters so that my words are not dictionary words.
Do not use the same password for multiple login services. Take some time to come up with a formula for picking passphrases. This allows you to use many different passwords that, if forgotten, you may be able to recreate with some trial and error.
If you have to, by all means write a good, long, secure password down and hide it somewhere. That at least is better than using a weak password that is easier to remember.
If the above suggestions prove unmanageable, use a password manager with a long secure password and then use random character passwords for everything else. Carry the password manager around with you on an encrypted USB flash drive (backed up of course).
I have found several problems with passphrases:
- Many sites have upper limit to password length - like 20 chars - it's silly, but what can you do.
- Other sites don't allow spaces in passwords.
- Typing long texts blindly is error-prone - especially when you're not good touch-typist.
- Typing 50-char passphrase takes quite a bit longer than good 15-char password.
My solution for this problem has been to use passphrases as a mnemonic to the actual password. For example I could pick a few lines of great poem from William Henry Davies (76 chars):
No time to see, when woods we pass,
Where squirrels hide their nuts in grass.
And I would pick the first letters of each word, creating the following pretty good 16-char password:
Nttswwwp,Wshtnig
Using poetry is especially good, because it's easier to remember and when you are asked to change the password, you can just pick next few lines of a poem.
When dictating a password regime to others, don't only require that they use unique, longer than a threshold, contain mixed case, special characters etc.. but also educate the user about password managers or schemes to construct/remember those passwords... if you don't, the users will write the passwords down or find other, insecure ways to "remember" them.