As every year, in late April my to-do list reminded me to change my password for the year to come. With every year I learn more lessons on this topic, so here are some of them to share with you.
10. A password has to fulfill two contradictory conditions: it has to be secure but easy to remember. (As always insightful and interesting: Chaos Radio by the Chaos Computer Club. This episode is on passwords, but only in German.)
9. There is a common strategy for reaching a reasonable compromise. In short: do not use a word from a dictionary (house). Use characters from all character subsets, i.e. digits, lower and upper case letters and special characters. (For details see here.)
8. You should not use a word from a dictionary. Nor should you use a dictionary word with obvious leetspeak or similar substitutions (h0u?e). A small improvement is to take the first letters of a sentence or part of a sentence and make some substitutions. If the sentence is often quoted ("to be or not to be"), the improvement may still be too small.
7. If you take a phrase from a song, remember not to sing or hum it every time you start entering your password... (I hope no one noticed...)
6. Add two or more characters at the beginning, the end or wherever you can remember them, for each new purpose you use the password for (e.g. add oo at the end of your standard password for a Google login).
5. I recommend using a tool such as KeePass to store your passwords and user names. You can also use cloud-based solutions, but I am old-fashioned about this.
4. Change your password regularly (e.g. every year) - and remind yourself to do so!
3. Keep track of your old standard passwords (in KeePass), as you will probably come across encrypted files or the like years after you have changed your standard password (as I did yesterday).
2. Don't be fooled by search space alone, i.e. the size of the character set an attacker has to consider - the most important factor is and will remain password length!
1. And, as password length is so important, there is a (still not so common, but even better) way of getting really secure passwords: combine at least four random dictionary words, as suggested by this XKCD comic.
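To make lessons 9, 8, 2 and 1 concrete, here is a small Python strength estimator added for this post (not the author's code): it computes the brute-force search space of a character-class password, flags a dictionary word in leetspeak disguise, and compares both with random word passphrases. The word list, leetspeak table and sample passwords are constructed for the example.

```python
import math
import secrets
import string

# Lesson 9: the four character subsets a brute-force attacker has to cover.
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)

# Constructed toy word list; a real one (e.g. the 2048-word list behind the
# XKCD estimate) would be loaded from a file.
WORDS = ("house", "correct", "horse", "battery", "staple", "radio", "chaos", "april")

# Common leetspeak substitutions, undone for the dictionary check (lesson 8).
LEET = str.maketrans("0134@$?", "oleaass")


def search_space_bits(password: str) -> float:
    """Bits of a brute-force search over the classes actually present,
    assuming each position is an independent, uniform pick from that alphabet."""
    alphabet = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def dictionary_derived(password: str, words=WORDS) -> bool:
    """True when undoing leetspeak yields a dictionary word; the search-space
    figure above then badly overestimates the real strength (lessons 8 and 2)."""
    return password.lower().translate(LEET) in words


def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of num_words words drawn uniformly at random from a list (lesson 1)."""
    return num_words * math.log2(dictionary_size)


def make_passphrase(words=WORDS, num_words: int = 4) -> str:
    """Random passphrase; the secrets module, not random, so picks are unpredictable."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    # Lesson 2: 16 lower-case letters beat 8 characters from all four classes.
    for pw in ("h0u?e", "h0u?e!Xy", "qzvmwrtplkhgdsna"):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, "
              f"dictionary word in disguise: {dictionary_derived(pw)}")
    # Lesson 1: four words from 2048 give 44 bits; six from a 7776-word
    # (Diceware-sized) list give about 78 bits.
    print(f"4 x 2048 words: {passphrase_bits(4, 2048):.0f} bits")
    print(f"6 x 7776 words: {passphrase_bits(6, 7776):.0f} bits")
    print("example passphrase:", make_passphrase())
```

The search-space figure is an upper bound: for h0u?e it reports about 30 bits, yet the dictionary check shows it is just "house" in disguise and falls to a dictionary attack far sooner.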