Choosing a good password is always a problem. The essential tension is that a good password should be easy to remember, yet hard to guess. Most people err on one side or the other, usually the guessable side: they choose passwords such as the name of their spouse or pet. Any word in the dictionary makes for a quick security breach. At the other extreme, we have vendors who send us passwords like 8#{aUv7. Yes, it's hard to guess, but it is also impossible to remember, which guarantees that it will have to be written down, copied, pasted, stored, and generally left lying about. Here are some hints for forming usable passwords:
- Combine two or more words, like 'noneshallpass'
- Some people convert their passwords into 'leet speak' by substituting zeros for ohs (o->0) and ones for ells (l->1). These are fairly easy to guess as well. The next step up would be to substitute threes for ees (e->3).
- Even better, if you speak a few words of a foreign language, use them, such as 'verb0ten'.
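As an added illustration of the post's argument (my code, not the author's), here is a rough guess-count estimator: it undoes the o/l/e substitutions, checks whether what remains is a run of dictionary words, and otherwise falls back to a brute-force estimate over the character classes present. The toy word list and the assumed dictionary size `DICT_SIZE` are constructed for the example.

```python
import math
from functools import lru_cache

# Constructed toy word list (assumption; a real checker would load a full
# dictionary such as /usr/share/dict/words plus a cracking wordlist).
WORDLIST = frozenset({"none", "shall", "pass", "word", "password",
                      "verboten", "secret", "dog", "cat"})
DICT_SIZE = 100_000                    # assumed size of an attacker's dictionary
LEET = {"0": "o", "1": "l", "3": "e"}  # the substitutions named in the post


def unleet(pw: str) -> str:
    """Undo o->0, l->1, e->3 so leet variants collapse to the base word."""
    return "".join(LEET.get(c, c) for c in pw.lower())


@lru_cache(maxsize=None)
def segment(s: str):
    """Split s into WORDLIST words (longest-first, backtracking); None if impossible."""
    if not s:
        return ()
    for i in range(len(s), 0, -1):
        if s[:i] in WORDLIST:
            rest = segment(s[i:])
            if rest is not None:
                return (s[:i],) + rest
    return None


def guess_bits(pw: str) -> dict:
    """Rough log2(guesses) under two attacker models: dictionary-plus-leet, or brute force."""
    base = unleet(pw)
    words = segment(base)
    if words is not None:
        # Attacker tries n-word combinations and toggles each o/l/e position:
        # DICT_SIZE**n * 2**(number of substitutable positions)
        toggles = sum(c in LEET.values() for c in base)
        bits = len(words) * math.log2(DICT_SIZE) + toggles
        return {"model": "dictionary", "words": list(words), "bits": bits}
    # Not dictionary-based: assume brute force over the character classes present
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(not c.isalnum() for c in pw): pool += 33
    return {"model": "brute-force", "words": None, "bits": len(pw) * math.log2(pool)}


if __name__ == "__main__":
    for pw in ("noneshallpass", "verb0ten", "passw0rd", "8#{aUv7"):
        r = guess_bits(pw)
        print(f"{pw:14} {r['model']:12} {r['bits']:5.1f} bits  {r['words']}")
```

Under these assumptions three combined words ('noneshallpass') score higher than the unmemorable 8#{aUv7, while a single leet-substituted word gains only a handful of bits over its base word.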
NIST standards call for users to change their passwords every 90 days. This is commonly accepted wisdom in the security community, but I remain dubious. I think one well-chosen, well-guarded password is better than a string of mediocre passwords that change so often the user has to write them down to remember which one they're using at the moment.
In closing, have fun with the idea.