Choosing a good password

Security is a compromise between inconvenience and risk.  
So too is choosing a password - but there are some easy wins.

Simple passwords are so insecure that the risk to anything important is unacceptable (see the blacklist below for features that render a password insecure).  The ideal "strong" password is a seemingly random combination of letters, numbers and symbols drawn from the full range of characters the system accepts.

Such a string may seem unmemorisable, and so ends up written down, defeating the very security it was meant to provide.  But this need not be the case.

The mnemonic method is widely accepted as a good way to produce a memorable 'strong' password.

Construct your password from the initial letters of the words of a phrase, keeping any numbers as digits.  Aim for at least 8 characters; 12 is a good target, and longer is stronger wherever the system allows it.
"One apple a day keeps the Doctor away" (1aadktDa) shows the method, but the phrase is too well known to be secure.

Instead, pick something meaningful to you, like:

    Phrase                              Password
    My pet dog's name is Rex            Mpd'sniR
    My sister Peg is 24 years old       MsPi24yo
    I went to Lego-Land in 1998         IwtL-Li98
    I grew up at 33 Windsor Street      Igu@33WSt.

Finally, double-check that you have not inadvertently chosen something that is simple to hack (see the blacklist below).  The blacklist applies to the finished password, not to the phrase: "Rex" is fine as a word in the phrase, but not as a run of characters in the password.

You will note that very little effort was required to construct a password that meets the common 'best practice' rule that it must contain characters from at least 3 of the following 4 classes:

  1. Upper case letters A, B, C, Z
  2. Lower case letters a, b, c, z
  3. Numerals 0, 1, 2, 9
  4. Non-alphanumeric characters {}[],.<>;:'"?/|\~!@#$%^&*()_-+=
    (note that some systems may not accept all non-alphanumeric characters, or may limit the allowed length; check before relying on a symbol)

Writing passwords down

For maximum security you should not write a password down.  But if you really do need to keep a record, hide it somewhere easy for you to find, in a form or context that makes it all but impossible to identify as a password.  For example, if you chose your childhood address as your phrase, you could add an entry to your address book under your late maternal grandmother's name with the childhood address.  That gives a clue only you will recognise.  Note that what is recorded is a reminder of the phrase, not the password itself; never write the password out verbatim.

The blacklist

The following, when used in passwords, whether or not other words are added to them, are considered "simple to hack", either by brute force (dictionary and pattern guessing) or with a little personal knowledge.
  • any part of your account name
  • any word or name in ANY language 
    (especially your name or address, or of family, associates or pets)
  • invented words from literature (like "Quidditch") or science fiction, and obscenities
  • abbreviations from texting language
  • postcodes or telephone numbers (especially your own)
  • consecutive letters or numbers like "abcdefg" or "234567" (whether backwards or forwards)
  • adjacent keys on the keyboard like "qwerty" or "mnbvc"
  • any of the above where letters are switched for similar-looking numbers or symbols (eg pe0p1e)
  • repeated characters (eg "zzzz" or "1111")
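
The construction rule, the three-of-four-classes rule and the blacklist above can all be automated.  The following Python is an added example written for this page, not code from the original author: it builds a first-draft mnemonic from a phrase and then runs a candidate password through the class rule and the blacklist.  The word list, keyboard rows, leet table and the account name "jsmith" are constructed stand-ins; a real check would use a full multi-language dictionary and the user's actual account name.

```python
import re
import string

# Constructed stand-in for "any word or name in ANY language".
# A real check would load a full multi-language dictionary.
WORDLIST = {"people", "password", "apple", "doctor", "rex", "lego",
            "windsor", "street", "love", "letmein", "monkey"}

# US QWERTY rows; each is also checked reversed ("mnbvc").
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Letter-for-digit/symbol swaps, undone before the checks are re-run
# ("pe0p1e" -> "people").  Simplified: '1' is mapped to 'l' only.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8",
                "nine": "9", "ten": "10"}


def mnemonic(phrase: str) -> str:
    """First draft of the construction: first character of each word,
    numbers (and number-words) kept as digits, 'at' -> '@'.  Personal
    tweaks such as "dog's" -> "d's" or "Street" -> "St." are left to
    the user."""
    out = []
    for word in phrase.split():
        key = word.lower().strip(string.punctuation)
        if key.isdigit():
            out.append(key)
        elif key in NUMBER_WORDS:
            out.append(NUMBER_WORDS[key])
        elif key == "at":
            out.append("@")
        else:
            out.append(word[0])
    return "".join(out)


def class_count(pw: str) -> int:
    """How many of the four classes (upper, lower, digit, other) appear."""
    return sum([any(c.isupper() for c in pw),
                any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(not c.isalnum() for c in pw)])


def _has_sequence(s: str, run: int = 3) -> bool:
    """abc / 4321 style runs: code points stepping by exactly +1 or -1."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def _has_keyboard_walk(s: str, run: int = 3) -> bool:
    """qwerty / mnbvc style runs along a keyboard row, either direction."""
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    return any(s[i:i + run] in row
               for i in range(len(s) - run + 1) for row in rows)


def _has_account_part(s: str, account: str, run: int = 3) -> bool:
    """Any 3+ character slice of the account name present in s."""
    account = account.lower()
    return any(account[i:i + run] in s for i in range(len(account) - run + 1))


def check_password(pw: str, account_name: str = "") -> list:
    """Return the list of rule/blacklist violations; empty means OK."""
    low = pw.lower()
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if class_count(pw) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if re.search(r"\d{5,}", pw):           # crude phone/postcode proxy
        problems.append("long run of digits (phone number or postcode?)")
    pattern_checks = [
        ("part of account name", lambda s: _has_account_part(s, account_name)),
        ("dictionary word", lambda s: any(w in s for w in WORDLIST)),
        ("consecutive letters or numbers", _has_sequence),
        ("adjacent keyboard keys", _has_keyboard_walk),
        ("repeated characters", lambda s: re.search(r"(.)\1\1", s) is not None),
    ]
    # Each pattern is tested on the password as typed and with leet
    # substitutions undone, per the "letters switched for numbers" rule.
    for label, found in pattern_checks:
        if found(low) or found(low.translate(LEET)):
            problems.append(label)
    return problems


if __name__ == "__main__":
    for pw in ["1aadktDa", "Mpd'sniR", "MsPi24yo", "IwtL-Li98", "Igu@33WSt.",
               "pe0p1e", "qwerty123", "jsmith2024!"]:
        print(f"{pw:12} {check_password(pw, 'jsmith') or 'OK'}")
```

Run as a script it lists the five example passwords from this page as OK and flags pe0p1e (too short, two classes, leet-hidden dictionary word), qwerty123 (keyboard row plus digit sequence) and jsmith2024! (part of the account name).  The sequence and keyboard checks use runs of three characters and straight rows only; diagonal walks such as "qaz" are not covered.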