I’m using the following xkcd comic to help the teachers at my school with their password selection.
There is also a very useful script, created by Steve Gibson, that estimates how long a brute force attack would need to find your password with a computer. While I don't recommend entering any actual password you intend to use into a password strength checker (whoever runs the checker can log what you type, and because people reuse passwords, a dishonest operator could try what you entered all over the place; thanks to @drdouggreen for the reminder), it is an excellent way to experiment with different types of passwords.
I also recommend reading this post I wrote about how to change your password for every service you use, without having to memorize a new password for each of them.
As the comic suggests, we've spent many years training people to use short, complicated passwords that are actually not all that secure, when a longer password that is much easier to remember can be much more secure.
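To make the comparison concrete, here is an added example (my code, not Steve Gibson's calculator or anything from the comic) that computes the search space a brute-force attacker faces for a short "complicated" password versus a multi-word passphrase. It reports two views: the character-space view that a haystack-style calculator shows (the attacker knows only the length and the character classes used), and the scheme-aware view for a passphrase (the attacker knows it is N words from a W-word list, so the space is W**N, the 44 bits the comic quotes for four words from 2048). The guess rates are assumptions for illustration.

```python
"""Search-space estimates: complex short password vs. multi-word passphrase.
Added illustration; not Steve Gibson's calculator and not the comic's numbers."""
import math
import string

# Character classes and their sizes: 26 lowercase, 26 uppercase, 10 digits,
# 33 symbols (the 32 printable ASCII punctuation marks plus the space).
SYMBOLS = string.punctuation + " "
CLASS_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (SYMBOLS, 33),
)


def alphabet_size(password: str) -> int:
    """Size of the per-class alphabet that covers every character used."""
    return sum(n for cls, n in CLASS_SIZES if any(c in cls for c in password))


def character_space(password: str) -> int:
    """Candidates an attacker must try to exhaust every length up to
    len(password) over that alphabet: a + a**2 + ... + a**L."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def passphrase_space(n_words: int, wordlist_size: int) -> int:
    """Scheme-aware count for n_words drawn from a wordlist_size-word list:
    the attacker knows the scheme and the list, just not which words."""
    return wordlist_size ** n_words


def bits(space: int) -> float:
    """Entropy-equivalent size of a search space in bits."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(complex_pw: str, words: list, wordlist_size: int,
            guesses_per_second: float) -> dict:
    """Both views of both candidates at one assumed guess rate."""
    passphrase = " ".join(words)
    scheme_space = passphrase_space(len(words), wordlist_size)
    return {
        "complex_char_bits": bits(character_space(complex_pw)),
        "complex_char_time": human(
            seconds_to_exhaust(character_space(complex_pw), guesses_per_second)),
        "passphrase_char_bits": bits(character_space(passphrase)),
        "passphrase_scheme_bits": bits(scheme_space),
        "passphrase_scheme_time": human(
            seconds_to_exhaust(scheme_space, guesses_per_second)),
    }


if __name__ == "__main__":
    # Constructed inputs. Rates are assumptions: 1e10/s for an offline attack
    # against a leaked fast hash, 1e3/s for a throttled online login form.
    for rate in (1e10, 1e3):
        print(f"--- {rate:,.0f} guesses/second ---")
        result = compare("Tr0ub4dor&3",
                         ["correct", "horse", "battery", "staple"], 2048, rate)
        for k, v in result.items():
            print(f"{k:>24}: {v}")
```

The character-space number for the passphrase is an upper bound that assumes the attacker learns nothing about how it was built; the scheme-aware number is the honest one to plan around, and it is still far larger than what the short password offers once an attacker models a dictionary word with substitutions (the comic's roughly 28 bits), which this code does not attempt to model.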
Patrick says:
For online passwords, I really like https://www.pwdhash.com
The idea is that you pick a password that you’ll re-use everywhere (or nearly everywhere) online. The plugin then mixes it with the domain name of the website you want to log into and creates a new (hash) password that is different for different websites. What is sent to the website is this hash password, not the password you remember. What’s more, the hash password looks totally random, is about two characters longer than the password you remember, and contains lowercase, uppercase, and numbers even if the password you remember doesn’t.
When using a public computer that doesn’t have the plugin installed, you can use the website to generate your password and copy and paste it. The website claims not to send your password online since the computing is done on the local machine. Just to be on the safe side, I also downloaded the webpage on my local computer so I can keep generating my passwords in case they ever go offline and the plugin breaks.
In practice, I use a different (longer) password for my banking than for my other services. But with this tool, I commit very few different passwords to memory.
August 13, 2011 — 2:55 pm
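The mechanism Patrick describes, one remembered secret mixed with the site's domain to give a different password per site, as an added illustration. This is my code, not PwdHash's own algorithm or output format (PwdHash uses a different construction and encoding); it assumes HMAC-SHA512 keyed with the master secret over the domain, base64 output stripped to alphanumerics, a length of the master's length plus two to mirror the "about two characters longer" property, and a deterministic fix-up so a lowercase letter, an uppercase letter and a digit always appear. The two-label domain rule is a deliberate simplification.

```python
"""Per-site password derivation in the spirit of PwdHash.
Added illustration; not PwdHash's real algorithm."""
import base64
import hashlib
import hmac
import string
from urllib.parse import urlparse

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def site_key(url: str) -> str:
    """Reduce a URL or bare hostname to the domain the derivation is keyed on."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Assumption: keep the last two labels so www.example.com and
    # mail.example.com yield the same password. This is wrong for public
    # suffixes such as co.uk; a real tool needs the Public Suffix List.
    # Anti-phishing property: a look-alike domain gets a different password.
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _force_classes(chars: list, mac: bytes) -> None:
    """Patch chars in place so every class in CLASSES appears at least once.
    Positions come from MAC bytes so the result stays deterministic, and the
    sole surviving member of another class is never overwritten."""
    n = len(chars)
    for i, cls in enumerate(CLASSES):
        if any(c in cls for c in chars):
            continue
        start = mac[i] % n
        for j in range(n):  # at most two positions are protected, so this ends
            pos = (start + j) % n
            victim = chars[pos]
            protected = any(
                victim in other and sum(c in other for c in chars) == 1
                for other in CLASSES if other is not cls
            )
            if not protected:
                break
        chars[pos] = cls[mac[i + 3] % len(cls)]


def derive_password(master: str, url: str, extra: int = 2) -> str:
    """Derive the password to send to url from the remembered master secret."""
    if not master:
        raise ValueError("master secret must not be empty")
    domain = site_key(url)
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                   hashlib.sha512).digest()
    # base64 of the 64-byte MAC is 86 characters before padding; drop '+' and
    # '/' so the result is alphanumeric and pastes cleanly into any form.
    raw = base64.b64encode(mac).decode("ascii").rstrip("=")
    raw = raw.replace("+", "").replace("/", "")
    length = min(len(master) + extra, len(raw))
    chars = list(raw[:length])
    if length >= len(CLASSES):
        _force_classes(chars, mac)
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True if the password contains a lowercase, an uppercase and a digit."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed inputs: one master secret, three sites.
    master = "correct horse"
    for site in ("https://www.example.com/login", "mail.example.com",
                 "https://www.example.org/"):
        print(f"{site:>32} -> {derive_password(master, site)}")
```

The caveat Patrick raises about the public-computer fallback applies here too: the derivation must run on the machine you trust, and the master secret still protects every site at once, so it should itself be a long passphrase rather than a short word.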
David Wees says:
The only issue I can see is when you want to use websites from your iPhone. It seems like it would be pretty annoying to try and access a website from your mobile device and have to enter your password when you are around a computer.
As for security, this does eliminate the possibility of the dictionary attack being used against you, but I think if you use 3 or 4 or even 5 random words, the level of security you get may not be worth the added annoyance of hashing the passwords. The only real advantage I see here is that you can hash with the website url (as the service you linked to does) and then not have to remember different passwords for each site, while still having the advantage of a different password.
August 13, 2011 — 3:32 pm
Patrick says:
As you clarified, the biggest advantage of this is not so much generating *strong* passwords that are easy to remember, but having *different* passwords that are easy to remember (although they are also strong).
As for mobile devices, I agree with you that it would be very annoying to copy the domain name, go to pwdhash.com to generate the password, copy the password, then come back to the website and paste the password. That's way too many steps (especially on a mobile device!). I don't know about iPhone, but Android has an app that pretty much solves that problem: http://bit.ly/piTx6U (although there is still a bit of copy/paste).
August 13, 2011 — 4:12 pm