Given the recent events with a 'hacker' learning and retrying passwords from website administrators, what can we suggest to everyone about best practices when it comes to passwords?
- use unique passwords between sites (i.e. never re-use a password)
- words found in the dictionary are to be avoided
- consider using words or phrases from a non-English language
- use pass phrases and use the first letter of each word
- l33tifying doesn't help very much
Please suggest more!
Use passwords that are not composed of common words or names. Dictionary attacks use dictionaries with millions of words and are very quick.
Use long passwords. I tend to use passphrases. I pick a phrase, sentence or rhyme and find some way to use a fair number of non-alphanumeric characters so that my words are not dictionary words.
Do not use the same password for multiple login services. Take some time to come up with a formula for picking passphrases. This allows you to use many different passwords that, if forgotten, you may be able to recreate with some trial and error.
If you have to, by all means write a good, long, secure password down and hide it somewhere. That at least is better than using a weak password that is easier to remember.
If the above suggestions prove unmanageable, use a password manager with a long, secure password and then use random character passwords for everything else. Carry the password manager around with you on an encrypted USB flash drive (backed up, of course).
I have found several problems with passphrases:
My solution for this problem has been to use passphrases as a mnemonic to the actual password. For example, I could pick a few lines of a great poem from William Henry Davies (76 chars):
And I would pick the first letters of each word, creating the following pretty good 16-char password:
Using poetry is especially good, because it's easier to remember, and when you are asked to change the password, you can just pick the next few lines of the poem.
When dictating a password regime to others, don't only require that passwords be unique, longer than a threshold, contain mixed case, special characters, etc., but also educate the user about password managers or schemes to construct/remember those passwords... if you don't, the users will write the passwords down or find other, insecure ways to "remember" them.
If you have trouble remembering passwords, use some well-known text. Pick a sentence, use the nth letter from each word as the password, and keep the punctuation. (E.g. the password generated from the 1st letters of the first sentence of this answer could be "Iyhtrp,uswkt.") You can make it stronger by changing some letters to upper case and adding some special chars.
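The nth-letter scheme from this answer, and the first-letters-of-a-poem scheme from the answer above it, as a small added example (not code from either answerer). It assumes that words shorter than n letters are simply skipped, which neither answer specifies.

```python
import re

# Tokens are either runs of letters/digits (words, apostrophes allowed)
# or a single punctuation character, which is kept as-is.
_TOKEN = re.compile(r"[A-Za-z0-9']+|[^\sA-Za-z0-9']")


def mnemonic_password(text: str, n: int = 1) -> str:
    """Derive a password from the n-th letter of each word of `text`,
    preserving punctuation between the words.

    Assumption (not stated in the answer): words with fewer than n
    letters contribute nothing and are skipped.
    """
    if n < 1:
        raise ValueError("n must be at least 1")
    out = []
    for token in _TOKEN.findall(text):
        if token[0].isalnum() or token[0] == "'":
            if len(token) >= n:
                out.append(token[n - 1])
        else:
            out.append(token)
    return "".join(out)


# Constructed sample: the first sentence of the answer above.
SAMPLE = "If you have trouble remembering passwords, use some well know text."

if __name__ == "__main__":
    for n in (1, 2, 4):
        print(n, mnemonic_password(SAMPLE, n))
```

The source sentence is the only secret: anyone who can guess the text and n can regenerate the password, so the sentence should not be one that is associated with you.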
I believe passwords should be generated, rather than thought up by the user. This avoids all those silly problems with easy to guess passwords.
I like to use pwgen, which generates password lists like
but really any password generation program will do. One advantage of pwgen is that it tries to make the passwords (somewhat) memorable by including some vowels.
Anything different from (source dailywtf.com):
Don't use a password; that's where you're going wrong in the first place. Use either a random collection of characters (8 minimum) or a passphrase. You can come up with a formula for generating a different passphrase for each site, for example ILikeStackOverflowOnions or ILikeServerFaultOnions; this keeps you safe against outsiders, however it could still cause problems if the actual site is hacked and the passwords aren't salted, or if the admin was corrupt in the first place.
Change your password regularly. Where I work, it's a 30 day cycle. It's a PITA, but it limits the value of hacked passwords to a limited time window. On top of that, a complex AD password policy dictates that it needs to be at least 8 characters and contain upper, lower, numeric, and symbol characters.
To supplement, we use a self-service password manager service. It provides a custom Windows GINA that lets the user reset their password if they forget it, or unlock their account if they goofed it too many times. The password manager app requires the user to enroll in the service and provide a bunch of personal info only they would know, which is later used as questions when the user needs to reset their password or unlock their account.
Hak5 just did an episode demonstrating a tool from Remote Exploit that takes a number of strings and generates a dictionary of all combinations, upper, lower, leet spelling, etc. So you give it input like the target's name, kid's names, birthdates, or other information you know about the target. The dictionary it generates can be used as input to brute force a weak password.
Moral: Avoid using personal information in your password
I started using Password Safe, which was originally designed by Bruce Schneier, for storing any web passwords. I have a very strong passphrase on the password safe, and all other passwords are auto-generated and never re-used across websites.
The software also has features like expiring passwords and the like.
I consider this (given the strong safe password) to be the best trade-off and most secure approach to website passwords.