This is originally a post I did back in 2008, which I have edited to tweak some of my original recommendations. This has become especially more important as sites like Facebook, Twitter, and online emails are becoming more the focus of online attacks.
Most companies and universities have password policies in place that enforce complexity requirements. But do you have a good policy you use for your personal accounts? You should create good strong passwords for any accounts you access – your email, Facebook, Twitter, eBay, online merchants, your personal finance file on your system, etc.
When creating your password, it should:
- Be at least 10 characters long, but be easy to remember (more on this in a second).
- Contain at least one capital letter, a digit, and a special character along with the lower case letters. Some web sites may not allow special characters (shame on them!!), so be creative with more digits (preferably) or capital letters.
- Not be built from a dictionary word or any name – including character substitution!! For example, password is obviously a BAD password, but P@ssw0rd is also a bad password. Another example here would be something like Und3rd0g! or T0m&J3rry (guess I’m in cartoon mode here). Hacking utilities would have these figured out in very little time.
- Not contain sequences, patterns, or repeated characters, for example 123, 111, qwerty, etc.
So I mentioned making your password at least 10 characters. I used to like to make them 8 characters exactly. Perhaps this is because of my past experience using UNIX systems, where the first 8 characters only were significant (standard UNIX at the time would ignore anything after 8 characters), but I also thought 8 characters would be easier for most to remember, although now I think 10 would be fairly easy, with time, to commit to memory. Once you get used to your new password, it will become second nature. What you don’t want is to have to write the password down and stick it to your monitor; it should be something you can commit to memory. If you must write it down initially, keep it in your wallet or someplace safe and not viewable, but DON’T write your username or what site or service it is for. Even then, only keep it long enough until you memorize, then shred it.
So given the rules, how to actually create a good password? Think of a phrase nine or ten words long, and then use the beginning of each word to make into your password, mixing up the capitals, symbols, and digits. If you use nine words, you can use punctuation as the last character. If you can easily remember a longer phrase and the password you create from it, certainly go for it. Some examples (don’t use these for yourself, though):
Phrase: I really found the Science Attic very useful today!
Password: Irft5@VuT!
Phrase: My new golden retriever Fido is the best dog ever
Password: MngrF1tBde
Phrase: Firefox and Chrome are great internet browsers everyone can use
Password: F&C@giB3cu
So you get the idea. And you can get really creative with this, so have a little fun with it. 🙂
There are password creators/managers, although I haven’t really evaluated any of them and I personally think the best password manager is the one between your ears. The idea is the same though – keeping your accounts that much more secure.
I usually don’t like to post rants, but once again (and this is the reason for the “sigh” – the type of sigh that perhaps a parent gives a child for repeating the same thing to continually get in trouble), Facebook has forced upon their users “enhancements” that open up privacy concerns. This time though, 
The Science Attic 