Don’t worry, this won’t be a long post.
I have long been of the belief that we are going about password security all wrong, and XKCD have successfully visualized it. A few months ago I saw an excellent post somewhere (of course, now I can’t find it) about the basic methods used to crack passwords and how to derive a secure but memorable password that will defeat most of them for long enough between change cycles.
Basically it boils down to brute force, and dictionary attacks. There are also hybrids, but they are essentially combinations of the two. Social engineering, while valid, doesn’t really apply to this argument.
With a dictionary attack, a hacker or script kiddie will have a long list of words that may be commonly used for passwords that they will run through attempting to gain access. So if you use a word like “banana” or “elephant” as your password, it probably wouldn’t take long to be compromised.
With a brute force attack, a hacker or script kiddie will use a system that tries to guess your password by cycling through every possibility and hopes that he eventually lands the right one.
More common are hybrid systems which take words or phrases and use them as the core of a brute force attack, making the attack more intelligent, if you will.
The problem is that deriving a good secure password (as we’ve been taught is secure, at least) can result in a password that is difficult to remember. Personal anecdote time. A couple of companies I have worked for in the past had password systems in place that required a password at least 8 characters long, and that had upper and lowercase characters as well as at least one number. It also had to be changed every month, I believe, and it wasn’t possible to use any password that had been used in the last 12 months.
Most people will agree this is a good idea. Passwords should be regularly changed for various reasons, but having those kinds of requirements starts to become silly and LEADS to insecurity. I reached the point where I had to use an insecure password system (though I wouldn’t tell anyone what it actually was) just so that remembering it wouldn’t be an issue.
The other issue arises when someone needs 3 or 4 passwords to go about their daily business (I have 4, that I can think of that I use regularly) but there is no interconnection between the two. Even worse, there may be different requirements for technical or security reasons. “No numbers” or “cannot start with a number” are occasionally issues. This ultimately leads to people writing their passwords down, which is just not a good idea. Whether it’s in a file on your computer, a note in your notebook, or even worse a post-it taped to your desk, keyboard or even monitor, chances are good someone will find it and utilize it.
Simple rule: keep it simple, make it long, use some form of obscurity. Ideally find a password that will suit all the systems you use so you can keep it in sync, and find a way to juggle it around in a way you’ll remember every time that window pops up saying “your password will expire in 12 days, would you like to change it now? Yes, No”