The good news: More and more browsers and operating systems can generate long, random passwords. They would be tough to remember but you don't have to remember them. The browser or OS stores them.
The bad news: You're trusting the security of that browser or OS. OpenSSL was also supposed to be impeccably secure. Then just this week it wasn't.
Aside from the possibly justified paranoia is a convenience issue. Most of us use multiple devices and occasionally log into important accounts from family or friends' devices. This makes it tough to depend on "Cloud" synchronization of stored passwords.
The best, most realistic of the commonly advised password tactics is to convert a memorable phrase or sentence to a password. Use the first letter of each word as your password. “May the force be with you” would become “Mtfbwy”.
There are several drawbacks. This well-publicized idea is already popular. That presumably means that acronyms of all the common pop-culture catch phrases are entering the lists of popular passwords that hackers and cracking software try first. Normally acronyms are all letters and thus less secure than an any-character string of the same length. Different phrases can begin with the same letters, producing the same acronym. Some letters are more likely to begin words than others, and hacking software could potentially exploit this.
Now here's my suggestion, and I use it myself. Turn the conventional advice on its head. Instead of thinking of a phrase and converting it to a password (that won’t be all that random), get a truly random password and convert it to an easy-to-remember phrase.
I used to use simple, stupid passwords. After one of my accounts was hacked, the site assigned me a temporary password. It was a random string of characters. I was going to change it until I realized that I didn’t need to do so. I could remember a random password.
The mind is good at seeing patterns in random data. This is how we remember phone numbers and Social Security numbers. It also works for random-character passwords like RPM8t4ka. I just now got that one from random.org, a site that generates all the randomness anyone could want for free. Though the random.org password is authentically random, the human eye and mind instantly spot patterns. In this case the first three letters happen to be all capital, and the last three are lower-case. The number 8 is twice 4.
You can easily translate a random password to a nonsense phrase. RPM8t4ka might become “revolutions per minute, 8 track for Kathy.” I don’t know what that means but I do know that it’s fairly easy to remember. The sole point of the phrase is as a mnemonic for the password RPM8t4ka.
A password, a passphrase, a mnemonic—what’s the big deal? The difference is that a random-character password is the gold standard of security. It’s better than any human-chosen password could be. It will still be good, even if everyone in the solar system were to adopt this scheme.
Want a different password for every site? One trick is to append part of the site's name to the standard password. For Facebook, take the first two letters (Fa) and add them to the boilerplate password, getting RPM8t4kaFa. Just don't do that exactly; make up your own rule.
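The point about letters-only acronyms versus any-character random strings, and about why a truly random password stays strong even when the scheme is widely known, comes down to the size of the search space. The following Python is an added example, not from the post or from random.org: it draws a password from the operating system's cryptographic random generator (standing in for random.org) and compares the entropy of a six-letter acronym like Mtfbwy with an eight-character any-character string like RPM8t4ka. The alphabet sizes and function names are my own assumptions.

```python
import math
import secrets
import string

# Alphabets assumed for the comparison (sizes 52, 62 and 94).
LETTERS = string.ascii_letters                    # acronym-style, letters only
ALNUM = string.ascii_letters + string.digits      # "any-character" like RPM8t4ka
PRINTABLE = ALNUM + string.punctuation            # letters, digits and symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random string of `length` symbols.

    A guesser who knows the scheme still has 2**bits equally likely candidates,
    which is why a random password stays strong even if everyone uses the idea.
    """
    return length * math.log2(alphabet_size)


def random_password(length: int = 8, alphabet: str = ALNUM) -> str:
    """Draw a password from the OS CSPRNG (the role random.org plays in the post)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(acronym_len: int = 6, random_len: int = 8) -> dict:
    """Entropy of a letters-only acronym versus any-character random strings.

    The acronym figure is an upper bound: real first-letters-of-words are not
    uniform, so a phrase-derived password is weaker than this number suggests.
    """
    return {
        "acronym_letters_only": entropy_bits(len(LETTERS), acronym_len),
        "random_alnum": entropy_bits(len(ALNUM), random_len),
        "random_printable": entropy_bits(len(PRINTABLE), random_len),
    }


def secret_bits_with_site_suffix(base_bits: float) -> float:
    """Secret entropy of base + site-derived suffix (e.g. RPM8t4kaFa).

    A suffix computed from the site name is predictable once the rule is
    known, so it adds no secret bits; all the strength comes from the base.
    """
    return base_bits


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"{entropy_bits(len(ALNUM), len(pw)):.1f} bits")
    for name, bits in compare().items():
        print(f"{name:>22}: {bits:.1f} bits")
```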
(This tip is adapted from my upcoming book, Rock Breaks Scissors. It's due out from Little, Brown this June 3rd.)