What makes a good password?

How do you create a good password?  It's a common question, and there are a number of different approaches to this problem.  Understand that using strong passwords is critical, whether you are creating a password for your home computer, your online banking site, or any other type of web site or forum.

So what constitutes a strong password?  The standard definition of a strong password is “choose a password at least 8 characters in length, containing letters, numbers, and special characters.”  In case you're wondering, special characters are usually the ones above the number keys on your keyboard, plus characters such as spaces, commas, periods, and the various other symbols on your keyboard. 

This definition is perfectly fine, but gives you little guidance on how to structure a password.  It can often lead to difficult-to-remember passwords, such as I$hg7p3V*!.  It can also lead to passwords that seem secure, but in fact are very easy for password crackers to break, such as P@ssword1.

There are two approaches to password creation that I consider to be good options. The first one is to think of a phrase, such as “My dog Spot likes to eat dog food.” You can take the first letter of each word and turn that into a memorable password such as “Md$ltedf05.”  As long as you remember the phrase, you will remember the password, and anyone else looking at it will find it incomprehensible.

Another approach that I feel is even better, if a bit typing-intensive, is to forget about passwords entirely and consider passphrases.  This approach creates even stronger passwords, but you will probably end up typing 15 or 20 characters in a password.  Take the example above.  Instead of taking the first letter from each word, just use the whole phrase as your password.  So your password would be “My dog Spot likes to eat dog food.”  This password contains all the elements of a strong password except for numbers, but it also is considerably longer than your standard password.  I would challenge any password cracking program to break that password.  The only limitation to this method is that certain applications and web sites have a maximum password length, so you may have to choose shorter phrases, or go back to the previous method for these sites.
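
An added example, not part of the original post: a short Python check that applies the standard definition quoted above to the post's four sample passwords, then looks for a common word hidden under character substitutions and trailing digits, which is why P@ssword1 satisfies the rule yet is easy to guess. The word list and substitution table are small constructed samples, and the function names are hypothetical.

```python
import string

# Constructed sample list; a real checker would load a large list of known-weak passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Common character substitutions, reversed before the word lookup.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})


def meets_standard_definition(pw):
    """The post's rule: at least 8 characters with letters, numbers and special characters."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def hidden_word(pw):
    """Return the common word left after undoing substitutions and
    dropping trailing digits/symbols, or None if nothing matches."""
    core = pw.rstrip(string.digits + string.punctuation)
    normalized = core.lower().translate(LEET)
    return normalized if normalized in COMMON_WORDS else None


def assess(pw):
    """Summarize one password: its length, whether it meets the rule, and any hidden word."""
    return {"length": len(pw),
            "meets_definition": meets_standard_definition(pw),
            "hidden_word": hidden_word(pw)}


if __name__ == "__main__":
    # The four example passwords that appear in the post.
    samples = ["I$hg7p3V*!", "P@ssword1", "Md$ltedf05",
               "My dog Spot likes to eat dog food."]
    for pw in samples:
        print(repr(pw), assess(pw))
```

The passphrase is the only sample that does not meet the standard definition (it has no number), yet at 34 characters it is more than three times as long as the others.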

Does anyone else have any password best practices that they want to share?  I'm open to any other methods that can create strong passwords that anyone can use.  Weak passwords are a serious risk and should be addressed in any way that you feel comfortable.