[tedunangst]

I use 16 letter or longer all lowercase passwords. They're easy to type and easy to remember. For example, my HN password might be ishouldbemoreproductive. It's hard to crack, but doesn't require finger gymnastics to enter.

[skimbrel]

Actually, English phrases contain very little entropy -- as little as 0.6 bits per character. This is because the rules for what constitutes a valid word or phrase dramatically reduce the number of possible characters at a given position. To look at it another way: take an arbitrary string of letters. What's the probability that it forms a valid English word? Very low. Flipping this the other way, if we know that a password is constructed of English words, we can immediately throw out a vast majority of the search space simply because it contains substrings that never appear in real English text.

Here's a better way to construct a strong, yet memorable password:

Take a full sentence, including punctuation and capitalization. Use the first letter of each word as your password. For example, "I should go on Hacker News less frequently, because I'll be more productive." becomes "IsgoHNlf,bIbmp.". We now have three character classes in what appears to be a random sequence.

(Yes, this still has patterns due to being constructed from English. But we've effectively taken a longer English phrase, with higher total entropy, and compressed it into a string that doesn't exhibit the low per-character entropy of the full words.)

[tedunangst]

Obviously, there are rules for what constitutes a valid phrase, but they are rather complex for a password cracker to check.

My computer says there are 234979 words. Pick 5 and there are 716382975036689591261090899 combos. That is actually very very close to a 15 letter alphanumeric. 62 ^ 15 = 768909704948766668552634368.

I don't doubt that IsgoHNlf,bIbmp. is a secure password. But it's a bitch to type. Especially on a phone.

[ianterrell]

This is a good practice. http://www.baekdal.com/tips/password-security-usability