Schneier on Security says:
- Assume that all PINs can be easily broken and plan accordingly.
- Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
Guidelines for Selecting Good Passwords offers these tricks:
The object when choosing a password is to make it as difficult as possible for a cracker to make educated guesses about what you've chosen. This leaves him or her no alternative but a brute-force search, trying every possible combination of letters, numbers, and punctuation. A search of this sort, even conducted on a machine that could try one million passwords per second (most machines can try less than one hundred per second), would require, on the average, over 100 years to complete.
- Choose a line or two from a song or poem, and use the first letter of each word. For example, "In Xanadu did Kubla Khan a stately pleasure dome decree" becomes "IXdKKaspdd."
- Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words that are usually pronounceable, and thus easily remembered. Examples include "routboo," "quadpop," and so on.
- Choose two short words and concatenate them together with a punctuation character between them. For example: "dog;rain," "book+mug," "kid?goat."
- Use your telephone dial as a guide to translate letters into numbers. For example: "telephone" can become "tele74one."
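The guideline's arithmetic (one million guesses per second, an eight-character password, over 100 years on average) can be checked directly, and the same estimate shows how much a scheme the attacker recognizes, such as the two-words-with-punctuation trick, shrinks the search. This is an added example, not part of the guideline; the guess rate and length come from the text, while the 5,000-word list size is an assumption.

```python
import string

GUESS_RATE = 1_000_000                      # guesses per second, as stated in the guideline
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60    # 31,557,600

# 95 printable ASCII characters: letters, digits, punctuation and the space.
ALL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Size of each character class a password might draw from.
CHARSET_SIZES = {
    "digits": len(string.digits),                                  # 10
    "lowercase": len(string.ascii_lowercase),                      # 26
    "letters": len(string.ascii_letters),                          # 52
    "letters+digits": len(string.ascii_letters + string.digits),   # 62
    "all printable": len(ALL_PRINTABLE),                           # 95
}


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an attacker must consider with no hint about the scheme."""
    return charset_size ** length


def average_seconds(candidates: int, rate: float = GUESS_RATE) -> float:
    """Expected search time: on average half the space is tried before a hit."""
    return candidates / 2 / rate


def average_years(candidates: int, rate: float = GUESS_RATE) -> float:
    return average_seconds(candidates, rate) / SECONDS_PER_YEAR


def two_word_scheme_keyspace(wordlist_size: int = 5000) -> int:
    """Candidates left if the attacker knows the 'word;word' trick and guesses
    word pairs from a word list (assumed 5,000 words) joined by one of the
    32 ASCII punctuation characters, instead of all printable strings."""
    return wordlist_size * wordlist_size * len(string.punctuation)


if __name__ == "__main__":
    for name, size in CHARSET_SIZES.items():
        print(f"{name:>14}, 8 chars: {average_years(keyspace(size, 8)):12.4f} years on average")
    minutes = average_seconds(two_word_scheme_keyspace()) / 60
    print(f"two-word scheme with a known 5,000-word list: {minutes:.1f} minutes on average")
```

The last line is the point of the guideline's opening sentence: a password drawn from a scheme the attacker can guess is searched in minutes, not centuries.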
PC World offers suggestions on storing passwords securely and using them safely.
Storing passwords securely:
- Since you can't possibly remember dozens of unique, gibberish passwords, you need to record them and store them somewhere safe. The first thing to recognize is that there is no truly safe location to store passwords: The most convenient place won't be the most secure, and the most secure methods won't be terribly convenient.
- Writing passwords on a piece of paper that you file away somewhere or stick into a book will work okay as long as no one else is likely to open the book--and you don't forget which book it's in. Storing passwords in a file on your PC may be more convenient, but not if the hard disk dies. To prepare for that contingency, print out a paper copy and store it in a safe, a locked cabinet, or a safety deposit box, or in an innocuous book that nobody is likely to browse through.
- If you sell your computer or replace its hard disk, you'll need to delete the password file, and then use a file-wipe utility to permanently erase the drive so that the new owner can't restore your password file.
- Encrypt and password-protect the file you save your passwords in. You can password-protect Word 2002 and Excel 2002 files using a fairly strong 128-bit encryption key. Choose Tools, Options, Security in either program to enter the password, and click Advanced to select the encryption strength. Obviously, choose a strong password that you'll remember.
- If you don't use Word 2002 or Excel 2002, or if you aren't convinced that these programs are secure enough, download Counterpane Labs' free Password Safe utility. In addition to using Counterpane's bulletproof Blowfish encryption to encrypt the company's user name and password database, Password Safe includes a handy password generator and lets you copy user names and passwords to the Windows Clipboard with a single click. When you close Password Safe, the program clears passwords from the Clipboard.
Using passwords safely:
- One major stumbling block in password security is the innate human inability to keep a secret. Once you have created a password, reveal it to no one. Your ISP, your bank, and no one else should ever need you to tell them your password, whether by phone, via email, or in person (your company's IT support person, however, is another story). Don't share your password with coworkers, and don't write it on a note that you leave in your desk drawer. Don't let others "shoulder-surf" you by observing you as you log in to a network or secure Web page. And for maximum peace of mind, keep your personal passwords off your office PC.
- If you suspect that one of your passwords has been compromised, simply use the Web site's password-management options to change it. Practically every online site or service that relies on passwords allows you to enter your account and select a new one instantly.