I’ve heard Jesper talk about this many times and have used passphrases for a long time myself. The term “password” is in itself misleading, as it suggests that a single word will suffice. Many of our companies force us to use absurdly complex passwords which are difficult to remember, and hence there’s a tendency to write them down and use the same ones everywhere. Believe it or not, the Microsoft Windows login dialog will actually take more than eight characters in the password field!
By reading any of the links listed below you’ll learn that entering multiple words in the “password” field generally leads to better (stronger) passwords. For the mathematicians amongst you it’s worth reading the comments to both Jesper’s and Robert’s posts – I agree that long, highly complex passwords (with greater entropy) would be ideal IF users could remember them, but in the real world I find passphrases to be the best way.
I tend to think of a funny phrase and use that whilst omitting the spaces between words. A good example would be “Ihatebeingforcedtochangemypassword”, though you may have to add some numeric characters to meet the requirements of password complexity. Don’t feel the need to go mad though; anything better than what you’re using today would be progress – so just using three words would be a good start.
The Microsoft website includes a straightforward definition and suggestion for how to use stronger passwords – click here to read about it.
Larry Osterman posted an interesting entry about passphrases whereby he linked to Jesper Johansson’s article (which explains both the theory and practical application) and Robert Hensing’s entry which gives good advice too.
There are some interesting suggestions out there including the idea of using dice to pick the sequence of words – click here to read about Diceware.
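As an added illustration of the entropy argument in the comments mentioned above and of the Diceware idea (my own example, not code from this post or from the Diceware project; the word list below is a constructed stand-in for the real 7776-word Diceware list):

```python
import math
import secrets

# Constructed toy word list, NOT the real Diceware list (which has 6^5 = 7776
# entries, one per five-dice roll). It only exists so the example runs offline.
SAMPLE_WORDS = [
    "apple", "river", "candle", "orbit", "velvet", "thunder",
    "maple", "lantern", "pebble", "harbor", "quartz", "saddle",
]
DICEWARE_LIST_SIZE = 6 ** 5        # 7776 words in the real list
PRINTABLE_ASCII = 95               # pool for a "complex" random password
LOWERCASE = 26


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy (bits) of `length` independent, uniformly random picks from `pool_size` options."""
    return length * math.log2(pool_size)


def roll_dice(n_dice: int = 5) -> str:
    """Roll n_dice fair dice with a CSPRNG; the digit string is the Diceware lookup key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def diceware_passphrase(words, n_words: int = 5, separator: str = " ") -> str:
    """Pick n_words uniformly at random from `words` (secrets.choice, never random.choice)."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def compare_strength(n_words: int = 5, password_len: int = 8) -> dict:
    """Entropy of a Diceware passphrase vs an equally-hard-to-type random character password.

    Caveat: a phrase the user *composed* (like the post's example) is not uniformly
    random, so counting its letters as 26 choices each badly overstates its entropy;
    the random word selection is what makes the Diceware figure trustworthy.
    """
    composed = "Ihatebeingforcedtochangemypassword"
    return {
        "diceware_passphrase_bits": round(entropy_bits(DICEWARE_LIST_SIZE, n_words), 1),
        "random_ascii_password_bits": round(entropy_bits(PRINTABLE_ASCII, password_len), 1),
        "composed_phrase_naive_upper_bound_bits": round(entropy_bits(LOWERCASE, len(composed)), 1),
    }


if __name__ == "__main__":
    print("dice roll:", roll_dice())
    print("passphrase:", diceware_passphrase(SAMPLE_WORDS))
    print(compare_strength())
```

Five random Diceware words (about 64.6 bits) beat an eight-character fully random printable-ASCII password (about 52.6 bits), and the naive letter count for the composed phrase is only an upper bound.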