Passwords: Effective and easy-to-remember passwords
99.999% of the alleged password "techniques" that are taught are utterly flawed. They include ...

1. Giving 0 direction on how to come up with a password

2. Making you change your password so frequently you end up forgetting it and having to reset it (which is a non-repudiation nightmare for other people anyway)

3. Telling you to never re-use a password, which is virtually impossible today as there are so many

Let's address those specifically, one-by-one ...

1. Use acronyms to phrases you rarely say out loud

The most effective passwords are acronyms. They are extremely difficult to brute force. Use cap letters for the words of emphasis and small letters for normal words.

They should be based on things you say to yourself, not so much out loud. Don't be afraid to use things that are dirty, because it's more likely you'd never say them out loud.

E.g., iL2FhbaT ("i LOVE to FUCK her big ass TITS")

Aim for at least seven (7) to eight (8) alphanumeric characters in your acronyms as they are legacy minimum blocks in Windows and POSIX (UNIX/Linux) systems, respectively.

2. Frequent password changes

The stupidest thing they make you do is make frequent password changes. It is self-defeating as most people will forget passwords. I can only think of a select few cases where such is required. In most cases, the system security and other procedures outside your control are more suspect.

But for those who must change your password regularly, here's a small tip. Reorder your phrase, possibly improving a word if need be (of the same letter).

E.g.,
- hbaTiL2F ("her big ass TITS i LOVE to FUCK")
- hTiL2Faba ("her TITS i LOVE to FUCK are big ass")
- iLFbaToh ("i LOVE FUCKING big ass TITS on her")

Typically you need at least 1-3 reorders against the original to get past the required 3-5 rotation requirement. Come up with one that works for you.
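The acronym rule from section 1 and the reorder trick from section 2, as an added example that is not part of the original post: it builds the acronym (ALL-CAPS words give a capital, "to" becomes "2" as in the post's own example; the other digit homophones are my additions), checks that a set of reorderings really yields distinct passwords for a history/rotation check, and gives the exhaustive-search bound for the characters used. The sample phrase is constructed for this example.

```python
import math
from typing import List

# Digit homophones: "to" -> "2" is what the post's example uses; the
# rest are constructed additions for this example.
HOMOPHONES = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4"}

def acronym(phrase: str) -> str:
    """Post's rule: ALL-CAPS words (emphasis) give an uppercase letter,
    other words a lowercase one, digit homophones become the digit."""
    out = []
    for word in phrase.split():
        core = word.strip(".,!?;:\"'")
        if not core:
            continue
        if core.lower() in HOMOPHONES:
            out.append(HOMOPHONES[core.lower()])
        else:
            out.append(core[0] if core.isupper() else core[0].lower())
    return "".join(out)

def rotation_set(phrases: List[str]) -> List[str]:
    """Acronyms for a phrase and its reorderings (section 2). Rejects a
    reordering whose acronym repeats one already in the set, since that
    would not get past a password-history check."""
    seen: List[str] = []
    for p in phrases:
        a = acronym(p)
        if a in seen:
            raise ValueError(f"{p!r} repeats acronym {a!r}")
        seen.append(a)
    return seen

def keyspace_bits(password: str) -> float:
    """log2 of the exhaustive-search space for the character classes used.
    Upper bound only: a phrase acronym is not a uniformly random string,
    so a guesser that models phrase structure does better than this."""
    alphabet = (26 * any(c.islower() for c in password)
                + 26 * any(c.isupper() for c in password)
                + 10 * any(c.isdigit() for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

if __name__ == "__main__":
    # Constructed sample phrase plus two reorderings of it.
    phrases = ["i want to GO to the BEACH at dawn",
               "at dawn i want to GO to the BEACH",
               "the BEACH is where i want to GO at dawn"]
    for phrase, pw in zip(phrases, rotation_set(phrases)):
        print(f"{pw:11} len={len(pw)} {keyspace_bits(pw):5.1f} bits  <- {phrase}")
```

Run it to see the three acronyms and their lengths against the 7/8-character minimums the post cites.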

3. Reuse passwords, but tier them into security levels

It's impossible to not reuse passwords because you just have to know so many. In general, you should never use more than 10, and try to stick with 7 or less, out of sheer memorization (especially if you have to reorder some).

Tier them into security levels.

E.g., from lowest to highest ...
7. General Internet Info Sites
6. Internet Community Sites
5. Unencrypted Email access
4. Work Computer Login
3. Internet Reseller/Shopping Sites
2. Encrypted Email access
1. Financial Institution Login
Possibly ...
0. (unique, such as for a classified system)

The lowest (7) should be for general info sites that you will use a login for. This should also be your "throw away password" meaning you will not be harmed if someone finds it out.

The next two should be for your typical Internet Community Sites (6) and if your ISP only uses POP/IMAP/HTTP access, instead of POPS/IMAPS/HTTPS (SSL/TLS) access for your e-mail (5). Use two different ones here, one for each type. Change your Community and/or unencrypted e-mail passwords when you think either can no longer be trusted because of access.

Your work password (4) should always be unique. Leave it to others if they don't know WTF they are doing, it's not your bitch. At most, never use more than two (2) -- one for internal, one for external -- access. Requiring you to know more than two (2) should not be expected. If they don't like that, tell them to invest in SmartCards. It's what my company's software does for grunts in Iraq and many defense installations (no joke, it just works better and easier).

SIDE NOTE: PC-based biometrics are largely a joke and can be easily circumvented, unlike SmartCards, long story. SmartCards actually have logic in them that protects the "unique key" that does all the stuff, whereas your "biometric profile" is captured and can be replayed. Even Kerberos (3-part authentication ticketing), as implemented in anything Windows and to most web site modular authentication systems, are compromised by inherent design (long story), unless SmartCard-based. SmartCards cannot be compromised unless lost (and then the certificate/key should be revoked to disable it and another assigned -- although a passphrase used with a SmartCard makes it even more effective for times when it's lost prior to cert/key revocation).

The next should be your Internet Shopping password (3) that you use with trusted Internet Shopping sites. In general, you should never store your credit card with a company, period. If you do, then consider using a unique password with that reseller.

If you have an account that always uses POPS, IMAPS and/or HTTPS, then use a password (2) dedicated for that. Always ensure the access is encrypted.

Lastly and sparingly, use a password for financial institution access. Ideally each should have their own. But if you only access a few, you could use one for all.

Beyond that, if you do any specific company confidential, SEC financial, DoD classified, etc... access, they should have their own, unique passwords. If you're so entrusted, do so without question, and make them unique. Your non-repudiation is at stake if you do not. ;)