For a long time, i’ve told my clients and friends that the best way to make a password is to write a short sentence or phrase. A recent study linked from Slashdot IT reinforces this. The executive summary: if you make your password 13 or more characters long, as long as it’s not a single dictionary word, it’s likely to be pretty safe from anyone who’s got less than US$10 million to spend on the problem, assuming current market prices for cloud computing CPU time.
Without going through all of my previous advice, the simple rule for passwords is: think of something you relate to your password, or just something that you think about a lot, and then write a complete phrase or sentence about it. Of course, none of this will save you from a wrench password attack.