I saw an interesting idea recently. It was attributed to Bruce Schneier, though I can’t substantiate that.

In general, people find it easiest to remember words, so most people’s password is essentially a word. This is bad, of course, since a computer can run through every word in the English language in a very short time. So it’s common to take a word and “mangle” it in some way: password might become p@ssw0rd, which, while marginally better than “password,” is not exactly hard to guess either. The letter-for-symbol swaps people reach for are precisely the rules a password-cracking tool applies to every word on its list, so the mangled form gets tried almost as early as the plain one.
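To make that concrete, here is an added example (mine, not from the post) of the kind of rule-based candidate generation a cracker runs over a wordlist. The three-entry WORDLIST and the LEET table are constructed stand-ins for a real list of millions of entries and a real rule file; the point is that “p@ssw0rd” falls out of the very first dictionary word within a few hundred guesses.

```python
import itertools

# Constructed tiny "dictionary" standing in for a real wordlist (assumption for this
# example; a cracker would use millions of words and leaked passwords, not three).
WORDLIST = ["password", "letmein", "welcome"]

# Common leet substitutions. Illustrative subset of what cracking rule files cover,
# not copied from any particular tool.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}


def leet_variants(word):
    """Yield every variant of `word` obtained by swapping any subset of its letters per LEET."""
    options = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(word):
    """Yield leet variants of `word` combined with a few common case and suffix tweaks."""
    seen = set()
    for variant in leet_variants(word):
        for cased in (variant, variant.capitalize(), variant.upper()):
            for suffix in ("", "1", "!", "123"):
                cand = cased + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def candidates(wordlist=WORDLIST):
    """The full candidate set a rule-based attack would try against this wordlist."""
    out = set()
    for word in wordlist:
        out.update(mangle(word))
    return out


def guesses_needed(target, wordlist=WORDLIST):
    """1-based position at which `target` is tried, or None if the rules never produce it."""
    stream = (cand for word in wordlist for cand in mangle(word))
    for n, cand in enumerate(stream, start=1):
        if cand == target:
            return n
    return None


if __name__ == "__main__":
    print(len(candidates()), "candidates from", len(WORDLIST), "words")
    print("p@ssw0rd is guess number", guesses_needed("p@ssw0rd"))
```

With only three base words and a handful of rules, the whole space is a few hundred guesses, and “p@ssw0rd” sits near the front of it. A sentence-derived string such as the one discussed below is never generated, because it is not a dictionary word with rules applied.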

The idea I saw proposed, though, was to start with a sentence and do something like take the first letter of each word. And if you’re good, you can work symbols into it. It’s not the most interesting example, but take a sentence like “He went to Stop & Shop and bought 4 loaves of bread!” and then take the first letter of each word, take some slight liberties, and you get “Hw2S&S&b4lob!” It’s a thirteen-character password employing mixed-case letters, two digits, and three symbols. It’s nearly impossible to remember on its own, but you don’t have to remember it directly. You remember “He went to Stop & Shop and bought 4 loaves of bread!” and you can figure it out. (And once you start typing it with regularity, it’ll become easy.)

Of course, you want to have the end product in mind, so choosing a long sentence that lends itself to special characters is fun. (“I met the #1 basketball star today at 4 o’clock!!” could be “Imt#1bb*2day@4o’c!!” which is superb, albeit a dumb sentence.) The strength comes from the sentence being yours and unguessable, not from the symbols: a famous quote or song lyric run through the same rule is something an attacker can try directly, so the sentence should be one nobody else would write.

Of course, the “rule” is just a starting point. It’s an excellent idea to deviate as you see fit; the first-letter rule is public, and your personal deviations are part of what an attacker who suspects the rule would still have to guess.

