I know I’ve covered using passphrases in the past, but it warrants touching on again. The two most important aspects of a “password” are length and randomness: the amount of entropy (basically, uncertainty) is a function of both. For a brief discussion of entropy in cryptanalysis, click on entropy and scroll down about halfway.
We can easily address length by using passphrases. A passphrase is really the same thing as a password, but it consists of a phrase instead of a single word. Using passphrases also addresses another common problem with passwords: the difficulty of remembering the various symbols injected into them. From the entropy perspective, a passphrase gives up some uncertainty by reducing the collection of symbols used, but it gains significantly more by substantially increasing the length. Take, for example, a password such as “P@ssW0rd!”. Remembering which character is capitalized, which character is a special symbol, and where each one sits can be difficult, and the result is a password that is not only relatively weak and easy to crack, but probably written down somewhere. Let’s try a passphrase: “The color of my hair is blue.” There are actually a few special characters here: the spaces and the period. The length is over three times greater, going to 29 characters total (remember, the spaces and the period are characters) from the 9 characters of the complex-looking but weak password above. Instead of an easy-to-crack, hard-to-remember password, we now have a hard-to-crack, easy-to-remember passphrase.
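To put numbers on the length-versus-symbol-pool trade-off described above, here is an added Python example (not code from the original post) that infers the character classes a secret uses, sizes the resulting alphabet, and computes the naive entropy bound `length × log2(pool size)` for both the password and the passphrase; the pool sizes and the class split are my assumptions, not the author's.

```python
import math
import string

# Character classes; the alphabet size for a secret is the sum of the sizes
# of every class it actually touches (an assumption of this example).
POOLS = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
    "space": {" "},                         # 1
}


def pool_size(secret: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    present = set(secret)
    return sum(len(pool) for pool in POOLS.values() if present & pool)


def per_char_bits(secret: str) -> float:
    """Uncertainty contributed by one character drawn uniformly from the pool."""
    n = pool_size(secret)
    return math.log2(n) if n else 0.0


def naive_entropy_bits(secret: str) -> float:
    """Upper-bound entropy: every character independent and uniform over the pool."""
    return len(secret) * per_char_bits(secret)


def compare(password: str, passphrase: str) -> dict:
    """Side-by-side figures showing what the passphrase gives up and what it gains."""
    return {
        "password": (len(password), pool_size(password),
                     round(per_char_bits(password), 2),
                     round(naive_entropy_bits(password), 1)),
        "passphrase": (len(passphrase), pool_size(passphrase),
                       round(per_char_bits(passphrase), 2),
                       round(naive_entropy_bits(passphrase), 1)),
    }


if __name__ == "__main__":
    # The two secrets from the post: 9 chars over a 94-symbol pool versus
    # 29 chars over an 85-symbol pool (a slightly smaller alphabet, far longer).
    for name, (length, pool, bits_each, total) in compare(
            "P@ssW0rd!", "The color of my hair is blue.").items():
        print(f"{name:10s} len={length:2d} pool={pool:2d} "
              f"bits/char={bits_each:.2f} total={total:.1f} bits")
```

The per-character figure drops slightly for the passphrase while the total roughly triples; the bound is an upper limit, since a natural-language sentence is far from uniformly random and a password-guessing tool that tries phrases will need fewer guesses than the figure suggests.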