I'm finally shifting my password collection out of my previous ultra-secure unencrypted text file and into KeePass. KeePass is a mature open-source password storer which seems quite easy to use, and makes no doghouse-worthy security claims.
Plus, it's nifty.
Here, KeePass is showing me that a line of identical characters may be a long password, but it's not a good password.
You get this little dynamically-updating bits-of-entropy graph whenever you enter a password - for the KeePass "vault" itself, or for one of the sites/devices/whatever whose passwords you're keeping safe in KeePass.
This is a really neat way of illustrating the idea of password complexity. It doesn't take into account dictionary attacks, though, which in the modern world are not slowed down much by brilliant tricks l1k3 the u5e of 1337-sp34k. If your password is a dictionary word, then even if you obfuscate it with letter-to-number swaps, it's probably still crackable in minutes, not weeks.
A string of three dictionary words with a few digits on the end, though, is reasonably secure...
...so what KeePass is telling me here (click the image to see the larger-filed original) is fair enough.
To avoid the dictionary-word trap, you can either do this sort of thing - a lot of dictionary words in a "passphrase", or a few words and some numbers - or you can use one of those ludicrous more-or-less genuinely random "T\:;9+jrF:y4+@cf#6'w7z" or "Suy7JOvd" kinds of passwords.
Or you can make up nonsense words. That's what I often do.
If you're trying to crack a password and a dictionary lookup won't help, the length of time it'll take to guess is directly related to the amount of information entropy the password contains. Information entropy is, in brief, an objective measurement of the amount of information something contains.
"Suy7JOvd" is highly memorable, by the standards of true random passwords, but it has only 48 bits of entropy. It is, therefore, feasibly crackable by brute force on a single modern PC in a usefully short time.
"T\:;9+jrF:y4+@cf#6'w7z", on the other hand, has 132 bits, which pushes it well into the "cubic kilometres of sci-fi nanotech" category. For all practical intents and purposes, a password like this one can't be brute-forced. The only way you can hope to crack it (as opposed to just steal it from someone who knows it) is by exploiting some weakness in the cryptographic system being used (to hash the password, or to protect the data to which the password allows access).
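To make the "bits of entropy" idea concrete, here is a small added example (my own code, not KeePass's quality estimator and not part of the original post; its figures will not match the ones KeePass displays). It uses the plainest possible model, where each character is an independent uniform pick from whatever alphabet the password draws on, and then a repeat-aware variant that shows why a line of identical characters scores badly. The guess rate of a billion per second is an assumed illustrative figure; real cracking speed depends entirely on the hash being attacked.

```python
import math
import string

# Character classes a simple estimator recognises.  This is a generic
# "how big is the alphabet the password draws from" model, assumed here for
# illustration only; it is not KeePass's own estimator.
CHAR_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
    {" "},
)


def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    size = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    # Characters outside the known classes (e.g. non-ASCII) each count as one symbol.
    known = set().union(*CHAR_CLASSES)
    size += len({c for c in password if c not in known})
    return size


def charset_entropy_bits(password: str) -> float:
    """Bits if every position were an independent uniform pick from the alphabet.

    This is the model that rates 'aaaaaaaaaaaa' as strong, which it is not.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def repeat_aware_bits(password: str) -> float:
    """Like charset_entropy_bits, but a character already used earlier only
    costs the choice of *which* earlier character to repeat (log2 of the
    number of distinct characters seen so far).  A run of one character
    therefore scores little more than a single character would.
    """
    if not password:
        return 0.0
    per_new_char = math.log2(alphabet_size(password))
    seen: set = set()
    bits = 0.0
    for c in password:
        if c in seen:
            bits += math.log2(len(seen))  # log2(1) == 0 for a pure repeat run
        else:
            bits += per_new_char
            seen.add(c)
    return bits


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password when, on average, half the keyspace
    has to be searched at the given guess rate."""
    return 2.0 ** bits / 2.0 / guesses_per_second


if __name__ == "__main__":
    RATE = 1e9  # assumed rate purely for illustration
    for pw in ("aaaaaaaaaaaa", "Suy7JOvd", "Slobodongoo", "T\\:;9+jrF:y4+@cf#6'w7z"):
        naive, aware = charset_entropy_bits(pw), repeat_aware_bits(pw)
        days = brute_force_seconds(aware, RATE) / 86400
        print(f"{pw!r:28} naive={naive:6.1f} bits  repeat-aware={aware:6.1f} bits"
              f"  ~{days:.3g} days at {RATE:.0e} guesses/s")
```

Under this model "Suy7JOvd" comes out at about 47.6 bits (eight picks from 62 characters), which at the assumed rate is a couple of days of work, while anything past 128 bits gives a time that dwarfs the age of the universe. The twelve-character run of "a" scores over 56 bits on the naive model and under 5 once repeats are accounted for, which is the gap the KeePass graph above is illustrating.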
Which is all very well, but even "Suy7JOvd" is pretty bloody hard to remember. "T\:;9+jrF:y4+@cf#6'w7z" is ridiculous. Everybody knows that people who're given such passwords just write them down, usually on Post-It notes which they stick to their monitor. Or - if they're especially devious, and very proud of their intelligence - they stick them to the underside of a desk drawer.
Steel door two feet thick, lock utterly unpickable and unforceable... key hidden under the doormat. (Or, if you prefer, trap-door in the floor.)
So - nonsense words.
"Slobodongoo" is a 48 bit password, appears in no dictionary, and is quite easy to remember.
"Grobbynolofroidicality" is 85 bits, which is quite enough for pretty much any purpose. And it's also reasonably memorable, though I recommend you not wander around the office muttering something like that. It's bad security practice to speak your password aloud, and it may also cause your coworkers to take action.
If you're determined to go to 128-bit password strength, which is ample for every single purpose on the planet Earth (unless it's important to you that God not be able to crack your password), then "Seglifromobulgradistalibilitegumentsic" manages it. Inserting capital letters and/or spaces can get the length down - "GorgoBrindyFerguBolishSkuziPlen" and "Mali Colu Snobo Limby Tij WoB" are each 128 bits, too. Punctuation can help a lot - "Eeble frong? Zoiby. Nyoj!" is 128 bits as well.
None of those are, I grant you, particularly easy to remember. But they're easier than "j3JBRGjxYCllgW2s2xccLZB9ww".
And you don't need 128 bits, anyway. 70 or so will do just fine.
"Nerbolica grib" and "Ib? Galoomb!" are both 71.
(If you don't have the kind of brain that comes up with nonsense words easily, or if you're paranoid about some subconscious bias that'll make the nonsense words you make up guessable, there are online nonsense-word - and nonsense-passage - generators that'll do it for you. There's also JabberWordy and NameStation, which make up nonsense-word domain names and see if they're registered - but you can of course use the words for something else. True Security-Mindset paranoids can make a sentence, each word of which is from a different generator!)
It's not very hard to remember a few of these kinds of passwords. Look at all the people who can remember "Supercallifragilisticexpialidocious", after all. That's a 112-bit word right there - though it's probably in lots of password cracking dictionary files, along with several spelling variations, and is therefore not actually very useful. But you get the idea.
Passphrases can be just as good. The only real problem with them is that they're always significantly longer than an equally secure nonsense-word password, since dictionary attacks mean that a "70-bit" passphrase is not actually as secure as a 70-bit nonsense word, unless your nonsense word turns out to actually be a dictionary word in some language you don't know.
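The point made here about passphrases, and the earlier one about leet-speak substitutions not slowing a dictionary attack down, both come down to the same thing: a cracker does not guess a dictionary word letter by letter, it guesses it as one item from a wordlist, and mangling rules (4 for a, 0 for o and so on) cost it at most a bit or so per swapped position. The added example below (my own code, not from the original post and not KeePass's algorithm) prices a password that way and sets the result beside the per-character estimate. The twelve sample words and the assumed wordlist size of 2^17 entries are constructed stand-ins for a real cracking list, and the leet map only covers the most common swaps, so "w1nter" is not recognised.

```python
import math
import re
import string

# Constructed sample of common words, standing in for a full cracking wordlist.
# Membership is tested against this sample, but each recognised word is charged
# as one pick from WORDLIST_SIZE entries (an assumed size, about 131k words).
SAMPLE_WORDS = {
    "correct", "horse", "battery", "staple", "password", "dragon",
    "monkey", "letmein", "sunshine", "princess", "football", "shadow",
}
WORDLIST_SIZE = 2 ** 17  # assumption: 17 bits per dictionary word

# Letter-to-number swaps that an attacker's mangling rules undo for free.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l",
                          "0": "o", "5": "s", "$": "s", "7": "t"})


def charset_bits(token: str) -> float:
    """Per-character estimate: each position a uniform pick from the classes used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " ")
    size = sum(len(cls) for cls in classes if any(c in cls for c in token))
    return len(token) * math.log2(size) if size else 0.0


def token_bits(token: str) -> float:
    """Price one word-like token: a dictionary word (plus mangling bits) or,
    failing that, random characters."""
    lowered = token.lower()
    if lowered in SAMPLE_WORDS:
        return math.log2(WORDLIST_SIZE)
    undone = lowered.translate(LEET_MAP)
    if undone in SAMPLE_WORDS:
        # Each position the rules could have swapped is roughly one extra bit
        # (swapped or not).  Capitalisation is ignored here for simplicity.
        swapped = sum(1 for a, b in zip(lowered, undone) if a != b)
        return math.log2(WORDLIST_SIZE) + swapped
    return charset_bits(token)


def dictionary_aware_bits(password: str) -> float:
    """Split on whitespace, peel trailing digits/punctuation off each token,
    price the word part as a token and the suffix per character, and sum."""
    total = 0.0
    for token in password.split():
        core, suffix = re.fullmatch(r"(.*?)([\d\W]*)", token).groups()
        if core:
            total += token_bits(core)
        if suffix:
            total += charset_bits(suffix)
    return total


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "p455w0rd", "password123!",
               "Slobodongoo", "Ib? Galoomb!"):
        print(f"{pw!r:32} per-character={charset_bits(pw):6.1f} bits"
              f"  dictionary-aware={dictionary_aware_bits(pw):6.1f} bits")
```

With these assumptions the four-word passphrase is worth 68 bits to a wordlist attacker (four picks from 2^17) even though the per-character model credits it with well over 130, and "p455w0rd" drops from about 41 bits to 21: one dictionary word plus four swap-or-not positions. A nonsense word like "Slobodongoo" matches nothing in the list, so both estimates agree on it, which is exactly the advantage being claimed for nonsense words over passphrases of equal nominal strength.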
Long passwords also, of course, take longer to type, especially since password boxes that sensibly display asterisks while you're typing make it impossible to tell if you've made a typo until you hit return, get an error, and use some of your profanity allowance.
So go ahead and use passphrases, if you like.
Personally, I'm going to stick with the Flobadob-speak.