You don't need special characters if you can use a passphrase. I use a passphrase for all my encryption passwords (usually 5-6 words long), which results in a password which is 20-30 characters long. This is implicitly better than a 10 character phrase of mixed letters/numbers/symbols.
The problem of course is that so many password entry forms (I'm looking at you, most-of-the-internet) have limits on the lengths of passwords. This needs to change. Hell, some even limit your ability to use special characters (no spaces? wtf.)
The most egregious offense I've seen is an international banking site I use for my stock -- it limits your password to 8 characters, numeric only. I nearly shit myself. Of course, I immediately went in for their high security passcard that has a random 2D array of numbers in it, which is in addition to the password. Trying to perform any actions with the account requires you to enter sequences from the array.
I can't remember if it was here or on reddit, but someone posted an interesting article that said that the big flaw with these mixed character passwords is that people have a hard time remembering them. When you start demanding that they use a different oddball password for every site, most people just write them down or ignore the advice.
The article showed an alternative to all the crazy rules: Create pass phrases instead. "I break 4 hacker news!" is much easier to remember than "f6jjaASDJc%$1~", and it fits all the insane rules we have invented for good passwords (mixed case, numbers, symbols, length).
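To put numbers on the comparisons made above (5-6 random words vs. 10 mixed characters vs. the 8-digit bank password), here is an added example, not from anyone in the thread. It assumes a 7776-word diceware-style list and a 95-character printable set, and it only applies to passwords chosen uniformly at random; a human-chosen phrase like "I break 4 hacker news!" has less entropy than its length suggests.

```python
import math

# Constructed assumptions: alphabet sizes and a diceware-sized wordlist.
CHARSET = {
    "digits": 10,
    "lower": 26,
    "printable": 26 + 26 + 10 + 33,   # upper, lower, digits, ASCII symbols
}
WORDLIST_WORDS = 7776


def random_string_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, list_size=WORDLIST_WORDS):
    """Entropy in bits of `words` words drawn uniformly from the list."""
    return words * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to enumerate the whole keyspace at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def compare(guesses_per_second=1e10):
    """Map each case from the thread to (bits rounded to 0.1, years to exhaust)."""
    cases = {
        "8 digits (bank site)": random_string_bits(8, CHARSET["digits"]),
        "10 mixed chars": random_string_bits(10, CHARSET["printable"]),
        "5 random words": passphrase_bits(5),
        "6 random words": passphrase_bits(6),
    }
    return {
        label: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
        for label, bits in cases.items()
    }


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:22s} {bits:6.1f} bits  {years:12.3g} years")
```

Five random words land slightly below ten fully random printable characters; six words clear it comfortably, and the 8-digit space is exhausted in well under a second offline.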
Nothing wrong with writing them down, but put them on paper and keep them in your wallet or a safe. We put our SSN cards, driver licenses and passports and credit cards in our wallets. Why not our passwords?
Isn't "Never carry your social security card in your wallet" standard advice? I was taught that since I was a child, before identity theft was even really a mainstream thing.
As to credit cards, if your wallet is lost or stolen, you can quickly cancel the cards. It is probably more difficult to quickly change all your passwords.
Keeping them in a safe, however, is probably a fine idea. Potentially a good one if you want people to have access to certain accounts if something happens to you.
This is probably how my World of Warcraft account got 'hacked' ('cracked' would be a better term).
I was using almost the same user/password combination for both WoW itself and WoW-related forums and guild websites. Stupid, stupid, stupid me. One Sunday I logged in only to find all my level-80 WoW characters naked and skint.
Luckily Blizzard was able to restore my stuff, and since then I use an Authenticator.
Mine got 'hacked' a couple of months back. Too bad I had stopped playing 2 years earlier and their attempt to charge character transfers was on an expired card. But now I get no end of junk emails about how I need to secure my non-existent WoW account.
Keeping separate passwords for everything is simply not practical - nobody can remember that much. So they write them down. And because they need to look up passwords constantly, they keep the list easily accessible, i.e. easily compromised.
IMO a viable alternative is to have a few separate passwords based on how sensitive they are. Personally, I use three:
- One for regular websites where I wouldn't mind losing the account (game forums, throwaway registrations, etc.)
- One for stuff that would be seriously annoying to lose or where money is spent (my personal site, various shops, etc.)
- One for everything where money is kept or which could be used to compromise other sites (banking, PayPal, eBay, Google Mail)
After a couple tries, you'll have something that breaks into pronounceable syllables, insert some punctuation (there's a lot of punctuation on your keyboard besides those under the number keys) to break the syllables and you're good to go. There are many tools that generate pronounceable nonsense passwords, but I prefer this way. Another approach is to generate 5 to 8 word phrases ad-lib style (these take longer to type in, but some people find them easier to remember).
If you are really serious about passwords, then generate random passwords offline on non-networked computers. There's an app called launch codes I use to do that. It uses random data from MS CryptoAPI to seed a Mersenne Twister RNG. Letting people create their own password is like letting a child run with a knife in his hand.
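An added example of the pronounceable-syllables-plus-punctuation scheme from the two comments above (my code, not the launch codes app). It draws every symbol directly from the OS CSPRNG via Python's `secrets` module rather than seeding a Mersenne Twister, and the consonant, vowel and separator sets are my own choices.

```python
import math
import secrets

# Constructed alphabets: q and y dropped from the consonants so every
# consonant-vowel-consonant syllable stays easy to say.
CONSONANTS = "bcdfghjklmnprstvwxz"
VOWELS = "aeiou"
SEPARATORS = ".,;:-_/!?#*"   # punctuation beyond the number-row symbols


def syllable():
    """One CVC syllable; each letter is an independent uniform draw."""
    return (secrets.choice(CONSONANTS)
            + secrets.choice(VOWELS)
            + secrets.choice(CONSONANTS))


def pronounceable_password(n_syllables=4):
    """Join n syllables with random separators, e.g. 'pad.rov;kas-tun'."""
    out = syllable()
    for _ in range(n_syllables - 1):
        out += secrets.choice(SEPARATORS) + syllable()
    return out


def password_bits(n_syllables=4):
    """Entropy of the scheme: log2 of the number of equally likely outputs."""
    per_syllable = 2 * math.log2(len(CONSONANTS)) + math.log2(len(VOWELS))
    per_separator = math.log2(len(SEPARATORS))
    return n_syllables * per_syllable + (n_syllables - 1) * per_separator


def is_well_formed(pw, n_syllables=4):
    """Check that pw follows the CVC sep CVC ... layout (used for testing)."""
    if len(pw) != 4 * n_syllables - 1:
        return False
    for i, ch in enumerate(pw):
        expected = (CONSONANTS, VOWELS, CONSONANTS, SEPARATORS)[i % 4]
        if ch not in expected:
            return False
    return True


if __name__ == "__main__":
    print(pronounceable_password(), f"({password_bits():.1f} bits)")
```

Four syllables give about 54 bits, so add syllables rather than relying on the separators if you want to approach the strength of the word-based phrases discussed earlier.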
I do wonder, every time I see someone recommend 133+ing the vowels ("m0d3ltf0rd"), how many dictionary-attack programs and scripts try those as a matter of course. People who do that don't seem to do it "randomly" - just as in the example used, they tend to change every vowel to a number in a single word (or less often, phrase).
What no social engineering? No Mitnick approach? Please, many times the easiest way to get someone's password is to simply call them and ask for it.
Also, there should be a section about targeting geeks. If the person you're trying to hack is of the geek variety, 1337speak is where I'd start once the obvious ones were done.