Lots of good stuff here. Pass-phrases really work well. They are virtually uncrackable.
Capitalization and letter/number substitution are cool as well when you mix in case sensitivity.
Personally, I use 16 character passwords. This gets you by the readily available NTLM password hash tables since 14 is the limit there. 16 character passwords generally are not crackable either!
Now onto my secrets ...
They all have at least ...
- 2 upper case characters
- 2 lower case characters
- 2 numbers
- 2 special characters
- sometimes even leading and embedded spaces!
I look at the keyboard and characters as a 4x16 dot matrix pattern augmented with shift and space as appropriate. I cannot tell you what my passwords are. I never write them down either!
Imagine that, not knowing your own password nor having to remember it!
Oh, for those who want to test how strong 16 characters really is ... download the demo of L0phtCrack and ALL of the hash tables for a Windows password crack. On the last security project I did, all 3 of my 16 character passwords could not be cracked even after a quad core 3.0 GHz Xeon ran nothing but L0phtCrack for 2 weeks (this was in an AD environment with 2000+ users; 80% of the passwords were cracked in less than a day, the remainder in less than a week, except my 3).
As for SQL Server, try NGS SQLCrack. Again, we killed it after 2 weeks of not getting mine. But we did crack every other SQL password on 24 SQL Servers in less than a week, all 3000+ of them.
Regards,
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."
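The composition rules the post lists (at least 16 characters; at least 2 upper case, 2 lower case, 2 digits and 2 special characters; spaces allowed, even leading ones) are easy to turn into a policy check that an administrator can run over candidate passwords or wire into an account-provisioning script. The code below is an added example and is not from the post or its author; the function names `count_classes` and `check_policy`, the choice of Python's `string.punctuation` as the definition of "special character", and the sample passwords are all my assumptions.

```python
import string

# Policy thresholds as stated in the post (assumed to be exact, not minimums of a range).
MIN_LENGTH = 16
MIN_PER_CLASS = 2

# "Special" is taken to mean ASCII punctuation; spaces are tracked separately
# because the post explicitly allows leading and embedded spaces.
SPECIALS = set(string.punctuation)


def count_classes(password):
    """Count how many characters of each class a password contains."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0, "space": 0, "other": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        elif ch in SPECIALS:
            counts["special"] += 1
        elif ch == " ":
            counts["space"] += 1
        else:
            counts["other"] += 1
    return counts


def check_policy(password):
    """Return a list of rule names the password violates; an empty list means it passes.

    Length is measured on the raw string, so leading/embedded spaces count toward
    the 16 characters, matching the post's remark that spaces are part of the password.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    counts = count_classes(password)
    for cls in ("upper", "lower", "digit", "special"):
        if counts[cls] < MIN_PER_CLASS:
            failures.append(cls)
    return failures


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    samples = [
        "Tr0ub4dor&3",                   # classic short example: fails length, upper, special
        "correct horse battery staple",  # long passphrase, but no upper/digit/special
        "Qz7#Lm2!aB9$cDx4",              # 16 chars, satisfies every rule
        " Qz7#Lm2!aB9$cDx4",             # same with a leading space, still passes
    ]
    for pw in samples:
        print(repr(pw), "->", "OK" if not check_policy(pw) else check_policy(pw))
```

Run as a script it prints a verdict per sample; imported as a module, `check_policy` returns the list of violated rule names so a provisioning tool can tell the user exactly which rule was missed. Note that `check_policy` only enforces composition; it says nothing about whether a password appears in a breached-password list, which is a separate check worth running alongside it.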