For all i care passwords length is irrelevant to some degree. I would prefer it if the website defends against brute force password guessing attacks rather then forcing me to use a complex password – the “try 3 times the wrong password and your IP address will get banned for a week” kind of approach. This is kind of very easy to implement and more secure then leaving it to users to come up with secure&complex passwords.

For online banking websites where high security is a must i would like them to go one step further and use a security token key in addition to a password – passwords can be captured by keylogger software and are not safe for something like this, so a physical key-token generator (like RSA SecurID or eToken, etc) that generates a new key every 30 seconds is a must!

I’ll let your math buddy go with his 6-character passwords. I’ll stick with the method “whut brung me”. *heh* Takes some time to type my passwords in, unless I use LastPass (and I do, with another of my “overkill” passwords to enable it), but they’re easily remembered.

Here’s one variation: choose the second or third verse of a song or poem that you’ve memorized. Take the first letter of each word in the verse. Change a few of the letters to symbols according to a method that makes sense to you. Practice typing the password while reciting the verse mentally. Got it? Now, stick a fork in it.

64-character passwords designed this way are pretty darned secure and easy-peasy to remember. Overkill? Well, sure. Way overkill. For now.

There’s a DIY-hardware solution to remembering your “random” 6-char passwords, something I saw on LifeHacker not long ago: create a cryptkey-card and keep it in your wallet.

The idea is that the card, which can be printed on a 3×5 notecard or whatever will fit in your wallet, should have indexed rows & columns. For every website that you need a password for, come up with a character pair (for instance, lockergnome could be LG). Find the intersection of row L, column G, and starting with that character, use six characters from the card.

If this still doesn’t feel sufficiently secure, have some sort of mental mod that you apply to the characters as you use them (for instance, apply rot1 to the first letter or number, rot2 to the second, etc.)

The only complication with this approach is that some websites insist on periodic password changes.

Neither of my banks (both leading banks in the UK) support anything except numbers and letters in their passwords. On the one hand, I think this is terrible because I want a more secure password, but on the other hand, I assume there must be some restriction because of the encryption they use which must be better or they wouldn’t use it.

Thanks everyone for your comments and feedback. It is appreciated.

I was going to suggest substitutions as well.