how long should a password be?

[Alan Olsen]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


> Everyone says it should be as long as possible, but there comes a point
> where it's just impossible to remember anything longer than 20
> characters.  What do you think?

Passwords should be as many characters as you can remember plus one.

Actually for long passphrases I use bizarre memorable sentences. You can add in extra punctuation if you are able to remember that.  My usual passphrases are 50-60 characters, but since they are phrased in a way I can remember them, I don't forget them.

Examples would be:

"Never buy Fix-O-Dent from a veterinarian."
"Never buy corn oil from a podiatrist."
"Never buy baby oil from a pediatrician."
"Never buy tartar sauce from a dentist."

Or you can construct something longer, if you want.  (Those are kind of short, but what comes to mind at the moment.)
-----BEGIN PGP SIGNATURE-----
Version: 9.5.3 (Build 5003)

wsBVAwUBSCDPpGqdmbpu7ejzAQqssgf+KvS/7O7VScJuNNvY7C6he1K26/hRrDEu
p1BnP+2wFQ7EHL6f/Bh137EuXCXK6Iok6psNHO5x1E5Y3P5YGpfgLQZ1vTd24cNS
fdohdyHXohdZn1eaoCgs8zKXFoUeoaLPvBlD59DWCSTrlWXMnVrCRKRuGz5Injgo
17jDDWTFOK+2O8JNOktoPKqfniYfCs5I1oagHVpOOv1YUHqTO/dWkXEwcbFfHj/B
RefDBMEOE+BUqpf1HmVUxw7hFskLv0SkylP+A5GVCgAAqh0biFj5LDqE5zzVzZSn
F6kLnRZlYeqcrsoxvlBCouDWP0e6R84+2CEkYamgaAWIxlI6JB5qJg==
=EEyT
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGPexch.rtf.pgp
Type: application/octet-stream
Size: 1522 bytes
Desc: PGPexch.rtf.pgp
URL: </pipermail/attachments/20080506/8fb4d903/attachment.obj>