Remembering "Good" Passwords
To help users avoid easy-to-guess passwords that can be remembered without writing them down, a mnemonic trick can be helpful.
Obviously, users should be discouraged from using their own names or those of family members as passwords. Words such as "password" must also be avoided. In fact, users should not use any existing word in any language as a password. Even the concatenation of two words, such as the "robotcat" example in Stohl's The Cuckoo's Egg, is not considered particularly safe these days.
A really good password consists of upper- and lowercase letters, numerals, "special" characters, and even control characters (caveat: some operating systems do not allow the use of control characters in passwords). It should also avoid any patterns discernable to anyone other than the rightful owner.
Ask the user for a memorable song or poem. Suppose the song is "The Star-SpangledBanner." Select the first letters in each of the first eight words and get "oscysbts." At this point, the user should develop a personal style of substitution. The letter "t" could be replaced with the plus sign "+", for instance, or the letter "y" with capital "V". The password becomes oscVsb+s. This password is not only hard to crack, it is hard to guess and makes no sense to anyone other than the user.
Users will probably still need to write new passwords on paper, but after two or three tries they may at least leave the paper in their wallets.