I’ve seen a lot of bad password advice lately. Guessing passwords is just too easy for a computer to do, especially as they get more and more powerful.
Formulas are bad, but unavoidable, so here’s what I recommend if you’re not going to use a password manager creating completely random passwords: Unverifiable (or difficult to verify) facts. Things like what house you lived in in 2001 and what you paid for it. Better yet, your favorite baseball card and what you paid for it. Or maybe the address and phone number of your favorite long-gone pizza or BBQ joint. Think along those lines.
T206Wagner$0.50 was a reasonably good password before I published it here (you paid 50 cents for one at a garage sale! Right?) only because it contains an unverifiable fact. I guarantee T206Wagner$1M (the value of the most valuable baseball card in existence) is in all the password lists these days.
This isn’t especially great advice, but it’s something that there’s half a chance people will be willing to follow, and it pretty much forces passwords to have a nice mix of character types and to be at least 12-16 characters long. I don’t think it forces enough non-alphanumeric characters, or a wide enough variety of them, but left to choice most people won’t put any of them in. It would become lousy advice if very many people chose to follow it, but I know few will, and most people will continue to use the weakest passwords a site allows, so it’s adequate for a while.
The most important thing is to make it personal. What I paid for favorite baseball cards is easy for me to remember. If you never collected baseball cards, think of something along those lines that’s easy for you to remember, with a spin that’s hard for someone else, computer or otherwise, to guess.