Creating memorable and secure passwords

22 points by bmahmood about 13 years ago

6 comments

digitalsushi about 13 years ago
I am a security layman; whenever I create a password for an account I tend to just use very long sentences. To log into my laptop, I have to type something completely unlike "oh man here i am again logging into this stupid thing".

I've always wondered if this is any less secure than some nice mixed meta characters. "SS7s$@a8" as it were.

I can remember my sentence very easily and type it far more quickly than I can henpeck the pure random mix.

Also, I am very curious - if the encrypted password ends up being a uniform length N, is there any value having a passphrase longer than length N, if by that point the correspondence between the encrypted passphrases might be many-to-one with their unencrypted counterparts?

I feel there is so much more coffee-talk understanding to cryptography I have before I could even begin the barest math essentials of understanding it. Perhaps my naivety is founded by low math self confidence. *shrug*

wbrinkley about 13 years ago
Perhaps the future lies more with the "something you have" form of authentication than the "something you know", like passwords, that this article complains about.

For example, Google's two-factor authentication seems very secure, even with a weak password. To log in, I need to enter the ever-changing six-digit number off my iPhone as well as my regular password. Similar to this are other schemes which use any SMS-capable phone: enter your username and password on the web site, then enter the word the system just texted to me. Some banks use this to secure the addition of a new electronic bill payee, for example.

If you think about it, password safes, client-side SSL certificates, SSH private keys, etc., are really all just "things you have."

Computers aren't getting any slower; the gap between what you can remember and what they can guess is only getting smaller.

subleq about 13 years ago
I wrote a tool for this, mouseware: http://www.fusionbox.com/mouseware/

It generates a memorable password using entropy from your mouse movements to seed a CSPRNG. It is completely in-browser, no data is ever sent to the server.

Source available here: https://github.com/fusionbox/mouseware/

DanBC about 13 years ago
Passwords do not need to be memorable. You need one very secure master pass phrase[1] and a good password safe.

[1] Use diceware to generate it. Avoid swapping words out for something easier to remember (see the article for examples) and, if you need to, write it on a piece of paper while you learn it, but treat that piece of paper like a high value item.

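The Diceware method mentioned above, and the comparison digitalsushi asks about between a sentence-style passphrase and a short random string, as an added example that is not part of the thread or of the Diceware project. The 36-word list is constructed for the demo (the real Diceware list has 7776 words, five dice per word) and all function names are hypothetical.

```python
import math
import secrets

# Constructed 36-word list (6^2) so two dice select one word; the real
# Diceware list has 6^5 = 7776 words and uses five dice per word.
WORDS = ("acorn badge cable dance eagle fable gecko habit igloo jelly kayak "
         "lemon mango nacho oasis panda quilt radio salad table umbra vivid "
         "wagon xenon yacht zebra amber bison cedar delta ember flint grape "
         "heron ivory jumbo").split()

def dice_per_word(list_size):
    """Number of six-sided dice needed to index the list exactly."""
    n = round(math.log(list_size, 6))
    if n < 1 or 6 ** n != list_size:
        raise ValueError("word list size must be a power of 6")
    return n

def rolls_to_index(rolls):
    """Read dice faces (1-6) as base-6 digits, as the Diceware table does."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("die face out of range")
        index = index * 6 + (face - 1)
    return index

def passphrase(n_words, words=WORDS, roll=lambda: secrets.randbelow(6) + 1):
    """Pick n_words uniformly at random; `roll` can be replaced by real dice."""
    k = dice_per_word(len(words))
    return " ".join(words[rolls_to_index([roll() for _ in range(k)])]
                    for _ in range(n_words))

def entropy_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` options.
    Only valid if no pick is swapped out by hand for a "nicer" one."""
    return length * math.log2(choices)

if __name__ == "__main__":
    print(passphrase(6))  # demo list only: 6 words from 36 is far too weak
    print(f"6 words from 7776     : {entropy_bits(7776, 6):.1f} bits")
    print(f"8 chars from 94 ASCII : {entropy_bits(94, 8):.1f} bits")
```

The entropy figure depends only on list size and word count, not on how the result looks, which is why hand-editing the generated words undermines it.
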
jamesgriff about 13 years ago
http://xkcd.com/936/

VaibhavZ about 13 years ago
Thanks.