http://www.wired.com/opinion/2012/10/passwords-and-hackers-security-and-practicality/
Fighting Hackers: Everything You’ve Been Told About Passwords Is Wrong
We – the users – are supposed to be responsible, and are told what to do to stay secure. For example: “Don’t use the same password on different sites.” “Use strong passwords.” “Give good answers to security questions.” But here’s the troublesome equation:
more services used = more passwords needed = more user pain
… which means it only gets harder and harder to follow such advice. Why? Because security and practicality are in conflict.
But they don’t have to be.
And it starts with recognizing that a lot of security advice hurts more than it helps.
Because hackers know all our tricks. Online criminals know much more about passwords than the good guys do.
They fool us into thinking that bad passwords are good – and that some good passwords are bad.
So how do we select strong and memorable passwords? Here’s how: Think of a story, something weird and memorable that happened to you. Like that time you went jogging and stepped on a rat (ugh). Your password? “JogStepRat”: Your personal story boiled down to three words. If this really happened to you, you won’t forget. And no one else can guess it – unless you’ve told everyone that story, but then you’d just pick another, more embarrassing source story you’d never share!
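To make the "three words from a story" idea concrete, here is an added estimator (not from the article) that scores a passphrase the way a defender would: it splits a password such as JogStepRat into its component words, then compares the cheapest attack an adversary could mount, a brute-force search over the character set versus a dictionary attack that tries word combinations. The common-word list, the 50,000-word attacker vocabulary and the 10 billion guesses per second cracking rate are assumptions chosen for the example, not figures from the article.

```python
import math
import re

# Constructed illustration list of very common password words, most common
# first. A real estimator would use a ranked list of tens of thousands of words.
COMMON_WORDS = ["the", "password", "love", "secret", "dragon",
                "monkey", "qwerty", "letmein", "welcome", "summer"]
RANK = {w: i + 1 for i, w in enumerate(COMMON_WORDS)}

# Assumed size of the word list an attacker combines when a word is not in the
# common list, and an assumed offline cracking rate (both example assumptions).
ASSUMED_VOCABULARY = 50_000
GUESSES_PER_SECOND = 1e10


def split_words(passphrase: str) -> list[str]:
    """Split 'JogStepRat', 'jog step rat' or 'JOG-step-7' into component words."""
    return re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", passphrase)


def character_space(passphrase: str) -> int:
    """Alphabet size an attacker must cover if treating the password as random characters."""
    size = 0
    if re.search(r"[a-z]", passphrase):
        size += 26
    if re.search(r"[A-Z]", passphrase):
        size += 26
    if re.search(r"\d", passphrase):
        size += 10
    if re.search(r"[^A-Za-z0-9]", passphrase):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_guesses(passphrase: str) -> int:
    return character_space(passphrase) ** len(passphrase)


def word_attack_guesses(passphrase: str) -> float:
    """Guesses for an attacker who tries word combinations in frequency order.

    A word in the common list costs only its rank; an unlisted word costs the
    whole assumed vocabulary. Returns infinity if no words are recognised,
    because a word-combination attack then does not apply.
    """
    words = split_words(passphrase)
    if not words:
        return float("inf")
    guesses = 1
    for w in words:
        guesses *= RANK.get(w.lower(), ASSUMED_VOCABULARY)
    return guesses


def estimate(passphrase: str) -> dict:
    """Score a passphrase by the cheapest of the two attack strategies."""
    bf = brute_force_guesses(passphrase)
    wa = word_attack_guesses(passphrase)
    worst = min(bf, wa)
    return {
        "words": split_words(passphrase),
        "brute_force": bf,
        "word_attack": wa,
        "bits": math.log2(worst),
        "seconds": worst / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    for candidate in ["JogStepRat", "PasswordLove", "jog step rat and a 2nd story"]:
        r = estimate(candidate)
        print(f"{candidate!r}: words={r['words']} bits={r['bits']:.1f} "
              f"crack_time={r['seconds']:.0f}s at {GUESSES_PER_SECOND:.0e}/s")
```

Two things the numbers show that the paragraph alone does not: the word-combination attack, not brute force, is the binding constraint on a three-word password, so its strength comes from how many words the attacker must try per slot; and a password built from words at the top of a cracking list (PasswordLove) scores only a handful of guesses however long it is, which is exactly the "bad password that looks good" the article warns about.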
The best security questions, generally speaking, are those where:
there are many possible answers;
others can’t find the answers using a quick Google search; and
we can actually remember the answer, but others would have a hard time guessing it.