After reading a lot of related literature and looking at a ton of habratopics (links to interesting ones are given at the end of the article), I decided to summarize the information about the main methods of generating a strong and memorable password.

Let me start by saying that I myself use the excellent KeePass program to generate and store my passwords. Its functionality is quite sufficient for all my modest webmaster needs. Its main disadvantage is that it, too, requires you to remember one master password. So all this fuss about coming up with a password also concerns me and all the happy owners of KeePass or its analogues, because you still have to come up with that one password.

Let's talk about hacking methods

To understand the full depth of the problem, I will devote a couple of lines to cracking techniques. So, how can an attacker find out or guess your password?
  1. Logical guessing. Works on systems with a large number of users. The attacker tries to reproduce your logic when creating a password (login + 2 characters, login reversed, the most common passwords, etc.) and applies this logic to all users. If there are many users, a collision will occur very soon and someone's password will be guessed;
  2. Dictionary search. This type of attack is used when the database of hashed passwords has leaked from the server. It can be combined with letter replacements (typos) or with numbers or words added at the beginning or end of a word as a prefix or suffix. Dictionaries typed in the wrong keyboard layout are also used (Russian words in the English layout);
  3. Lookup in a table of precomputed password hashes. An advanced cracking method: the hashes have already been generated in advance, and all that remains is to find the leaked hash in the table to recover the password that produced it. It works very quickly even on weak machines and leaves no chance for owners of short passwords.
  4. Other methods: social engineering, keyloggers, sniffers, Trojans, etc.

Password strength

Summarizing the information obtained from various reliable sources, I will highlight the main features of a password that is resistant to hacking (by hacking I mean searching through hash databases, when the hashing algorithm is known in advance):
  1. Password length (the longer the better), for advanced cases it is recommended to use a 15-character password;
  2. Absence of dictionary words and parts of common passwords in the password;
  3. Absence of patterns in the password (by pattern I mean a logical algorithm for generating the password, for example: “Med777vedev”, “12@ytsu@21” or even “q1w2e3r4t5”);
  4. Random sequences of characters from various groups (lowercase, uppercase, digits, punctuation marks and special characters).
However, we are all people with a rather limited ability to remember incoherent information, so passwords that meet the parameters described above, while very resistant to cracking, are very hard to remember. So let's consider less paranoid options for creating and remembering passwords.
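As an added example (this is not the author's code; the word list, leet table, keyboard rows and the 15-character / three-class thresholds are my own choices for illustration), here is a Python check that applies the four criteria above to a candidate password. It also illustrates the point from the cracking section that digit substitutions and inserted characters do not hide a dictionary word: it undoes common leet substitutions and strips non-letters before the dictionary check, so “Med777vedev” and “321DR67ag0On” are caught, and it flags keyboard walks such as “q1w2e3r4t5”. Wrong-layout dictionaries and patterns like “12@ytsu@21” are not covered.

```python
"""Password strength check along the four criteria from the article.
Added example, not the author's code.  The word list, leet table,
keyboard rows and thresholds are constructed here for illustration;
a real check would load a large dictionary and leaked-password list."""
import math
import re
import string

# Constructed mini dictionary (a real deployment uses a large word list).
WORDLIST = {"password", "medvedev", "dragon", "google", "habr",
            "letmein", "admin", "secret"}

# Common digit/symbol-for-letter disguises, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Keyboard rows used to spot walks such as "qwerty" or "q1w2e3r4t5".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _forms(pw):
    """Views of the password in which hidden words and walks surface:
    lowercase text, letters only, digits only, and letters after leet
    substitutions ("Med777vedev" -> "medvedev", "p4ssw0rd" -> "password")."""
    low = pw.lower()
    return {
        low,
        re.sub(r"[^a-z]", "", low),
        re.sub(r"[^0-9]", "", low),
        re.sub(r"[^a-z]", "", low.translate(LEET)),
    }


def contains_dictionary_word(pw, min_len=4):
    """True if a list word of at least min_len letters appears in any form."""
    forms = _forms(pw)
    return any(len(w) >= min_len and any(w in f for f in forms) for w in WORDLIST)


def contains_keyboard_walk(pw, run=4):
    """True if some form contains `run` consecutive keys of one row,
    in either direction ("qwer", "0987")."""
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    for f in _forms(pw):
        for i in range(len(f) - run + 1):
            if any(f[i:i + run] in r for r in rows):
                return True
    return False


def character_classes(pw):
    """Number of character groups used: lowercase, uppercase, digits, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(chk(c) for c in pw) for chk in checks)


def entropy_bits(pw):
    """Upper-bound entropy assuming each character was drawn uniformly from
    the union of the classes present (26 + 26 + 10 + 32 ASCII punctuation).
    A password with a dictionary word or a pattern has far less real entropy."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += len(string.punctuation)
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def assess(pw, min_len=15, min_classes=3):
    """Apply the four criteria; the thresholds are this example's own choice."""
    report = {
        "length": len(pw),
        "classes": character_classes(pw),
        "dictionary_word": contains_dictionary_word(pw),
        "pattern": contains_keyboard_walk(pw),
        "entropy_bits": entropy_bits(pw),
    }
    report["strong"] = (
        report["length"] >= min_len
        and report["classes"] >= min_classes
        and not report["dictionary_word"]
        and not report["pattern"]
    )
    return report


if __name__ == "__main__":
    # The three patterned passwords from the article plus one constructed random one.
    for candidate in ["Med777vedev", "q1w2e3r4t5", "321DR67ag0On", "Xk7#pQ2!mL9vR4@z"]:
        print(candidate, assess(candidate))
```

The entropy figure is deliberately an upper bound: it is what the password would be worth if every character had been chosen at random, which is exactly the assumption that a dictionary word or keyboard walk breaks. That is why the verdict depends on the word and pattern checks and not on the bit count alone.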

How do people remember their passwords?

Having analyzed the methods Habr users use to generate passwords, I came to the conclusion that the main way of remembering a password is based on building a logical or associative chain. All sorts of distortions of words are also used. These could be:
  1. Domain names interspersed with login (“gooUSERglcom”, “UmailruSer”);
  2. A certain standard phrase that is attached to the domain (“passgoogleru”, “passhabrahabrru”);
  3. A common word interspersed with significant numbers and other characters (“321DR67ag0On”, where 32167 is a cheat that summoned 5 black dragons in Heroes of Might & Magic);
  4. Russian words in English layout (“,k.lj)