A Facebook thread by one of my friends brought this one to mind. He was asking about what the current guidelines were for strong passwords. They vary, based on the capabilities of the system. A lot of the guidance nowadays is on passphrases modified in some manner, usually with a few substitutions. The passphrases create a password that is computationally costly to brute-force and the substitution just adds to the number of combinations that have to be tried per word.
What you should never do is choose a password that can be brute-forced easily guessed (edit: typed too quick on this one). I can recall a time when I was working with a vendor and they had configured the SQL Server, as per their procedure. It was one of those "hands-off or you break support" situations. They then hit a point where they needed DBA support, meaning us. As we investigated, we found out that they had chosen a password easily guessable via a social engineering attack. It was the name of the product, in all lowercase. I guess you could say at least they chose a password, as we ran across one similar installation where the sa account was installed with no password and, to make matters worse, that's the account the application was using.
As technical defenses go on the rise, social engineering is going to be the easiest way into most systems. People, whether we like it or not, are often the weakest link because they are too trusting. The recommendation is not to choose a password that involves your name, a member of your family, or someone close to you. If your child's name is Alex, then at some point I will try various permutations of Alex to see if I can get in. If you're a big sports fan, do not choose a password that involves your favorite teams. When we had a penetration test group in, they cracked several accounts by guessing a local college followed by a number, which conveniently came out to 8 characters and matched most rules for password complexity (mixed case with a numeric). That was when our password minimum length was eight characters. It's not any longer, partially because of this particular example (but more because of the cheapness of storage for storing rainbow tables).
It's not hard to choose a memorable passphrase that can't be connected to you. Don't choose one that can be social engineered. Don't choose a regular password that can be social engineered. If you're a vendor, don't install your product with a default password that's tied to your or the product's name. If you're a consultant, don't configure a password matching the vendor or product's name. It's among the first sets of passwords an attacker will try. They don't have to break out brute force engines to give a few of these a shot. Be smart about your password choices.
