Source: http://computing.way...ssid/badpwd.php
I. Passwords should never be:
- Any word in any dictionary, in any language
- Any formal name or nickname, including spouse's, children's, and pet's
- Any mythological or fictional character or race
- Any name of a place (city, country, cross roads, forest, or place of natural beauty), real or fictional
- Fictional terms
- Titles of movies, books, compositions
- The name of any author, composer, musician, actor
- Any special number
- Acronyms
- Phrases
- Fables or legendary characters or places
- Combinations of letters or patterns on the keyboard
- Clever license plates you've seen (one2nv, 3vom, ibuy4u) or neat word/letter combinations (aTdHvAaNnKcSe)
- Religious figures, places, or events
- Anything you can imagine being collected into a list
If a password fits in a list, you can presume someone has made up that list.
II. Passwords should never be a simple algorithm applied against something in category I, such as:
- The "word" backwards
- Substituting numbers for vowels, r1ch2rd for richard
- Common substitutions for letters, 3 for e, mov3
- Appending or prefixing digits, apple639 or 123apple
- Appending or prefixing special characters, apple@ or $klingon
III. Passwords should never be taken from your account information, such as:
- Your user name
- Your user index/number (for Unix the UID and GID)
- User name owner information (for Unix the gecos field) which commonly contains your name
- Information derivable from this information: your initials
This category is similar to the first category. However, whereas category I is static, category III depends on your account information and is dynamic.
- Your social security number
- Your student ID number
- Your phone number, your mother's phone number, your mother's maiden name
- Your passport number
- Your street address, the address where you were born
- Your license plate number
- Serial number from your camera, computer, stereo
Two final tips on password selection. First, make sure you know how many characters the system allows for a password: a good 15 character password may become a terrible password if the system only uses the first 8 characters. [The WSU AccessID password must be at least six but not more than ten characters.] Second, check your password to make sure it doesn't duplicate a bad password: a (usually) good personal password generation algorithm can still produce a bad password, because two unrelated ways of forming a password can happen to land on the same bad string. For example, the potentially good password mxvhall would be bad if your name was Mary Xavier Virginia Hall.
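The checks above can be turned into a small policy validator. The following is an added example, not code from the original page: it undoes the category II transforms (case, reversal, prefixed or appended digits and symbols, digit-for-vowel and leet substitutions) before comparing against a word list, derives category III terms (user name, UID/GID, gecos name words and initials) from a Unix-style account record, and re-checks the prefix the system actually keeps, so that a long password is rejected when its stored prefix is bad. The dictionary, the account record, and the 8-character limit are constructed assumptions.

```python
import re

# Constructed sample data (assumed for this example, not from the page): a tiny
# dictionary standing in for real word lists, and a Unix-style account record.
DICTIONARY = {"apple", "klingon", "richard", "move", "secret"}
ACCOUNT = {"user": "mhall", "uid": 1042, "gid": 100, "gecos": "Mary Xavier Virginia Hall"}

VOWELS = "aeiou"
# Category II substitutions: what a digit or symbol may stand for. Any digit may also
# replace any vowel, so digits expand to the whole vowel set as well.
LEET = {"0": "o", "1": "il", "2": "a", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}
STRIP = "0123456789!@#$%^&*()-_=+.,;:'\"?/\\|[]{}<>`~ "

def account_terms(acct):
    """Category III: strings derivable from the account record, initials included."""
    words = acct["gecos"].lower().split()
    terms = {acct["user"].lower(), str(acct["uid"]), str(acct["gid"]), "".join(words)}
    terms.update(words)
    terms.add("".join(w[0] for w in words))                   # mxvh
    terms.add("".join(w[0] for w in words[:-1]) + words[-1])  # mxvhall
    return terms

def as_pattern(s):
    """Regex for a candidate: letters are literal, digits/symbols become the set they may encode."""
    parts = []
    for ch in s:
        alts = LEET.get(ch, "") + (VOWELS if ch.isdigit() else "")
        parts.append("[" + re.escape(alts + ch) + "]" if alts else re.escape(ch))
    return re.compile("".join(parts))

def forms(pw):
    """Undo the category II transforms: case, prefixed/appended digits or symbols, reversal."""
    base = pw.lower()
    out = {base, base.strip(STRIP)}
    out |= {s[::-1] for s in list(out)}
    return {s for s in out if s}

def why_bad(pw, acct=ACCOUNT, words=DICTIONARY, max_len=8):
    """Return why a password is bad, or None. max_len is the prefix the system actually
    keeps (assumed 8 here): a long password is judged by its truncated form as well."""
    targets = {w.lower() for w in words} | account_terms(acct)
    for variant in (pw, pw[:max_len]):
        for f in forms(variant):
            pat = as_pattern(f)
            hit = next((t for t in targets if pat.fullmatch(t)), None)
            if hit:
                return f"{variant!r} reduces to {hit!r}"
    return None

if __name__ == "__main__":
    for pw in ("r1ch2rd", "mov3", "apple639", "$klingon", "mxvhall", "klingon!Zq7pLm2", "gT7#pqL9wX"):
        print(pw, "->", why_bad(pw))
```

With the 8-character limit, "klingon!Zq7pLm2" is rejected because its stored prefix "klingon!" strips down to a dictionary word; the same password passes when `max_len` covers its full length.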