The fewer types of characters in your password, the longer it must be. A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard. If you cannot create a password that contains symbols, you need to make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of symbols.

Use the entire keyboard, not just the most common characters. Symbols typed by holding down the “Shift” key and typing a number are very common in passwords. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.

Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old.”

Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of “MySoN 8N i$ 3 yeeR$ old” or a password (using the first letter of each word) “M$8ni3y0″.Noskian algorithm

Take a word that describes your favorite food or hobby and intersperse numbers and special characters.

For example, start with apple, add a special character, capitalize at least one letter, and add your two lucky numbers to make:

Ap&pl48E
Or start with tennis and turn it into te10N*ns
Suppose your street address is 2572 some street, USA. Take the reciprocal i.e. 1/x of the numeric address. 1/2572 = 3.8880248833592534992223950233281e-4. Drop the decimal and take as many digits as the system will allow for your password. Like the first eight digits – 38880248. All you have to remember is your street address and 1/X. Now even you don’t know your password until you need it! When you are ready to change your password just use the reciprocal with say, your grandma’s phone number.

how about X^2/squareroot(x) where x is a number you can remember like grandma’s phone number. Again drop decimals if need be.

There are 4 basic ways to break a password.

· Any password can be broken given enough time and computer cycles. This is called a brute force attack. Generally the longer the password the longer it takes to break it!

· Dictionary attacks- The hacker just tries all or many of the words in the dictionary usually starting with the short common ones like “cat”, “dog” etc.

· Personal attacks – A hacker doesn’t have to know you personally to use this kind of attack. Just your phone number, name, address etc.

· Insider attacks – someone at work sees your password written on a piece of paper, sees you type it in, or heaven forbid you give it to someone. No one can protect you against the last one but you.

Lets try some passwords:
aty;nva {Just type it.. Your key press sequence will make a small diamond symbol}

GrandMotherBoard {just for fun}
F1toF12
EscfromWindows
Enterin2Linux
5*Hotel

Ref:

http://its.syr.edu/accounts/psswdsug.cfm

http://itim.tamu.edu/good_passwords.shtml

http://www.itc.virginia.edu/accounts/passwords.html

http://www.microsoft.com/athome/security/privacy/password.mspx

Cain and Abel : The top password recovery tool for Windows

UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.

John the Ripper : A powerful, flexible, and fast multi-platform password hash cracker
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find here, here, or here.

THC Hydra : A Fast network authentication cracker which support many different services
When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more then 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap this release is from the fine folks at THC.

Aircrack : The fastest available WEP/WPA cracking tool
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).

L0phtcrack : Windows password auditing and recovery application
L0phtCrack, also known as LC5, attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows NT/2000 workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc). LC5 was discontinued by Symantec in 2006, but you can still find the LC5 installer floating around. The free trial only lasts 15 days, and Symantec won’t sell you a key, so you’ll either have to cease using it or find a key generator. Since it is no longer maintained, you are probably better off trying Cain and Abel, John the Ripper, or Ophcrack instead.

Airsnort : 802.11 WEP Encryption Cracking Tool
AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It was developed by the Shmoo Group and operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. You may also be interested in the similar Aircrack.

SolarWinds : A plethora of network discovery/monitoring/attack tools
SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, one of the fastest and easiest router config download/upload applications available and more.

Pwdump : A window password recovery tool
Pwdump is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available. It outputs the data in L0phtcrack-compatible form, and can write to an output file.

RainbowCrack : An Innovative Password Hash Cracker
The RainbowCrack tool is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute force cracker tries all possible plaintexts one by one, which can be time consuming for complex passwords. RainbowCrack uses a time-memory trade-off to do all the cracking-time computation in advance and store the results in so-called “rainbow tables”. It does take a long time to precompute the tables but RainbowCrack can be hundreds of times faster than a brute force cracker once the precomputation is finished.

Brutus : A network brute-force authentication cracker
This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available. UNIX users should take a look at THC Hydra.