Password Creation Rules
1. Be someone capable of remembering things, and knowing HOW to remember things.
2. Make up a word that is pronounceable nonsense, containing no typical English letter sequences. i.e. don't automatically follow a 'q' with a 'u'; use 'f' where 'th' might go, etc. Be creative.
3. Identify and memorise two or three symbols you will *never* use in a password, e.g. "(" and "%".
4. So you get something like "meguphlubateaqin" (which you'll pronounce, in your mind, like "mEH-goo-flubb-ate-a-quin" (it comes off the tongue easily enough).
5. Add the odd digit to get "me9uph1ub8aqin"—note '9' for 'g', '1' for 'i', '8' for 'ate', etc. Zeroes, fives, threes and sevens can all work for 'o', 's', 'B' and 'T' as you like.
6. Bung in a symbol or two if you wish, for say "me9u-ph1ub+8aqin".
7. Write it down a few times and when you put it into your password book/encrypted list/whatever, remember to break it up into disordered chunks, separated by the symbols you memorised as never going into a password (step 3), so you get, say "8aqin%me9u-(ph1ub+%".
*Do not * put all your trust in a "secure password store"!
8. You do not need to remember the broken order of step 7, because as soon as you see the chunks of the password, the word itself will speak in your mind (because it's ridiculous and memorable).
9. I haven't mentioned upper-case, but *of course* use the odd capital here and there.
10. You now have a 16-byte password using around 70 different possible values in each position. It is not guessable by dictionary attack. Assuming that wherever you have applied this password the guardian software is so abysmally crap (and fast) that an adversary could try a brute-force attack of one million attempts per second—to exhaust even half the possibilities would take 5 quadrillion years.
None of this is difficult. With practice it is literally childishly easy.
DO NOT use the same password anywhere twice, ever.
DO NOT take GCHQ/NSA "advice"—it's intended to make their access easier, and they hate and fear strong passwords. Be someone who is *not* afraid of changing passwords; making them impossible to guess; and saving them in a way that *still* makes them useless.
None of this helps if the guardian software (which checks your password to let you in to your service) is crap. Your password must be securely transmitted, properly hashed, hashes properly seeded, databases secured, etc, and that's why El Reg and others do a great job of embarrassing the corporate f***wits who are too lazy or incompetent to enforce proper security.
You will be pleasantly surprised and how good you get at knocking up horrible passwords that you can easily remember.
a. With a nonsensical, weird password, you may have plausible forgettability.
b. In any case, if you need deniability, encrypt at least twice, with the first level (e.g. disk-level) encrypted to look like random garbage, which you can sacrifice when you've lost enough fingernails, and the second, invisible, deniable level being as many as needed low-bandwidth steganographs ... even Homeland Security can't jail you for keeping 10,000 poor-quality family photos on your laptop.
c. You *could* use fingerprints, but that's the same as as printing your password in big letters on everything you touch.
d. You *could* use facial recogntiion, if you want to make it even more pitifully easy for the Stasi to break into your device, just by waving it at you.
e. Improve this technique using extended characters, because there are many which, in print or screen, are indistinguishable from ordinary ones. The ALT-NUM sequence is your friend.
The choices: are yours.