When you pick a password, even using the fairly secure means above, you are unlikely to have an even character distribution. That is, some characters will be much less likely than others. To give some perspective, there are 26 lowercase letters, as many uppercase, 10 numerical digits, 32 punctuation marks, and the space. How much punctuation do you generally put in your passwords? The obscure punctuation especially, like '{', '\', '~', or '"', is rarely used. So it seems reasonable that many brute-force attacks will skip such characters because they are so uncommon even in non-dictionary passwords. If you use these less common characters, it will take longer for an attacker to find your password.

If you use them in proper proportion, the search space crackers must cover widens a great deal (it increases the base of the exponent by a substantial factor, and this is taken to the power of around 8... a noticeable improvement!). As pointed out above, if an administrator requires passwords to be very close to even, that would shrink the search space down again (though if done with a reasonable degree of leeway, it would be excluding a very small fraction of search space in doing so); but here I'm talking about actual passwords that you pick. There are several ways to devise a suitably punctuation-laden password:

Remembering the punctuation

If you are using an abbreviated phrase, pick one which includes punctuation, or words that can be concisely represented as symbols. Try to use this to get reasonably close to proportional representation of characters:

  • Invention is ninety-nine percent perspiration, one percent inspiration
    I=n-n%P,o%I
    Note the non-usage of 99% literally, which would be too attractive to a dictionary, and the capitalization of nouns. Having capitals that are not the first character helps.
  • Sir, at long last: do you have no dignity?
    S,@ll:dyh0D?
    Note the zero for 'no'. Including a trailing end-mark is debatable. This one is a little short on capital letters and numbers, but it's doing okay on punctuation. Do not be afraid of the double letter.

To aid in this, it may help to think of some word mappings to punctuation. If you play roguelike games (e.g. nethack, adom), punctuation already has lots of additional meaning for you, but these meanings are not optimized for constructing meaningful phrases. More useful would be a shorthand created for this purpose:

  • @ I, me (borrowed from said games)
  • ? question, ask, debate, thought...
  • ! aha! surprised, realized, resolved, fought
  • * star; words associated with 'Star' as a tarot card
  • ~ 'well' or any other ambivalence
  • # sharp, hash, textile, pound
  • ` grave (this is the grave accent)
  • etc.

If you have a hard time remembering your entries as a mapping from character to concept, don't worry; you'll mainly be doing the reverse, easier mapping. That is, though any character could have many ideas it stands for, there are not so many characters an idea could be represented by.

Key Shifting

If your pass phrase does not have many numbers or punctuation marks in it, you can shuffle the keyboard around somehow. This would be pathetic encryption on a message, but as a method to expand the search space of passwords, it works admirably. How could you shuffle the keyboard?

  • Push everything three keys to the right. 'a' becomes 'f', but more importantly 'p' becomes '\'.
  • Roll the keyboard up-left or up-right one. This is easiest for those who can touch-type; just use 'qwer' and 'uiop' as your home row. This gives a lot of numbers and the number-based punctuation.
  • Roll the keyboard one more every character. 'asdfgh' would become 'aw3vgy'. This is not so easy.
  • Reflect the keyboard. That is, look at the space between y, u, h, and j on a standard qwerty. Reflect your character across this point. 'z' becomes '=' and 'x' becomes '-'; 'm' becomes '6'. This may be a bit of a pain in the neck, but it does hit a lot of the more obscure characters. So, it is usable for passwords that are both important and do not need to be entered often.
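
The first shuffle in the list, and its effect on the "base of the exponent" discussed earlier, as an added example (not part of the original text). It assumes a US QWERTY layout, wraps at the end of a row (the text does not say what happens there), and models the attacker as covering every character class the password uses; the function names are made up for this illustration.

```python
import math
import string

# US QWERTY rows, unshifted and shifted layers (assumed layout).
UNSHIFTED = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Character-class sizes as counted in the text above.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "punct": string.punctuation,       # 32
    "space": " ",                      # 1
}

def shift_right(text, n=3):
    """Move every key n positions right in its row, keeping the shift state.
    Wrapping at the row end is an assumption; the page does not specify it."""
    table = {}
    for row in UNSHIFTED + SHIFTED:
        for i, ch in enumerate(row):
            table[ch] = row[(i + n) % len(row)]
    # Characters not on the four rows (e.g. the space) pass through unchanged.
    return "".join(table.get(ch, ch) for ch in text)

def search_base(password):
    """Alphabet size a brute-forcer must cover: sum of every class used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))

def search_bits(password):
    """log2(base ** length): size of the exhaustive search, in bits."""
    return len(password) * math.log2(search_base(password))

if __name__ == "__main__":
    plain = "potatoes"  # constructed sample input
    shifted = shift_right(plain)
    for pw in (plain, shifted):
        print(f"{pw!r}: base {search_base(pw)}, {search_bits(pw):.1f} bits")
```
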

Shifts

You should have about half your password typed with the shift key down. Doesn't matter whether it's a letter or not. Alternating isn't particularly strong, but it's better than nothing. You could instead follow the stress of the phrase, or capitalize the nouns as I suggested. This should come naturally to German speakers.

Really long passwords

If the maximum number of characters in the password is large, use your room! You can deal with a small character set and even sticking with proper English words if you use enough of them. If you use a complete sentence, it'll mean something, which will help keep it memorable. Just don't pick famous sentences for this.