XKCD password scheme is broken

According to Bruce Schneier, the XKCD password scheme is no longer a good practice to follow:

(…) the oft-cited XKCD scheme for generating passwords – string together individual words like “correcthorsebatterystaple” – is no longer good advice. The password crackers are on to this trick.

I suppose it is still better than the Tr0ub4dor&3 scheme anyway, but Schneier suggests his own:

My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence – something personal.

But looking at the other examples he provides, this falls short when it comes to remembering it, or to mentally recall the transformation. Did I use a capital letter, a 2 substitution for to, an exclamation mark…

Don’t fall for the “base string + variant” scheme anyway, where you always use the same base string, then add a (short) suffix depending on the website. For instance timbsp4ws (“this is my basic string password for websites”) followed by blacne (inspired from “_blo_g._ac_kx._ne_t”). An attacker that has compromised your password on any given website could derive your password for other websites, e.g. it would be timbsp4wshoco on hotmail.com.

So I’d stick to the Password Safe approach, or any other password vault that suits you (side-note: I’d keep it local to my computer though, not sync’ed in the cloud). One very long and hard-to-guess password to rule them all, and each individual site uses a generated random long password.

Bruce uses 12 characters by default, I use 32; but beware that this causes issues on some ill-conceived sites. Often, they limit your password length to 12 or even 8, but have the courtesy to let you know. Sometimes however, the webiste will accept your 32 characters password but actually silently truncate it (I believe phpBB caused me some troubles in the past).