Appending a number to a common word (password1, say) is an often-used method for complying with 'Must contain a digit' rules. So are substituting numbers or symbols for letters - things like 'p@ssw0rd' - and using patterns of keyboard keys such as 'edcrfvtgb'. The problem is, hackers are well aware of such techniques.
As soon as you invent a new method for creating better passwords (such as padding a shorter password with repeated punctuation), the bad guys adapt accordingly. So don't count on cleverness to protect your password. It might take a few milliseconds longer to guess '1d0ntkn0w' than 'Idontknow', but remember that you're up against machines that can make any substitution in the blink of an eye.
You want to make your passwords 'unguessable', even by someone who is smarter than you. The best way to do this is to construct them from random strings of characters, including uppercase and lowercase letters, numbers and punctuation. Though it's very hard for a human to create a truly random password, it's quite easy for a computer to do. So once again, it's better to rely on a password manager than on your brain.
14 is the new 8
Let's imagine that an attacker is determined to get into your account, and the quick-and-easy hacks (such as checking dictionary words, along with common mutations) have failed. What then? The next step for the hacker is to use brute force, trying every possible password one by one.
Unfortunately, it's getting easier and easier to find a match with this technique. A few years ago, a reasonably powerful system might have been expected to check a million potential passwords per second. Today, a single off-the-shelf PC can check several billion passwords per second, and a network of computers can check many times that number.
As a result, the advice you've read in the past about what constitutes a secure password may no longer be valid. For example, a password with eight or nine random characters is no longer sufficient to protect against a brute-force attack. Experts today recommend that you use longer passwords, often 12 to 14 characters. And that's for passwords randomly generated by a computer. Passwords you create by hand must be even longer to have the equivalent strength.
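The two ideas above (draw every character at random from the full keyboard alphabet, then size the password so that exhaustive search at today's guess rates is hopeless) can be made concrete in a few lines. The following is an added example, not code from the article or from any password manager; the 94-symbol alphabet, the 10 billion guesses-per-second figure and the `generate_password` / `expected_crack_seconds` helper names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: upper- and lowercase letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG (secrets module).

    This is what a password manager does; random.choice() is NOT suitable here
    because it is seeded predictably and is not a cryptographic generator.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length: int, guesses_per_second: float,
                           alphabet_size: int = len(ALPHABET)) -> float:
    """Mean time for brute force: on average half the space is searched."""
    return search_space(length, alphabet_size) / guesses_per_second / 2


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def strength_report(length: int, guesses_per_second: float = 1e10) -> dict:
    """Summarise a random password of the given length against an assumed
    attacker rate (default: 10 billion guesses/s, a constructed figure)."""
    secs = expected_crack_seconds(length, guesses_per_second)
    return {
        "length": length,
        "entropy_bits": round(entropy_bits(length), 1),
        "expected_crack_years": seconds_to_years(secs),
    }


if __name__ == "__main__":
    # Compare the old 8-character advice with the article's 14-character recommendation.
    for n in (8, 14):
        r = strength_report(n)
        print(f"{n} chars: {r['entropy_bits']} bits, "
              f"~{r['expected_crack_years']:.3g} years to brute-force on average")
    print("sample 14-character password:", generate_password(14))
```

Running the report shows why "14 is the new 8": at the assumed rate an 8-character random password falls in days, while adding six characters multiplies the search space by 94 six times over and pushes the expected time into the billions of years. Hand-made passwords draw from a much smaller effective alphabet than 94 symbols, which is why the article says they must be longer still.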
All password managers allow you to select the password length you want, and our advice is that for any password that can be entered for you by an app (or copied and pasted), you might as well use the longest password the target service will accept. After all, the same keystroke that fills in a nine-character password can fill in one with 14 characters.
Of course, you must still commit certain passwords to memory or, for one reason or another, enter them manually. For such passwords, you can use a longer but less complex character string to achieve comparable security.