I use Dashlane for all logons EXCEPT financial sites (banks etc.) which I (a) remember and (b) have recorded in a safe place. No objection to LastPass etc. I just got to Dashlane first thanks to David Pogue.
I never use the same password twice.
Most passwords are composed of a string of memorable words. I keep a list of password in an online (password protected) file in code form, e.g., “town of birth” + “best friend’s nickname” (don’t use either in reality), so that I can easily reconstruct the password but almost no one else can.
Most of the time one is forced to use an e-mail address as user id. I have an address which does not include personal information. Otherwise I never use the same user id twice.
I don’t bother too much about computations of password “strength”. When passwords are at least 16 characters I feel I’m pretty safe.
Composition rules are counter-productive and reveal the ignorance of the web site managers.
Being forced to change passwords regularly is equally counter-productive (I’m looking at you www.socialsecurity.gov).
I like your approaches, they seem very thorough, except perhaps #1. Hopefully you select “memorable” passphrase with sufficient entropy; maybe you have a really good memory. I’ve considered maintaining two different password vaults to provide an additional layer of security, but the complexity seems more than I want to pursue.
I do like the idea of writing down passwords vs a password vault, which limits exposure to online attacks. Each approach has different vulnerabilities. The main challenge to writing-down is user diligence. Some people I know write down passwords of about 12 chars or so, with not-great entropy. The second problem is managing the volume of passwords. And higher entropy pwds become much less convenient to manually enter.
A large unknown is the security of the sites that authenticate your login. Obviously storing salted passwords hashes is too much trouble for many (most?) sites. So if you have any pattern to your passwords, the pattern could be inferred from leaked passwords – especially if pwd is connected to your identity. (I appreciate that’s not that likely)
Saguaro,
Just following up…
On my first item, the passwords I memorize are around 20 characters long and do not include dictionary words. There are very few of them and I use them every day so it really isn’t a difficult feat of memory. I used Steve Gibson’s Password Haystacks tool to check that the entropy is sufficiently high.
I agree that one has no idea about the security of the sites one logs on to but I trust that using unique user ids and unique, long, passwords is the best defense.