Some random thoughts on this topic:
- I use Dashlane for all logons EXCEPT financial sites (banks etc.) which I (a) remember and (b) have recorded in a safe place. No objection to LastPass etc. I just got to Dashlane first thanks to David Pogue.
- I never use the same password twice.
- Most passwords are composed of a string of memorable words. I keep a list of passwords in an online (password protected) file in code form, e.g., “town of birth” + “best friend’s nickname” (don’t use either in reality), so that I can easily reconstruct the password but almost no one else can.
- Most of the time one is forced to use an e-mail address as user id. I have an address which does not include personal information. Otherwise I never use the same user id twice.
- I don’t bother too much about computations of password “strength”. When passwords are at least 16 characters I feel I’m pretty safe.
- Composition rules are counter-productive and reveal the ignorance of the web site managers.
- Being forced to change passwords regularly is equally counter-productive (I’m looking at you www.socialsecurity.gov).
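The post above relies on two ideas, word-based construction and a 16-character length floor, and waves off strength computations. As an added illustration (not part of the original comment), the following Python computes the entropy of a password under two different attacker models: one where the attacker treats it as random characters, and one where the attacker knows it is built from dictionary words and only has to guess the words. The dictionary size of 7776 is the Diceware list size; the alphabet size of 95 is printable ASCII; both are assumptions for the example rather than values from the post.

```python
import math

# Assumed parameters for the illustration (not from the original comment).
PRINTABLE_ASCII = 95      # alphabet size if every character is chosen uniformly
DICEWARE_WORDS = 7776     # size of a common word list used to build passphrases
MIN_LENGTH = 16           # the length floor the commenter uses


def entropy_random_chars(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy if each of `length` characters is uniformly random."""
    return length * math.log2(alphabet_size)


def entropy_word_passphrase(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Bits of entropy if an attacker knows the password is `word_count`
    words drawn uniformly from a list of `dictionary_size` words."""
    return word_count * math.log2(dictionary_size)


def meets_length_floor(password: str, minimum: int = MIN_LENGTH) -> bool:
    """The commenter's rule of thumb: at least 16 characters."""
    return len(password) >= minimum


def assess_passphrase(words: list[str]) -> dict:
    """Return both entropy estimates for a passphrase built by joining words.

    The character-level estimate is what a naive strength meter reports; the
    word-level estimate is the realistic bound once the attacker knows the
    construction scheme. The gap between them is why composition rules and
    meters based on character classes are a poor guide.
    """
    password = "".join(words)
    return {
        "length": len(password),
        "meets_floor": meets_length_floor(password),
        "bits_if_random_chars": round(entropy_random_chars(len(password)), 1),
        "bits_if_words_known": round(entropy_word_passphrase(len(words)), 1),
    }


if __name__ == "__main__":
    # Constructed sample words; chosen only to show the arithmetic.
    for sample in (["correct", "horse", "battery", "staple"], ["river", "otter"]):
        print(sample, assess_passphrase(sample))
```

Two words of ordinary length clear the 16-character floor easily yet offer only about 26 bits against an attacker who knows the scheme, whereas four words give roughly 52 bits; the character-level figure for the same strings is several times higher and is the misleading one.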