Do NOT use a password manager!
You can’t predict what changes will be made to the terms and conditions (the contract) when the company behind it gets bought out — Twitter, for instance, collects personally identifiable data and reserves the right to sell that data in the event that the company is sold.
Furthermore, it all goes wrong when the password manager gets corrupted and you have no idea what the passwords were in the first place.
Don’t use password generators either — just because the criminals behind the one you use don’t know which password you took from their list, that doesn’t mean it won’t be used against you by someone working through that very same list afterwards.
Use memorable passwords instead:
- Think of a passphrase. No, not “Correct Horse Battery Staple” or any other string of real words that will be easily broken by a simple, iterated dictionary attack — the xkcd approach is weak. Think of something you won’t forget easily — like “Think of a passphrase (something you won’t forget easily)”
- Take the first letter from each word: toapsywfe
- Add appropriate punctuation: toap(sywfe) — if the phrase has none, add some somewhere: a comma or a bracket where one would reasonably fit, and/or something at the end (like a ‘!’)
- ‘leet’ it (swap letters for look-alike digits): 704p(5ywf3) or 704p,5ywf3!
- Capitalize nouns: 704P(5ywf3)
It’s unique to you, easily remembered, hard to crack, can’t be slurped up by a third-party password manager, and won’t be ‘accidentally’ replicated by a password generator.
You can make life easier by extending a core passphrase with elements unique to the site or service you are using:
Let’s say your core passphrase is “This is my core passphrase — the unique extension is:”. All you have to do is add, for each password you need, a unique extension that can be recalled by reference to the site or service in question.
So, for your Amazon account, for instance, you might add “Amazon Online Shopping”.
Your Amazon account password then becomes “71mcP — 7u31:405”
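The derivation steps above (initials, punctuation, leet, capitalized nouns) and the core-plus-extension scheme are mechanical enough to write down as code. The following is an added example, not code from the original post: it implements the post's steps and reproduces its own worked outputs. The leet table is an assumption limited to the substitutions visible in the post's examples (t→7, o→0, a→4, s→5, e→3, i→1); letters not shown there are left unchanged, and which words count as nouns is passed in explicitly, since the post capitalizes “passphrase” in the core but leaves the extension lowercase.

```python
import re

# Leet substitutions taken from the post's own examples (assumption: no others).
# Only lowercase letters are mapped, so a capitalized noun such as "P" survives.
LEET = str.maketrans({"t": "7", "o": "0", "a": "4", "s": "5", "e": "3", "i": "1"})


def _token_initial(token: str, nouns: set) -> str:
    """Reduce one whitespace-separated word to its first letter.

    Punctuation attached to the word ("(something", "easily)", "is:") is kept
    in place, which is steps 2 and 3 of the post combined. A token with no
    letters at all (the post's " — " separator) is kept with its spaces.
    """
    letters = [i for i, ch in enumerate(token) if ch.isalpha()]
    if not letters:
        return f" {token} "
    first, last = letters[0], letters[-1]
    word = token[first:last + 1]
    initial = token[first]
    # Step 5 of the post: nouns keep a capital, everything else is lowercase.
    initial = initial.upper() if word.lower() in nouns else initial.lower()
    return token[:first] + initial + token[last + 1:]


def initials(phrase: str, nouns=()) -> str:
    """Steps 2, 3 and 5: first letters with punctuation and noun capitals."""
    nouns = {n.lower() for n in nouns}
    return "".join(_token_initial(tok, nouns) for tok in phrase.split())


def leet(text: str) -> str:
    """Step 4: apply the look-alike digit substitutions."""
    return text.translate(LEET)


def derive(phrase: str, nouns=()) -> str:
    """Run the whole procedure on one passphrase."""
    return leet(initials(phrase, nouns))


def site_password(core: str, extension: str, core_nouns=()) -> str:
    """Core passphrase plus a site-specific extension, as in the Amazon example."""
    return derive(core, core_nouns) + derive(extension)


if __name__ == "__main__":
    phrase = "Think of a passphrase (something you won’t forget easily)"
    print(initials(phrase))                        # toap(sywfe)
    print(derive(phrase))                          # 704p(5ywf3)
    print(derive(phrase, nouns={"passphrase"}))    # 704P(5ywf3)
    core = "This is my core passphrase — the unique extension is:"
    print(site_password(core, "Amazon Online Shopping", core_nouns={"passphrase"}))
    # 71mcP — 7u31:405
```

Because every step is deterministic, the output for a given site is fully fixed by the passphrase, the noun choice and the extension; running `site_password` for two services with different extensions shows how only the tail of the result changes.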