Do NOT use a password manager! You don’t know what the terms and conditions (the contract) will become when the company behind it is bought out. Furthermore, it all goes wrong when the application’s installation gets corrupted and you have no idea what the passwords were in the first place.
Don’t use password generators either. A generator’s output is only as unpredictable as the tool that produced it: if it draws from a fixed list or a weak source of randomness, the fact that the criminals don’t know which one you used doesn’t stop someone else working from that very same list or tool from producing the same passwords afterwards and trying them against you.
Use memorable passwords instead:
- Think of a passphrase. No, not “Correct Horse Battery Staple” (that exact phrase now sits in every cracking wordlist) or any other short run of common words picked by a person rather than at random: a handful of dictionary words is precisely what dictionary and combinator attacks are built to try. Think of a whole sentence you won’t forget easily, like “Think of a passphrase (something you won’t forget easily)”
- Take the first letter from each word: toapsywfe
- Add appropriate punctuation: toap(sywfe). If the phrase has none, put some in where it would naturally go (a comma where you might reasonably have used a bracket, say) and/or add something at the end, like a ‘!’
- l337 it: 704p(5ywf3), or 704p,5ywf3! for the comma version. (Password crackers apply these same substitutions as mangling rules, so the l337 step adds little on its own; the strength comes from the sentence being yours and long, not from the digits.)
- Capitalize the nouns: 704P(5ywf3). Here ‘passphrase’ is the only noun whose initial survived the l337 step, so its P is the only capital.
It’s unique to you, easy to remember and hard to crack; it can’t be slurped up by a third-party password manager, and it won’t be ‘accidentally’ replicated by a password generator.
You can make life easier by extending a core passphrase with elements unique to the site or service you are using. Bear in mind that the core part is then identical in every password built this way: if one site stores or leaks your password in plaintext, whoever has it can see the core and needs only to guess the extension for your other accounts, so the extension should not be something anyone could work out from the site name alone.
Let’s say your core passphrase is “This is my core passphrase — the unique extension is:”. For each password you need, add an extension to it that you can recall from the site or service in question.
So, for your Amazon account, for instance, you might add “Amazon Online Shopping”
Your Amazon account password then becomes “71mcP — 7u31:405” (the initials timcp — tuei: plus aos, l337ed, with ‘passphrase’ capitalized; the initial of ‘extension’ was already turned into a 3).
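The recipe above (initials, punctuation kept, l337 substitutions, nouns capitalized) and the core-plus-extension variant are both deterministic, so they can be written down as a small script and checked against the page’s own worked values. The following is an added example, not code from the original post; it assumes the substitution table a→4, e→3, i→1, o→0, s→5, t→7 inferred from the page’s examples, and it takes the list of words to treat as nouns as an explicit argument, since the page leaves that judgement to the reader.

```python
"""Derive a password from a memorable passphrase following the page's recipe:
initials -> punctuation kept -> l337 substitutions -> capitalise nouns.
Added example; the LEET table is inferred from the page's worked values."""
import re

# Substitutions that reproduce the page's examples (assumed to be the whole table).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Splits one whitespace-delimited token into: leading punctuation, first letter,
# the rest of the word, trailing punctuation.  '(something' -> '(', 's', 'omething', ''
# and 'easily)' -> '', 'e', 'asily', ')'.  Apostrophes inside a word stay in the word.
TOKEN = re.compile(r"^([^A-Za-z]*)([A-Za-z])(.*?)([^A-Za-z0-9']*)$")

# The page's core phrase and the words it evidently treated as nouns.
CORE = "This is my core passphrase — the unique extension is:"
NOUNS = ("passphrase", "extension")


def derive(phrase, nouns=(), leet=True):
    """Turn a passphrase into a password.

    Steps follow the page's order: take the lower-cased initial of each word,
    keep punctuation attached to the word, apply l337 substitutions, then
    upper-case the initial of any word listed in `nouns`.  Because l337 runs
    first, a noun whose initial became a digit (e.g. 'extension' -> 3) cannot
    be capitalised, exactly as in the page's "71mcP — 7u31:" example.
    """
    nouns = {n.lower() for n in nouns}
    pieces = []
    for token in phrase.split():
        m = TOKEN.match(token)
        if m is None:
            # A token with no letters at all (a lone dash): keep it, with the
            # spaces around it, which is how the page renders the core phrase.
            pieces.append(f" {token} ")
            continue
        lead, first, rest, trail = m.groups()
        word = (first + rest).lower()
        letter = first.lower()                     # step 2: the initial
        if leet:
            letter = LEET.get(letter, letter)      # step 4: l337 it
        if word in nouns and letter.isalpha():
            letter = letter.upper()                # step 5: capitalise nouns
        pieces.append(lead + letter + trail)       # step 3: punctuation survives
    return "".join(pieces)


def site_password(core, extension, nouns=()):
    """Core phrase followed by a per-site extension, each run through derive().
    Note that the core part of the result is the same for every site."""
    return derive(core, nouns) + derive(extension, nouns)


if __name__ == "__main__":
    phrase = "Think of a passphrase (something you won't forget easily)"
    print(derive(phrase, leet=False))                  # toap(sywfe)
    print(derive(phrase))                              # 704p(5ywf3)
    print(derive(phrase, nouns=["passphrase"]))        # 704P(5ywf3)
    print(site_password(CORE, "Amazon Online Shopping", NOUNS))  # 71mcP — 7u31:405
    # Two different sites share everything up to the extension:
    print(site_password(CORE, "Online Bookshop", NOUNS))
```

Running it reproduces every intermediate value the page gives, which is the point of writing the recipe down: anyone who knows the sentence and the recipe gets the same password, so the sentence is the secret, and the final two lines of the demo show the shared core that a plaintext leak at one site would expose.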