- I have a different password for each site/service online.
- I aim for a minimum of 20 random characters, spanning 0-9, A-Z, a-z and 2 specials. On some sites, I have upped this to 40 characters.
- I enable 2 factor-auth where possible.
- None of these passwords are stored anywhere, in any password storage system, password manager, on disk, or on paper.
- At no point are any of the sites where these passwords are used stored in any password storage system, password manager, on disk or on paper.
My process does involve knowledge of a master password, which again, I haven't stored anywhere, on disk or on paper. In theory, if you found out what this was, you could potentially find out the other passwords but you would still need to know what sites/services I have accounts with, and as I've just said above, I don't store that information in a readily accessible form (the process is actually all linked together using sha512 hashing (a one way process), not encryption (a reversible process)). In fact, even I can't get this information back.
FYI, my PayPal account got hacked several years ago now. That was an 8 character lower case only, random password, which I was using on other sites. That incident gave me a wake-up call so I devised my own system to generate random but recoverable passwords of any length (up to 80 characters max) for each site/service as required.
Computerphile have done some good videos discussing choosing and cracking passwords:
and it demonstrates that even replacing letters with numbers, and any other variants of this, are all now pitfalls for choosing a secure password. Only lengthy passwords with high-entropy are secure, and only if hashed using a secure hashing algorithm. Which reminds me - if you signup somewhere and they email your password back to you, at any point, well... enough said.