My clients and my friends ask me sometimes what the best policies are for password management. I don’t know if these are the best but this is what I do and recommend.
Use multi-factor authentication when available
Services like Facebook and Gmail allow you to configure a multi-factor authentication system (Google calls it “2-step verification” and Facebook “security codes”). In that system you need three credentials: a username, a password and a one-time token. That token is either sent to you via SMS or generated using a special application on your smartphone. Online banking systems also have this kind of authentication, just a bit more complicated to use as it usually involves your credit card and an extra device. When you have multi-factor authentication activated you can choose a password that is easy to remember, but not obvious, or use a pass-phrase. John Walker has a nice pass-phrase generator at Fourmilab. If your email provider does not offer multi-factor authentication, change it. Or use your Facebook address as a back-up address where you will receive password resets for other services. If you don’t do that and your email is hacked then most probably everything else will be hacked too.
Use third-party authentication
When a web-site doesn’t have multi-factor authentication but allows you to connect through a third-party (like Facebook or Google) where you have already configured multi-factor authentication, then use it.
Use passwords you cannot remember
For services where you cannot have multi-factor (even through a third-party) use a strong password you cannot remember (one different for each service) and let your browser remember it for you. Another option is to not let the browser remember the passwords and ask a new one each time. But it’s a bit impractical for websites you use often. In any case, never be afraid to ask for new passwords when necessary (like when you are not using your own computer). I use this service to generate my passwords. I have a bookmark in my browser and I get a new, randomly generated, 12 signs password each time I hit it [Edit: I now use 20 signs passwords]. You can use a pass-phrase too, you just don’t need to remember it.
Protect your computer with a pass-phrase
Since most of your passwords will be stored with your browser, it’s important that access to your computer is password protected too. Use a pass-phrase or a strong password you can remember. Make sure the computer goes into lock mode after a few minutes of inactivity. Same thing with your smart phone and your tablet.
Additional advice, experiences or questions will be welcome in the comment section :)