Re: "shocking..."
I'm in total agreement.
At work alone, I have to know passwords for 13 databases currently. These last 28 days and must be a mixture of upper and lowercase, include at least one number and be at least 8 characters long. If we then add in all the other passwords, for websites, applications, networks, etc., the total comes to nearly 40.
Do I write them down? Of course I do!
So, what's the answer?
Unfortunately, there is no simple answer, otherwise we would already be using it.
However, I would make one request - please stop building websites which require users to have passwords for no damned good reason. It's cumbersome and unnecessary.
I shouldn't need to register a password with Tesco/Sainsbury's just so I can browse the online shelves. You don't ask me for ID when I enter a Tesco/Sainsbury's store, so why do it online?
Security is a great idea, but if it prevents legitimate users from using the software or encourages insecure methodologies, it's not working correctly.