I feel like I've read these comments before...
Every time a new study, database theft, or webcomic comes up regarding passwords, everyone has an oar to stick in. On one side, you have hardened IT security and ops bods; the folks who have been assaulted from both sides over the years and want nothing more than to tell the users and hackers to fvck off and die. On the other side, you have IT professionals and other super-users who come here who want nothing more than to access their bank accounts, email, forums, etc. without having to worry about complex password requirements or resetting those same passwords because someone made a hash (no pun intended) of database security and now a table dump of plaintext passwords with usernames is floating around out there.
I'm more of the latter group, though I did work in IT ops long enough to have developed a certain amount of contempt for users who think "letters and numbers, 6-12 characters long" is an onerous password requirement. However, with my hundred or so logins between work, play, and educational pursuits, it's hit a point where every time a breach occurs, I'm likely impacted, meaning I have to go out again and change my passwords that might be related to the email address or username I used for the compromised site.
Because of that, I've developed a certain amount of cynicism over the years about the value of coming up with a 16 to 20 character password (assuming it's accepted by the site) that uses numbers, letters, special characters, etc. As amusingly debated above about the safe, the problem is that we don't know where the safe is, how it's protected, and how hard it is to penetrate. And that's assuming that you aren't being spear-phished or compromised by a man-in-the-middle attack that doesn't even care about best practices being used by both your safe-keeper and yourself (spear-phishing is getting better and better, and even the smartest person can be hoodwinked by a well-crafted attack, or be surrounded by people who can be).
So for those most important sites, accounts, etc., assume the worst and make a unique password that is complex, enable two-factor authentication if possible, along with device logging and notification, and even treat the security questions and answers routine as password-esque, keeping a hard copy of the questions and answers offline and in your possession. That's about all you can do, unless you have the money and resources to create a dedicated link to the site, get biometric verification implemented, and require some kind of at-login phone call to a randomly generated number that always goes to your secured and specially built phone.
Everything else is a crap-shoot and should be treated as such.