New password system
I am currently implementing a new universal password system, one I feel confident will cause the vast majority of would-be hackers to go find someone easier to hack. It's not impossible to hack, nothing is, but I want to make it sufficiently difficult to hack that noxious persons go after lower-hanging fruit.
1. Create a base passcode. The base is a ten-digit combination of uppercase, lowercase, numbers, and special characters. It is split into two parts (and no, I will not be telling how many characters are in each part.) It is chosen specifically to have absolutely nothing to do with any of my personal info, or with any particular site, or anything at all that I can think of. It's as nearly random as I can make it.
2. Generate a unique passcode for each site, typically eight to ten characters, uppercase, lowercase, numbers, and special characters. Because the unique passcode is set up specifically for each site, it is chosen in a way that makes sense to me, and probably not to anyone else.
3. Put part of the base code, then the unique code, then the rest of the base code. Note that the leading few characters and the trailing few characters are always the same, but the characters in the middle, and the total number of characters, change for each site.
Should the bad guys by some miracle manage to figure out what I use for the leading few and trailing few, they still have to work out that stuff in the middle. And the password is, overall, an 18 to 20 character password. Lots of luck breaking it. It can be done, but there are other people who have far weaker passwords. If someone were to work out what I use for the first x characters and the last y characters, they would then only have to break the middle 8-10 characters. Quite possible. But first they gotta have enough examples of my stuff to work out the base code. That would be a non-trivial exercise. If the Feds are actively hunting me, specifically, they can gather the info necessary. (Or, more likely, get a search warrant and haul me before the courts when I decline to provide them the password.) The majority of criminal gangs won't bother. And I can always make things interesting for anyone trying to break my password by altering the split in the base passcode, or by simply adding a character or two.
There are, unfortunately, some places which restrict the maximum number of characters in a password, and some places which don't allow all of the special characters, and some places which do both. I let the admins at those places know that they have an insecure site (and they just love me for it, they do) and generate a unique passcode just for them. They are the ones who cause me trouble to remember the password, as they don't fit the normal pattern. I try to avoid sites like that.
There are sites which are simply not worth the effort involved in generating a secure password. (I'm looking at you, El Reg.) They get a much simpler generic eight to ten character passcode.
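An added example, not part of the original post: a self-audit of the base-plus-site-code scheme described above, measuring how much of each password stays unknown once two passwords built this way are visible in plaintext. The base, its split point and the site codes are constructed sample values, and the bit counts are upper bounds that assume uniformly random characters from the 94 printable ASCII symbols (a site code chosen to be memorable carries less).

```python
import math
import os

PRINTABLE = 94  # printable ASCII without the space character (assumed alphabet)

# Constructed sample values: a 10-character base split 4/6 and two site codes.
BASE_HEAD, BASE_TAIL = "r7#K", "m2!Qx9"
SAMPLE = [BASE_HEAD + "Bank4me!" + BASE_TAIL,     # 18 characters
          BASE_HEAD + "Mail&Box22" + BASE_TAIL]   # 20 characters


def shared_affixes(passwords):
    """Return the (prefix, suffix) that every password has in common."""
    if len(passwords) < 2:
        raise ValueError("need at least two passwords to compare")
    prefix = os.path.commonprefix(passwords)
    shortest = min(len(p) for p in passwords)
    rev = os.path.commonprefix([p[::-1] for p in passwords])
    # Keep the suffix from overlapping the prefix in the shortest password.
    rev = rev[: shortest - len(prefix)]
    return prefix, rev[::-1]


def upper_bound_bits(length, alphabet=PRINTABLE):
    """Entropy ceiling for `length` uniformly random characters."""
    return length * math.log2(alphabet)


def exposure_report(passwords):
    """Per password: full-length ceiling vs. ceiling once the base is known."""
    prefix, suffix = shared_affixes(passwords)
    rows = []
    for p in passwords:
        middle = len(p) - len(prefix) - len(suffix)
        rows.append({
            "length": len(p),
            "middle_length": middle,
            "bits_full": upper_bound_bits(len(p)),
            "bits_after_exposure": upper_bound_bits(middle),
        })
    return prefix, suffix, rows


if __name__ == "__main__":
    head, tail, rows = exposure_report(SAMPLE)
    print(f"shared base recovered: {len(head)} + {len(tail)} characters")
    for r in rows:
        print(f"{r['length']} chars: {r['bits_full']:.1f} bits -> "
              f"{r['bits_after_exposure']:.1f} bits ({r['middle_length']} unknown)")
```

Running the same comparison over your own password list shows how many of the 18 to 20 characters are actually doing work per site; a password manager generating independent random passwords keeps the full-length figure for every site.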