Let’s just start this off with what to avoid - password reuse. Full stop. Passwords based on knowledge are also bad (e.g. your mothers maiden name). Finally single word passwords (even if you add a number and symbol on the end - eg Password1!) are also bad as they've been seen so many times before.
Password1! has been seen 4,655 times before
Source: Have I Been Pwned on 12th Oct 2021
Unfortunately as there have been so many data breaches over the years, the volume of data swirling around online forums, torrents and the dark web provides a massive dataset for criminals to work from. Password reuse means that if one account is compromised then the same credentials can be used to get into other sites and services you use.
for any given large set of users there will likely be some who are using very common passwords
Source: UK National Cyber Security Centre May 2018
Given how many sites use your email as your username, once they have a working email and password combination these can then be retried on other services.
I love the advice from the UK National Cyber Security Centre (NCSC) on this, they recommend taking the three (why not go nuts and try four) random words for passwords you have to remember. For everything else use a password manager. This is significantly better than either reusing passwords, or following a memorable scheme whereby if one password is disclosed your method is open for all to see. Make sure these are truly random words though and not based on things you (or others) know about you.
This is where a password manager comes in. Use one of these and you won't have to remember anything other than one strong password for that. Typically you install a browser extension and mobile app then your passwords will be auto-generated and filled.
Another benefit to this is the password manager only offers to fill the password in if you are on the correct site.
I feel they’re a better option over browser password managers as they are not just limited to websites and typically also support notes. If that seems too complicated though then a browser password manager is certainly better than nothing at all!
Personally I recommend Bitwarden (there’s a free single user option) which supports multi factor authentication (MFA) in the free edition and hardware based MFA such as U2F tokens with paid plans. 1Password is also a popular choice, though quite a bit more expensive. You can get family plans on either which allow you to share the accounts you want to with family members (eg. Netflix), whilst being able to maintain strong, highly random and therefore unguessable passwords.
Other articles in this series: