Here are my best practices for online passwords:
1. Do not reuse passwords across different accounts. Ever. There is a major, often successful cyber attack pattern used against people who reuse passwords.
2. Create a unique, long, complex password for every website where you have an account. 16 or more random characters is ideal.
3. Because #2 is very difficult without some automation or a manual ledger, use a high-quality, attack-resistant password manager and let it generate and store the passwords for you. LastPass and 1Password are both good choices.
4. Use the tutorial at the bottom of this answer to set a memorable, yet highly attack-resistant master password for your password manager.
5. Do not change your password for any online account unless your password manager's built-in notifications about password compromise alert you to the need to change it.
Thanks to XKCD for the fantastic cartoon tutorial!
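As an added illustration (not part of the original answer), the script below generates a 16-character random site password of the kind a password manager produces and an XKCD-style multi-word master passphrase, and works out the entropy of each so the two schemes can be compared. The word list is a small constructed stand-in; a real diceware-style list has thousands of entries, and the passphrase entropy scales with the list size.

```python
import math
import secrets
import string

# Character set for generated site passwords: letters, digits and
# printable ASCII punctuation (94 symbols in total).
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word list standing in for a real diceware-style list.
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "amber", "canyon", "delta",
    "ember", "falcon", "glacier", "harbor", "island", "jungle", "kettle",
    "lantern", "meadow", "nickel", "orchid", "pepper", "quartz", "river",
    "saddle", "timber", "umbrella", "velvet", "walnut", "yonder", "zephyr",
    "anchor", "biscuit", "copper", "dagger",
]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def site_password(length: int = 16) -> str:
    """Random per-site password, generated with the CSPRNG in `secrets`."""
    return "".join(secrets.choice(SITE_ALPHABET) for _ in range(length))


def master_passphrase(words: int = 4, wordlist=DEMO_WORDS) -> str:
    """XKCD-style master passphrase: several random words, easy to memorise."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare(length: int = 16, words: int = 4, wordlist=DEMO_WORDS) -> dict:
    """Entropy of both schemes, so they can be compared directly."""
    return {
        "site_password_bits": entropy_bits(len(SITE_ALPHABET), length),
        "passphrase_bits": entropy_bits(len(wordlist), words),
    }


if __name__ == "__main__":
    print("site password:    ", site_password())
    print("master passphrase:", master_passphrase())
    print("entropy (bits):   ", compare())
```

With the 32-word demo list, four words give only 20 bits; the same four words drawn from a 7776-word diceware list give about 52 bits, which is why the size of the word list matters as much as the number of words.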