Totally agree (well, more or less): the use of long random passwords using lots of alphanumeric characters along with various dashes, exclamation marks and other punctuation symbols is the best option. Keep them all unique and use 2-factor when it's available.
I don't use 1Password or any others, though, although I will say they look like a good option, with good security measures. Call me paranoid if you like, but the last thing I'm about to do is go to all of that trouble and then store all of my most guarded passwords in one centralised location via an internet service. I know they have an offline option as well, but I'm just too sceptical these days with the continual stream of hacks on websites and services.
I know it's not an option for everyone, but I use my own password manager, which has security up the wazoo and no internet access whatsoever. When I need to sync between devices it's done locally, offline, using an encrypted transfer.
Overkill? Probably, but I trust me more than I trust anyone else.
You don't actually need to make them crappy; a password should be remembered.
I, for example, use something in this vein:
Da3ip2YulWàzDéBèst!Eva (no one's getting this kind of password EVER unless I gave it to them)
Means: The trip to Montreal (Yul) was the best!
Ridiculously easy to remember and yet absurdly secure.
I often reorganise those types of passwords to create other variants just as crazy, like
DéBèst3ipEvaWàz2Yul?
The best trip ever was to Montreal?
This can produce a whole suite of very, very strong passwords.
Being well aware of phishing attempts is the best way to protect against compromise.
If you're uncertain of an email or SMS notification, go directly to the site they purport to be from and never follow the link they offer, EVER. Only follow those kinds of links if you yourself produced them (say, by going to the real site and triggering them, say by changing your password).
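The "go directly to the site" rule above can be turned into a mechanical check. The following is an added example, not code from the poster: given a link from a notification and the registrable domain the service is known to use, it accepts the link only if it is HTTPS and its host is that domain or a subdomain of it, and it shows how the usual lookalike tricks (the real name prefixed to a different domain, a `user@host` userinfo part, a non-Latin homoglyph) all fail that test. The `EXPECTED_DOMAINS` table and the sample links are constructed for the example; `examplebank.example` is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed lookup: the registrable domain each notification source is
# expected to use. examplebank.example is a placeholder; apple.com is the
# real domain the post mentions.
EXPECTED_DOMAINS = {
    "bank": "examplebank.example",
    "apple": "apple.com",
}

# Constructed sample links of the kind a notification might carry.
SAMPLE_LINKS = {
    "https://www.apple.com/reset": "apple",                     # genuine subdomain
    "https://www.apple.com:443/reset": "apple",                 # explicit port, still genuine
    "http://www.apple.com/reset": "apple",                      # plain HTTP: do not trust
    "https://apple.com.account-verify.example/login": "apple",  # real name as a prefix
    "https://apple.com@account-verify.example/": "apple",       # userinfo trick
    "https://\u0430pple.com/": "apple",                         # Cyrillic 'a' homoglyph
    "https://online.examplebank.example/": "bank",              # genuine subdomain
}


def link_matches_site(link: str, expected_domain: str) -> bool:
    """True only if the link is HTTPS and its host is the expected domain
    or a subdomain of it. Anything else is treated as untrusted."""
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "https":
        return False
    # .hostname drops the port and any "user@" prefix and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def triage(link: str, service: str) -> str:
    """Apply the advice from the post: open the real site yourself unless
    the link genuinely points at it."""
    if link_matches_site(link, EXPECTED_DOMAINS[service]):
        return "points at the real site"
    return "do not follow; open the site directly"


def classify_samples() -> dict:
    """Run every constructed sample through the check."""
    return {link: link_matches_site(link, EXPECTED_DOMAINS[svc])
            for link, svc in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for link, svc in SAMPLE_LINKS.items():
        print(f"{link:55} -> {triage(link, svc)}")
```

The check deliberately compares against a fixed table rather than against anything in the message itself: the message is the untrusted input, so the expected domain has to come from somewhere the sender cannot influence.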
Hackers don't guess your password.
Right... Hackers are "magicians"... Where on earth do you think they get the password?
They get it from an encrypted db they downloaded (flat file or stored in an actual db) where you put a really bad password and they can crack it through a dictionary, or they do it through phishing and social engineering.
They could also catch your login by putting themselves between you and the real site and faking that site's login screen (that's the whole spiel of the man-in-the-middle attack). But that's a much harder one to actually do... Don't log in with your most valuable passwords (banking, or MS, or Apple) on a public network.
Of course, your password is as safe as the crappiest place you log into with it. If that place has very poor programming, they could get this password in the clear somehow. But that's not usually how this happens. Social engineering is where most of the leaks happen.
The funny thing is that often the password is well protected but not the rest of the user's data. So they could get your credit card info much more easily than they could your password if they get access to the backend db. That's what happened in big leaks like the Target one.
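The post's point that a downloaded password database only yields the "real bad" passwords to a dictionary is easiest to see side by side with a storage scheme that resists it. The following is an added example, not code from the poster or from any site mentioned: it stores a password the weak way (one fast, unsalted MD5) and shows that a tiny constructed word list recovers a common password from that hash instantly while the memorable passphrase from the earlier post does not appear in it; it then stores the same passwords with a per-user random salt and a deliberately slow PBKDF2 derivation, which removes the shared lookup table and makes each guess cost real CPU time. The word list, iteration count and minimum length are choices made for the example, not recommendations taken from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a leaked "common passwords" list; real ones run
# to millions of entries, which is exactly why weak passwords fall to them.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "montreal"]


def fast_unsalted_hash(password: str) -> str:
    """The weak storage scheme: one fast hash, no salt. Equal passwords give
    equal hashes, so a table of hashed common words answers them on sight."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dictionary_lookup(stored_hash: str, wordlist) -> Optional[str]:
    """Does a stored unsalted hash match any word in the list? Returns the
    word or None. This is the failure mode the post describes."""
    table = {fast_unsalted_hash(w): w for w in wordlist}
    return table.get(stored_hash)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """The resistant scheme: random 16-byte salt plus PBKDF2-HMAC-SHA256.
    The iteration count is an illustrative choice; raise it until one
    derivation costs a noticeable fraction of a second on your hardware."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in
    constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_acceptable_password(password: str, min_len: int = 12) -> bool:
    """Reject anything on the common list (case-insensitively) or too short,
    so the database never holds a 'real bad' password in the first place."""
    denylist = {w.lower() for w in COMMON_PASSWORDS}
    return len(password) >= min_len and password.lower() not in denylist


if __name__ == "__main__":
    passphrase = "Da3ip2YulWàzDéBèst!Eva"   # the example from the earlier post
    for pw in ("letmein", passphrase):
        weak = fast_unsalted_hash(pw)
        print(f"unsalted md5 of {pw!r}: dictionary finds {dictionary_lookup(weak, COMMON_PASSWORDS)!r}")
    stored = hash_password(passphrase)
    print("salted pbkdf2 record:", stored[:60], "...")
    print("verify correct:", verify_password(passphrase, stored))
    print("verify wrong:  ", verify_password("letmein", stored))
```

Two properties are worth checking in any real scheme: hashing the same password twice must produce different records (the salt is doing its job), and verification must go through a constant-time comparison so that the check itself does not leak how many bytes matched.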