I have way too many passwords. They’re based on a common* mnemonic, rearranged into anagrams, and then with letter replacement. I have two sets of three passwords – one set for personal use, one set for work. The three passwords in each set are for varying security zones. The most complex password is for high-security accounts like my network login (in the work set), or my bank account (in the personal set). Then there’s a medium security one for stuff like logging into my home computer or wireless router. It would suck to get pwned, but I can always wipe everything and reinstall off the backups in my closet. At work I use a password like that for browser security, and important web site logins like CDW or sciquest. Then I have a least-important password for stuff like web forums, where having my account stolen would be embarrassing at worst.

One thing that happens when doing this is that the most important passwords are the ones I type the least. The least important passwords get stored in the web browser**. I could use throwaway random passwords for this, with email recovery if I lose it from the browser cache. It’s also really really important not to store high-security passwords in your web browser, and this scheme discourages doing that. You don’t store a higher-security password in a lower-security one. Your web browser history is less important than your bank account. Browsers and OSes get compromised by bad people, and you don’t want to let them at your most important stuff.
