We are neglecting to list the world's favorite option: Have one weak password and use it at all your sites. Any of these are infinitely better than that strategy.
Using a single strategy is not practical for most people. It's best to put a little effort into your plan. Categorize your sites by risk level. See our password worksheet. Use different strategies for different risk level sites. For example, you may choose a formula approach for your highest risk sites, such as online finance, tax preparation, certain email, and dating. For moderate sites, you may use a password manager to generate unique passwords and remember them for you. For your lowest risk sites that store no more than a few settings, you can re-use a low strength password.
The four top solutions are:
The password manager: This is software such as LastPass or RoboForm, which manages your passwords for you. It stores encrypted copies of all your sites and passwords and fills in your web forms for you. You need only a single strong master password to reach every other password. The argument against this is: what happens when the vendor gets hacked, or you have a keylogger on your machine?
(A variation of this is your browser’s built-in ability to remember passwords, which is a very bad idea. Most browsers have an option to show your saved passwords in plain text, so anyone who can walk up to your computer can read through all of them. If you are going to use a password manager, at least use a third-party product.)
The password list or book where you keep site names and passwords: The argument against this is losing the book. You can easily circumvent the issue by using a shorthand in your notes. Instead of writing thecrimson.com / [password], you could write tcn / [password]. You know that tcn means The Crimson, but would the person who picked up your book know? That depends on whether they know you or just found it lying somewhere.
The password hasher: This runs a weak password through an algorithm using the site name as a seed. The best known of these is the Stanford PwdHash. This is a simple tool into which you enter the site address and a password; it then creates a more complex hashed password from them. For example, I used thecrimson.com for the seed, then used 123456 for the password, and it generated LPdmlY40. The argument against this is that you are tethered to a tool. If you can’t get to the tool for some reason, you’re stuck with resetting your password. Also, if you use this, use a stronger password than 123456 to build your hash. Some password hashers use browser plug-ins to simplify use. One such tool is SuperGenPass.com.
Your brain and a system: This is our recommendation. We advocate the password sandwich. Our Healthy Passwords book is about this, so this will be a very brief explanation. You create a short ingredient list: preferably two weak ingredients (the bread) and one stronger ingredient (the main ingredient). You connect them with special characters (the condiments). The system part is how you assemble it. First, we recommend that one piece of bread be a site code, such as tcn for thecrimson. Second, we recommend an expiration code for the other piece of bread, such as q2 for “expires second quarter”. For the main ingredient we recommend a mnemonic of a short rhythmic phrase. Use a song you cannot get out of your head. In the book we use the public domain example of “Three blind mice, See how they run” to create TbmShtr (the first letter of each word, case preserved). Putting it together, thecrimson becomes tcn@TbmShtr!q2 and Twitter becomes twt@TbmShtr!m4 (Twitter expires every month, presently at the end of April). You can write all of these down on a simple wallet card using your own shorthand.
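As an added worked example (not code from this page or from the Healthy Passwords book), the small Python script below covers both the hasher approach and the sandwich: `site_hash` is a hypothetical stand-in for a password hasher built on HMAC-SHA256 (it is not PwdHash’s algorithm, so it will not reproduce LPdmlY40), and `mnemonic` / `sandwich` assemble the ingredients exactly as described above.

```python
import base64
import hashlib
import hmac
import re


def site_hash(master_password: str, domain: str, length: int = 8) -> str:
    """Derive a site-specific password from one master password and a domain.

    Illustrative stand-in for a password hasher (assumption, not PwdHash):
    HMAC-SHA256 keyed with the master password over the domain name,
    base64-encoded and truncated. Same inputs always give the same output,
    and a different domain gives an unrelated output, which is the whole
    point of the approach. Its strength still rests on the master password.
    """
    digest = hmac.new(master_password.encode(), domain.encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def mnemonic(phrase: str) -> str:
    """Main ingredient: first letter of each word, case preserved.

    'Three blind mice, See how they run' -> 'TbmShtr'
    """
    return "".join(word[0] for word in re.findall(r"[A-Za-z]+", phrase))


def sandwich(site_code: str, phrase: str, expiry_code: str,
             condiments: tuple = ("@", "!")) -> str:
    """Assemble bread + condiment + main ingredient + condiment + bread."""
    left, right = condiments
    return f"{site_code}{left}{mnemonic(phrase)}{right}{expiry_code}"


if __name__ == "__main__":
    song = "Three blind mice, See how they run"
    print(sandwich("tcn", song, "q2"))   # tcn@TbmShtr!q2
    print(sandwich("twt", song, "m4"))   # twt@TbmShtr!m4
    # Constructed inputs: the page's weak example password and two domains.
    print(site_hash("123456", "thecrimson.com"))
    print(site_hash("123456", "twitter.com"))
```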
If you are currently using weak passwords across sites, any of these is better than your current practice.