Your password (probably) stinks.
I have bad news. I hope you don’t take this personally. Your password (probably) stinks.
Let’s face it, passwords are a major pain to keep track of. Every website that you visit will ask you to create a new user id and password. It quickly becomes overwhelming.
For simplicity, I'm going to use the pronoun "we", since I am just as guilty as you are.
The most common crutch that we use is "reuse", i.e. we use the same password. Again. And again. Rinse, lather, repeat. The problem with this approach is that once that password becomes compromised, the bad guys may have access to your bank accounts, your investment accounts, your online shopping accounts, and the list goes on. Anywhere that you have used the same combination of user id and password, you are vulnerable. Assume for sake of argument that you have a Yahoo! email account that was compromised. (Oh wait, that actually happened.) If one website is hacked the hackers now have a combination of user id and password that they can, with minimal effort, try to use on an infinite number of websites.
There are other crutches that we use: we write down our passwords (don’t do this!), we use short passwords (it turns out that the longer the password the better; an 8 character password is significantly better than a 5 character password, and a 16 character password is really good), and we use words that you can find in the dictionary (definitely don’t do this). Jimmy Kimmell once did a skit to expose how many people use personal information in their passwords (stop doing this). The list could go on and on.
I am speaking from personal experience. Full mea culpa: I used the exact same user id and password for years. I used it on name-brand websites such as Yahoo! Mail. I used it on fly-by-night websites where I thought to myself “this website probably won’t be here a year from now”. I used it for eCommerce transactions on websites that I assumed I would only visit once in my lifetime. Eventually, this behavior came back to haunt me. Someone figured out my password, used the credentials on an eCommerce site, and ordered themselves a laptop. I had forgotten that I even had a login to this particular website, so you can imagine my surprise when I received an order confirmation email for a new laptop. When I went to go and reset my password, the website actually sent me an email with my “old” password, which of course revealed my old tried, true, and very familiar password. Since the perpetrator shipped the laptop to their house, I had their home address for the police report, and I sent them an additional gift. (Ok, that was not my proudest moment). It took me years to slowly find and fix all of those passwords (I never ignored another "we are updating our terms of service" email ever again).
There is a better mousetrap. There is a relatively simple way to overcome your stinky password habit, which is to use a password management system.
There are 2 primary functions that these services provide: first, they are a master repository of your passwords, and second, they allow you to generate long and completely random passwords.
I have used LastPass for several years (ever since the hacking mentioned above). There are a number of other well-regarded services such as 1Password, Dashlane, RoboForm, and others. The great news is that these tools can also work seamlessly with your phone (which eliminates the temptation to create short passwords that are easy to use on your phone.) Whichever solution you use, there is one catch: you have to actually use it! I still find myself wanting to fall back on a familiar and comfortable password when I know that I should create a randomly generated long password. I really only remember two passwords at this point: the password to log in to my computer, and the master password for my password management tool.
There is one last suggestion for managing your passwords. For the passwords that you must remember, use a long passphrase, that only you know, that you can remember, and that you can abbreviate into a password. For example, you can start with a quote such as “If not us, who? If not now, when?” You might turn that into “IF<>uwIF<>Nw123”. The key is to make it personal, something that you will remember, but is absolutely impossible to guess.
There is no other way to explain it, you simply need to do a better job of creating and managing your passwords. We often use shortcuts of various forms to help manage our passwords, to our own detriment and peril. Know that there is a better way. A password manager can help.