The problem:

Passwords are ubiquitous today.  Everyone who spends any time online has many different passwords to remember, and the more you have to remember, the more likely it is that you will forget some of them.  Some people get around this by using a handful of different but simple passwords; others use one complicated password for every website.

Both approaches are the wrong way to go and expose you to risk online.  Each of the simple passwords can be cracked very quickly, even by a slow desktop computer.  The single complicated password is harder to crack, but if it is lost by some other means (a phishing page, a compromise at one of the sites) the damage spreads to every account that uses it.

Bad:

First, your password should not be something that could be found in a dictionary (any dictionary).  The total number of words in the English language, including scientific terms, is about one million.  A typical desktop computer can run through a list that size in about a second, so if an attacker has a copy of the site's password database the password falls immediately.  Even when each guess has to be submitted to the website itself (one which doesn't rate-limit or lock out repeated failed logins), the whole list can be tried in under an hour at a few hundred guesses per second, which is what ordinary page load times allow as a script attempts each candidate.

Better:

Suppose you use only lower case letters for your password and choose the letters at random.  A typical 5-letter password then has 26^5 = 11,881,376 possible combinations, just under 12 million.  One way to make this password stronger is to make it longer: each extra character multiplies the number of possible passwords (and the time needed to try them all) by 26.

Another way to increase password strength is to enlarge the set of characters each position can hold.  Making your password case-sensitive, with both UPPER and lower case letters, takes the alphabet from 26 to 52 characters, which for a 5-character password multiplies the number of combinations not by 2 but by 2^5 = 32.  Throw in some numbers and some punctuation (an alphabet of roughly 70 characters) and you end up with a much stronger password such as: 94Gh-  Total number of possible combinations in this case?  70^5 = 1,680,700,000, or about 1.7 billion.  Total time for a computer to break it?  Probably at least several weeks or even months, even with a fast computer, assuming the attacker has to submit each guess to the website over HTTP.  That assumption is doing most of the work: if the attacker instead holds an offline copy of the site's password hashes, 1.7 billion guesses against a fast hash take seconds on a single GPU.

The advantage of this password is that it is relatively strong and not too hard to remember.  You can increase its length to increase the number of combinations further; each added character multiplies the time it takes to crack your password by a factor of about 70, so the more characters you can memorize the better.
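The arithmetic above, carried a little further, as an added example (this is not code from the original post).  It computes the keyspace and bit strength for the post's cases, converts them to worst-case cracking time for both an online attacker (who must submit each guess to the website) and an offline attacker (who has the site's hashed password database), and adds two cases the post does not show: a longer lowercase-only password and a 6-character password from the 70-character set.  The guess rates are assumptions chosen for illustration, not measurements.

```python
import math

# Guess rates are assumptions for illustration, not figures from the post.
# An online attacker must submit each guess to the website; an offline
# attacker holds a leaked password database and is limited only by hardware.
ONLINE_GUESSES_PER_SEC = 300             # assumed: a few hundred HTTP logins/sec
OFFLINE_GUESSES_PER_SEC = 1_000_000_000  # assumed: one GPU vs. a fast unsalted hash

ENGLISH_DICTIONARY_WORDS = 1_000_000     # the post's estimate


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters drawn
    uniformly at random from an alphabet of `alphabet_size` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(candidates, guesses_per_sec):
    """Time to try every candidate; the expected time is half of this."""
    return candidates / guesses_per_sec


def alphabet_multiplier(old_size, new_size, length):
    """Growth of the keyspace when the alphabet grows from old_size to
    new_size at a fixed length: (new/old)**length, not simply new/old."""
    return keyspace(new_size, length) / keyspace(old_size, length)


def describe(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    cases = [
        ("dictionary word", ENGLISH_DICTIONARY_WORDS),
        ("5 random lowercase letters (26^5)", keyspace(26, 5)),
        ("5 random mixed-case letters (52^5)", keyspace(52, 5)),
        ("5 random chars, 70-char set (70^5)", keyspace(70, 5)),
        ("6 random chars, 70-char set (70^6)", keyspace(70, 6)),
        ("8 random lowercase letters (26^8)", keyspace(26, 8)),
    ]
    for name, n in cases:
        online = describe(worst_case_seconds(n, ONLINE_GUESSES_PER_SEC))
        offline = describe(worst_case_seconds(n, OFFLINE_GUESSES_PER_SEC))
        print(f"{name:38s} {n:>16,d} candidates  "
              f"online: {online:>12s}  offline: {offline:>14s}")
```

Two things the table makes visible that the prose does not: doubling the alphabet from 26 to 52 multiplies a 5-character keyspace by 32, and 8 random lowercase letters (26^8, about 209 billion) beat 5 characters from a 70-character set (70^5, about 1.7 billion) by more than a hundred to one, so length is the cheaper lever.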

The problem with this password is that if you use it on every website and lose it once (for example to a phishing scam, where someone sends you an email, you click the link and "log in" to a fake site), then you've just lost your password for every site you use!  Not good.

Solution:

The solution is, for every password you create, to include a portion that is related to the domain (or even to the function of the site), so that you can modify your standard complex password for every website and still remember all of them.  For example the password above might become 94Gh-f for Facebook, 94Gh-y for Yahoo, 94Gh-h for Hotmail, etc.  The best part is that you can use a more complex rule that you can still easily remember (like the second letter in the alphabet after the first letter of the domain) to create slightly different passwords for each site.  Bear in mind that it is the rule, not the shared core, that protects the other accounts: anyone who captures one of these passwords and spots the pattern can derive the rest, so a single letter copied straight from the domain adds little, and a less guessable rule adds more.

Update: As well, you should change your password somewhat regularly.  A teacher at my school commented that he changes his password everywhere once a year (you may wish to change it more often than this, but being able to remember your password without writing it down is important, so not too often).  He does this by removing a character from the beginning of the password and adding a new character to the end.  This way he keeps the same core password but changes it enough that it is difficult to crack, assuming it has been compromised on one of the sites he uses it on.
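The two rules described above (the per-site letter derived from the domain, and the yearly rotation that drops the first character and appends a new one), as an added example written for this page rather than code from the original post.  `site_tag` applies the post's simple rule (the domain's first letter) with `offset=0` and its "second letter after the first letter of the domain" rule with `offset=2`; `common_prefix` is the check a practitioner would want, showing what an attacker who has captured two of the derived passwords sees as the shared core.  The core value 94Gh- comes from the post; the site list and the rotation character are constructed.

```python
import string

# The core password is the post's example; the rest is constructed for illustration.
CORE = "94Gh-"


def registrable_label(url_or_domain):
    """Reduce 'https://www.facebook.com/login' to 'facebook' so the rule is
    applied to the same name whether the user typed a URL or a bare domain."""
    host = url_or_domain.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[len("www."):]
    return host.split(".", 1)[0]


def site_tag(url_or_domain, offset=0):
    """Letter appended for a site.  offset=0 is the post's first rule (the
    domain's first letter); offset=2 is its 'second letter of the alphabet
    after the first letter of the domain' rule, wrapping around at z."""
    first = registrable_label(url_or_domain)[0]
    if first not in string.ascii_lowercase:
        raise ValueError(f"rule needs a domain starting with a letter: {url_or_domain!r}")
    idx = (string.ascii_lowercase.index(first) + offset) % 26
    return string.ascii_lowercase[idx]


def site_password(core, url_or_domain, offset=0):
    """The core password with the per-site letter appended."""
    return core + site_tag(url_or_domain, offset)


def rotate(core, new_char):
    """The yearly rotation in the post: drop the first character, append a new one."""
    if len(new_char) != 1:
        raise ValueError("append exactly one character")
    return core[1:] + new_char


def common_prefix(a, b):
    """Longest shared prefix of two passwords.  If two of the derived passwords
    leak, this is what an attacker sees as the shared core, which is why the
    per-site part should follow a rule that is not obvious from one sample."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


if __name__ == "__main__":
    for site in ("facebook.com", "https://www.yahoo.com/mail", "hotmail.com"):
        print(f"{site:28s} {site_password(CORE, site)}  {site_password(CORE, site, offset=2)}")
    print("after rotation:", rotate(CORE, "Q"))
    print("core visible from two leaks:",
          common_prefix(site_password(CORE, "facebook.com"),
                        site_password(CORE, "yahoo.com")))
```

With `offset=2` the letters become h for Facebook, a for Yahoo (y wraps past z) and j for Hotmail.  Whichever rule is used, `common_prefix` of any two derived passwords returns the full core, so the rotation in the last paragraph is also the only part of the scheme that changes what a leaked copy is worth.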

Summary:

Avoid simple passwords, as they can be cracked using a "brute force" attack.  Stronger passwords use a larger set of characters (upper and lower case, punctuation, numbers, etc.) and more of them.  Memorize a difficult password and use it everywhere, modifying it slightly based on the URL where it is being used, for example 94Gh-f for Facebook and 94Gh-y for Yahoo.

Update:

I strongly recommend also reading http://www.baekdal.com/articles/usability/password-security-usability/ which does a very thorough job of looking at the risks for passwords and has a different approach. Also, read this more recent article I wrote that talks about how to build easy to remember, but very secure passwords.