Anything from Star Wars, Star Trek, Die Hard, or Jerry Maguire is off the list. Don't even think of going near The Princess Bride or the 1980s G.I. Joe TV show. Best to stick with something obscure--perhaps some Ukrainian post-expressionist new-age stop-motion noir. In the original Ukrainian--definitely not the Russian translation, and you know why.
Then try to type it into your iPhone without a mistake within three tries before you lock yourself out of your account or, worse, erase the whole phone.
And, never forget that every time that you use the same password for two different sites, services, or computers, a kitten dies.
One password to rule them all?
Sure, you can always follow the recommendations that we here at Macworld have been harping on for years. Start by using a password manager like 1Password or LastPass that generates long random passwords for you, and protect them all behind one main, strong password. They work great, and once I bought 1Password, I stopped worrying about all those websites that I used Muppet83! for (I miss that dog).
Except for iTunes, of course. Apple requires you to enter your password every time you buy anything, and sometimes prompts you for it seemingly at random, just to make sure you're paying enough attention. Or iCloud, which seemingly requires you to reenter the password on every device, for every service, every time you're foolish enough to make the smallest alteration in your iMessage settings. On iOS you can't always jump away from the password prompt for system-level items, making it difficult to grab the correct entry from your password-management app and paste it in.
As for your even slightly less technical friends and family, good luck teaching them how to use a password manager and synchronize it reliably over multiple devices. Think about all the times when your password manager stored your full name as the username, or couldn't paste the password into the nice HTML slide-down login field, or couldn't associate a generated password with the proper login page. A mere annoyance for a technically proficient user is a game-ender for an average person who just wants to log in to a vegan cake-decorating forum safely.
At this point, don't even think about mentioning the Keychain Access Utility.
We've published entire features dedicated to passwords, containing reams of advice that unnamed technophobes and tech tyros in your family will never reasonably follow, because the advice itself is completely unreasonable. We layer hacks upon hacks as best we can to stabilize a foundation incapable of supporting a house of cards.
The devil we know
So what are our alternatives? Dropbox, Google, and others now offer options to send one-time passwords as text messages to your phone, which you then combine with your main password. This two-factor authentication is, again, great for the technically proficient and for sites that we deem important, but can you imagine trying to force the method down the throats of millions of users--a large percentage of whom are on AT&T, which loves to play "guess when the text will arrive"?