
[GUIDE] Passwords. How to do them. by ramzyuu

In light of the Heartbleed incident, I present to you an in-depth password guide.

Passwords suck. Having to memorize them sucks. But weak and reused passwords are among the most common reasons people’s accounts get hijacked.
We're told to use strong passwords and never re-use the same one on every site. It’s good advice, but it rarely tells you HOW to do this without driving yourself crazy.
You can, however, still achieve rock-solid security with a smart password strategy.

Before I begin… Some CRITICALLY IMPORTANT Points:

  • Your email password is the most important, by far. The keys to the kingdom. Someone who breaks into your email can get into ALL of your online accounts via the Forgot Password function nearly every website has.
    If your email password is weak and easy to guess, CHANGE IT IMMEDIATELY. Of all the passwords you could cut corners on, email is NOT the one to do it on.
    Multi-factor authentication strengthens this further (Outlook, Gmail and Yahoo have this): login also requires a code from your phone, via an authenticator app or a text message, so a hacker who learns your password still can't get in without your phone. Prefer the app over text messages where the site offers both, since a phone number is easier to hijack than a device.

  • “Security” Questions on sites tend to be extraordinarily stupid and are an easy way for a hacker to break into your account by doing a little research on you, without even needing to know your password.
    I’d advise to not answer them for real and instead, just make up something nonsensical and random. Go back and change yours if they’re easy to guess (especially for email).
    Write them down and store them somewhere secure, like in the notes section of a password manager program.

HOW PASSWORDS TYPICALLY GET CRACKED

Brute Force: The least efficient method. A computer with a powerful GPU crunches billions of password guesses per second until it lands on yours. This could take 1 second or trillions of years depending on your password’s strength. Note that rates like that only apply to an [i]offline[/i] attack, where the attacker has stolen a site’s database of password hashes. A login form that locks or slows down after a few wrong guesses allows only a tiny fraction of that, and a site that hashes passwords with a deliberately slow algorithm (bcrypt, scrypt) cuts the guess rate by several orders of magnitude.
Dictionary attack: A more intelligent brute force attack. It tries to guess your password using common words, names and phrases, plus “mangling rules” that apply the changes people actually make (capitalizing the first letter, tacking a year or “!” onto the end, swapping a for @). It uses human predictability to its advantage, and some are VERY good and clever at guessing.
Keylogger: A computer you login to is infected with malware and the hacker learns your password by monitoring your keystrokes. Make sure you only input your passwords on computers/devices that you KNOW are 100% clean.

Important note: As long as the site stores your password as a proper hash, there is no way for an attacker to correctly guess part of your password and then only have to figure out the remainder. A guess is either completely right or it isn’t, even at 500 billion guesses per second.
The key strategy is to make the number of possible passwords so [i]mathematically immense[/i] that cracking yours through sheer guessing is practically impossible.

MEMORIZE A FORMULA, NOT INDIVIDUAL PASSWORDS

Even if you use a password manager program, I would still advise using this strategy for passwords that you have to input often and/or absolutely need to memorize (like email).
It involves choosing a strong “core” password plus a predictable per-site variable, loosely analogous to salting a hash: the same core gives a different password on every site, so a password leaked from one site can’t simply be replayed on another.
Here are some solid strategies for picking a core to your password. Note that these can be combined in some ways.

Schneier’s method
Compose a memorable sentence, take the first letter of each word and string ‘em together. (don’t use a known sentence like a famous quote, poem, song lyrics, etc)

Example:
Take the sentence, “Gee whiz, this big 200 pound dragon sure is a sexy beast!” and hammer it down into a core: Gw,tb200pdsiasb!
Next, add a variable. Site names are the easiest (and most obvious…) so add a twist to thwart crackers who try the site name in a dictionary attack.

In these examples I removed all vowels from the website names (and kept the first letter capitalized):
FurAffinity password: Gw,tb200pdsiasb!Frffnty
Weasyl password: Gw,tb200pdsiasb!Wsyl
DeviantArt password: Gw,tb200pdsiasb!Dvntrt

XKCD’S Method
The now-famous comic: http://xkcd.com/936/
It’s good, but I’d take it a step further and widen the potential keyspace by adding at least one capital, number and symbol.
ALSO, make sure you use truly RANDOM words; not a sensible phrase or famous quote that could be in a dictionary attack. (many people miss that very important point about XKCD’s comic) The strength comes entirely from the random choice: four words picked at random from a list of about 7,000 is roughly 50 bits of entropy, about the same as an 8-character fully random password, while a quote or lyric is a single entry in a cracker’s phrase list no matter how long it is.
This generator does all of that for you: http://correcthorsebatterystaple.net/ (if you’d rather not trust a website with it, some password managers can generate a word-based passphrase, or you can roll dice against a published word list)
Note: Don’t forget to make unique passwords by adding a per-site variable to the core password, as above!

Examples (the comic’s own phrase is used here only as a placeholder; that exact phrase is in every cracking wordlist now, so never use it for real):
FurAffinity password: correcthorsebatterystaple+1Frffnty
Weasyl password: correcthorsebatterystaple+1Wsyl
Inkbunny password: correcthorsebatterystaple+1Nkbnny
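The random-word passphrase and the per-site twist, as an added example in Python (this is not the guide’s own code nor the linked generator’s). It draws words from the OS random source via the secrets module, reports the entropy of the word choice, and reproduces the vowel-stripping site suffix from the examples above. The word list is a constructed 32-entry stand-in so the block runs offline; a real passphrase should draw from a list of thousands of words, and the function names are my own.

```python
import math
import secrets

# Constructed demo word list (32 entries) so the example runs offline.
# A real passphrase needs a much larger list: the EFF long list has 7776
# words, which gives log2(7776) = 12.9 bits per word; this one gives 5.
DEMO_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "lantern", "marble", "nickel",
    "orbit", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella",
    "velvet", "walnut", "xenon", "yonder", "zipper", "cobalt", "meadow",
    "tundra", "harbor", "pixel", "glacier",
]


def passphrase_entropy_bits(num_words, list_size):
    """Entropy when each word is drawn uniformly at random from list_size words.

    This is the real measure of strength: a 'sensible' phrase has far less,
    however long it is, because it sits in a cracker's phrase list as one entry.
    """
    return num_words * math.log2(list_size)


def generate_passphrase(wordlist, num_words=4, sep="-"):
    """Pick num_words words with the OS CSPRNG (secrets), never random.choice,
    and capitalize one of them so the result contains an upper-case letter."""
    if num_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of two or more")
    words = [secrets.choice(wordlist) for _ in range(num_words)]
    i = secrets.randbelow(num_words)
    words[i] = words[i].capitalize()
    return sep.join(words)


def site_variant(core, site, tweak="+1"):
    """The guide's per-site twist: append a tweak (digit + symbol) and the
    site name with its vowels removed and its first letter capitalized."""
    stripped = "".join(ch for ch in site if ch.lower() not in "aeiou")
    stripped = stripped[:1].upper() + stripped[1:]
    return f"{core}{tweak}{stripped}"


if __name__ == "__main__":
    core = generate_passphrase(DEMO_WORDS, num_words=5)
    print("core:", core)
    print("entropy with this demo list:",
          passphrase_entropy_bits(5, len(DEMO_WORDS)), "bits")
    print("entropy with a 7776-word list:",
          round(passphrase_entropy_bits(5, 7776), 1), "bits")
    for site in ("FurAffinity", "Weasyl", "Inkbunny"):
        print(site, "->", site_variant(core, site))
```

The entropy figure is the number to watch: five words from the demo list is only 25 bits, which a GPU walks through in seconds, while the same five words from a 7776-word list is about 65 bits.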

Gibson's Method

Pad your password with repeating characters to increase its length. You only have to remember how many there are and what kind.
You can apply this trick to either of the methods above, or choose a simple, short core and pad it with lots of symbols.
Caveat: padding only helps against a pure brute force search. Cracking tools also run mask and rule attacks that try short words followed by repeated symbol patterns, so a padded password is weaker than a brute force calculator (such as the Haystack page linked below) suggests. Treat padding as a supplement to a strong core, not a substitute for one.

Example:
Drgn1#@#@#@#@FA = 15 characters with all four character classes, and easy to remember. Against a straight brute force it looks strong; against a cracker that tries “short word + digit + repeated symbol pair + initials” it is much less so.

Potential problems with these strategies:

  • Password rules on some websites will be a pain in the ass. You can’t use correcthorsebatterystaple on a 15 character limited site. Some sites forbid using symbols.
    It can be a hard to keep track of which sites are the exceptions, and how. [i]You should come up with an alternate formula to use on the websites with crappy security policies.[/i]
    Typically these are sites that limit you to 10 or fewer characters and no symbols, so keep that in mind when coming up with an alternate password.

  • If a hacker somehow obtained one of your passwords in plaintext (from a site that stored it unhashed, a phishing page, or a hash cracked after a breach) he might be able to figure out your formula and break into your other accounts.
    I think they’d have to be specifically targeting you and not just going after the easiest victims in a database breach. It is still a realistic risk, though: leaked passwords are collected and cracked in bulk, and “same core plus the site name” is an obvious pattern to anyone who sees two of yours side by side.
    The per-site twist would buy you some extra time, but you’d still want to change a LOT of your passwords, and that could take an entire day’s worth of work.

  • XKCD’s method is only as strong as the word choice: an attacker who knows you used four words from a common list has (list size)^4 combinations to try, and a sensible phrase collapses to a single dictionary entry. Pick the words at random, use at least four or five from a large list, and don’t count on length alone.

USE A PASSWORD MANAGER
Password managers are programs where you can securely store your passwords in an encrypted database, protected by a “master” password. (treat this with similar reverence as your email password)
Currently I’m using KeePass (free). Mac OS X version is MacPass. Others include LastPass and 1Password.

You can also sync most managers with a companion mobile app version on your phone, and set it to delete the password database after too many failed access attempts (in case your phone ever gets lost or stolen).

Scrambled Passwords
Password Managers can generate long passwords that consist of random characters, plus you can set them to comply with varying website requirements and length limitations.
Dictionary attacks against these passwords will fail spectacularly. Brute force attacks are practically impossible. Imagine how long it would take for a computer to guess a password like this: kV}5L(Nnf#DVp>v-Ifm|
I switched to using randomly generated passwords over relying on a formula due to the annoyingly variable requirements on websites, and so I would have only one password to change in the event of a massive database breach.
Even though I can’t memorize them, I can always copy them from my phone’s password manager app if I’m on the go. It feels like a keychain when you get used to it.
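A generator of the kind a password manager runs, as an added example (not KeePass’s or any other manager’s code): it draws every character from the OS random source, rejects draws that miss a required character class so the result stays uniformly random over the compliant set, and reports the entropy. The two policies are constructed examples of a sane site and a “10 characters, no symbols” site, not any real site’s rules; all names are my own.

```python
import math
import secrets
import string

# Two constructed policies standing in for real sites' rules (not any actual
# site's requirements): a sane one, and the "10 characters, no symbols" kind
# the guide complains about.
POLICY_SANE = {"length": 20, "symbols": string.punctuation, "require_all_classes": True}
POLICY_CRAPPY = {"length": 10, "symbols": "", "require_all_classes": False}

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}


def alphabet_for(policy):
    """Every character the site allows; symbols may be a restricted subset or empty."""
    return string.ascii_lowercase + string.ascii_uppercase + string.digits + policy["symbols"]


def meets_policy(password, policy):
    """Check exact length, allowed characters and (optionally) one of each class."""
    allowed = set(alphabet_for(policy))
    if len(password) != policy["length"] or any(c not in allowed for c in password):
        return False
    if policy["require_all_classes"]:
        required = list(CLASSES.values())
        if policy["symbols"]:
            required.append(policy["symbols"])
        return all(any(c in cls for c in password) for cls in required)
    return True


def generate_password(policy):
    """Draw every character uniformly with the OS CSPRNG and reject draws that
    miss a required class.

    Rejection sampling keeps the result uniform over the set of compliant
    passwords; the common 'pick one of each class, then shuffle' construction
    does not, and leaks structure an attacker can exploit.
    """
    alphabet = alphabet_for(policy)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if meets_policy(candidate, policy):
            return candidate


def entropy_bits(policy):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    The class requirement trims a negligible fraction at these lengths."""
    return policy["length"] * math.log2(len(alphabet_for(policy)))


if __name__ == "__main__":
    for name, policy in (("sane", POLICY_SANE), ("crappy", POLICY_CRAPPY)):
        pw = generate_password(policy)
        print(f"{name}: {pw} ({entropy_bits(policy):.1f} bits)")
```

The crappy policy tops out around 59 bits, which is why the guide is right that such sites deserve a separate, different password rather than a weakened copy of your main formula.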

Potential problems with this strategy:

  • What if you forget your master password? D’oh! Just make sure it’s something you’ll never forget. Write it down somewhere safe and secure. And don’t turn your email password into a random string you can’t memorize: it is the recovery path for everything else, so keep a formula-style password (as above) for it in your head.

  • If someone breaks into your manager, they’ve got all your passwords. A keylogger that captures your master password defeats any manager, local or cloud-based; with a cloud-based manager the attacker can then pull your database from anywhere, instead of having to get at the file on your machine. This is why I use KeePass. Local files only.
    :linkducky: suggested a neat trick where you secretly add one character to every stored password, so if someone broke into your database, none of the passwords would work for the attacker. (It does mean typing that character yourself every time instead of relying on autofill, and it does nothing against a keylogger that sees the full password as you type it.)

  • Not having your password manager handy when you need it. Ah, but if this unlikely situation were to arise, I’d reset it via my email account whose password I have memorized.

OTHER NOTES

Dictionary words
Avoid words that might be found in a dictionary or on the internet: celebrity names, movies, music, famous quotes, song lyrics etc.
Good password crackers test all of these, along with their common variations. Several words chosen at random multiply the work for every word added (see XKCD method); several words that form a sentence do not.

Easy words that people who know you can guess
Family names, pet names, birthdays, favorite movies…
If you post pictures of your cat Fluffy on Facebook, don’t use Fluffy anywhere in your password. Just saying…

Sufficient complexity first, then length
It isn't necessary to make your password horribly complex h4Cke® 5p33k.
Simply have at least one of each type of character in your password: capital, lowercase, number, symbol. After that, length is much more important.
Each class you include enlarges the alphabet a brute force attacker has to assume, and each extra character multiplies the keyspace by that alphabet size.
For example, if your password consisted of only lowercase letters, the attacker would only need to consider 26 possibilities per position: 26^8, about 200 billion, for an 8-character password.
But add even one capital letter and suddenly any one of the letters could be a capital. Or lowercase. The attacker doesn't know, so the alphabet is 52 and the 8-character keyspace grows to 52^8, over 50 trillion; all four classes bring it to about 95 per position.
You might use symbols to break up common words that are found in the dictionary, but good password crackers apply exactly those substitutions as rules, so don't count on that trick for much.

Password testing tools:
I'd encourage everyone to play around with these tools. It gives you a better idea of how the mathematics work. Two caveats: never type a real password into any website to “check” it (use a throwaway with the same structure and length instead), and remember that these calculators model pure brute force, so they overrate dictionary words and padded patterns.
Seems kinda crazy how adding a single character multiplies the cracking time by the size of your alphabet (26 to 95 times), so two extra characters can take it from 2 years to thousands of years, but that's exponents for you!
http://password-checker.online-domain-tools.com/
https://www.grc.com/haystack.htm
http://howsecureismypassword.net/
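The arithmetic behind these calculators, as an added example covering both the brute force discussion above and the “complexity first, then length” section (this is not the code of any of the linked tools). The guess rates are illustrative assumptions rather than measurements, and the model is pure brute force, so it overrates dictionary words and padded patterns exactly as the online tools do; the function names are my own.

```python
import math

# Assumed guess rates in guesses per second. These are illustrative
# assumptions, not measurements: the first is the kind of figure quoted for a
# GPU rig attacking a fast, unsalted hash offline; the second is what a
# deliberately slow hash like bcrypt allows; the third a rate-limited login form.
RATES = {
    "offline, fast hash (GPU)": 1e11,
    "offline, slow hash (bcrypt)": 1e4,
    "online, rate-limited form": 10,
}


def alphabet_size(password):
    """Size of the smallest standard character set an attacker must assume:
    26 lower, 26 upper, 10 digits, 33 for everything else (ASCII symbols/space)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def keyspace(password):
    """Number of candidates a pure brute force search has to consider.
    Adding one character multiplies this by alphabet_size(), which is the
    exponential growth the guide refers to."""
    return alphabet_size(password) ** len(password)


def seconds_to_crack(password, guesses_per_second):
    """Expected time: on average the attacker finds the password halfway
    through the keyspace, hence the division by 2."""
    return keyspace(password) / guesses_per_second / 2


def human_time(seconds):
    """Render seconds in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def report(password):
    """Expected cracking time under each assumed guess rate."""
    return {name: human_time(seconds_to_crack(password, rate)) for name, rate in RATES.items()}


if __name__ == "__main__":
    for pw in ("dragon", "dragons", "Dragon1!", "Gw,tb200pdsiasb!", "kV}5L(Nnf#DVp>v-Ifm|"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"{math.log2(keyspace(pw)):.1f} bits, {report(pw)}")
```

Run it and compare the “fast hash” and “bcrypt” columns for the same password: the seven-orders-of-magnitude gap is why the hashing scheme a site uses matters as much as your password does, and why the lowercase-only dictionary word falls in about a second at GPU rates.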

… And that’s about it. Any questions, I will gladly answer in the comments.
Stay safe; stay secure! <3


Comments

  • Or just type them in a foreign language with non-regular characters. I guess it's pretty damn hard to crack a password written in Japanese.

  • There's lots of easy ways to make a password that is both memorable and difficult to crack; it's being arsed to do it. By the same token, I wonder how many hacked accounts are dead, i.e. people don't remember having them and so the password is something basic that they'd never use on more active accounts.