I use a password manager.
I have a different password for every site.
My passwords are as long and as random as they can be.
I’m extra wary about online banking setup due to the impact of any breach.
I was setting up a new account with a well-known high street bank last night and was amazed that:
The password can only be a maximum of 12 characters.
The password can only contain alphanumeric characters – no punctuation allowed.
There is a secondary question (and two questions for password resets) – these questions are pre-defined and there is no option to choose your own question. (Is my mother's maiden name or my first employer really a secret?)
The workaround: don't answer the security questions truthfully. Instead, store (in the password manager) a long random string that DOES use every available character, and give that as the answer to each question.
Another pet peeve – don't ask me to provide a subset of the characters from my password unless you can explain how you reconcile that with storing only a salted hash of my password rather than storing it in plain text.
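To make the point concrete, here is an added example (my own illustration, not code from the bank or from any real system) contrasting the two storage schemes. The 62-character alphanumeric alphabet and the 12-character maximum are taken from the post; the PBKDF2 parameters, the record layout and the sample password are assumed. A whole-password hash supports exactly one check, all characters at once. To answer "give me characters 3, 7 and 9" a site has to keep something per position, and a per-position hash of a single alphanumeric character has only 62 candidates, so it is plaintext in all but name whatever the iteration count.

```python
import hashlib
import hmac
import os
import string

# Constructed illustration, not the bank's code. Only the alphabet size and
# the length limit come from the post; everything else is assumed.
ALPHABET = string.ascii_letters + string.digits   # 62 characters, no punctuation
MAX_LEN = 12
ITERATIONS = 2_000   # low so the demo runs quickly; the 62-vs-62**12 ratio is the point


def _kdf(data: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the given text."""
    return hashlib.pbkdf2_hmac("sha256", data.encode(), salt, ITERATIONS)


def store_whole_password(password: str) -> dict:
    """What the post asks for: one random salt and one hash of the whole password."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _kdf(password, salt)}


def verify_whole_password(record: dict, attempt: str) -> bool:
    """The only check a whole-password hash supports: every character at once."""
    return hmac.compare_digest(_kdf(attempt, record["salt"]), record["digest"])


def store_per_position(password: str) -> list:
    """What a site must keep to ask for 'characters 3, 7 and 9': a salted hash
    per position, each covering a single character from a 62-symbol set."""
    records = []
    for pos, ch in enumerate(password[:MAX_LEN]):
        salt = os.urandom(16)
        records.append({"pos": pos, "salt": salt, "digest": _kdf(ch, salt)})
    return records


def verify_character_subset(records: list, positions: list, chars: str) -> bool:
    """The partial check that per-position storage makes possible."""
    return all(hmac.compare_digest(_kdf(c, records[p]["salt"]), records[p]["digest"])
               for p, c in zip(positions, chars))


def recover_from_per_position(records: list) -> tuple:
    """Why per-position hashes are plaintext in disguise: at most 62 candidates
    per position, so at most 62 * len(password) hash computations in total.
    Returns (recovered_password, hash_computations)."""
    recovered, work = [], 0
    for rec in records:
        for cand in ALPHABET:
            work += 1
            if hmac.compare_digest(_kdf(cand, rec["salt"]), rec["digest"]):
                recovered.append(cand)
                break
        else:
            raise ValueError("character outside the alphanumeric set")
    return "".join(recovered), work


def guessing_work(length: int) -> tuple:
    """Upper bound on hash computations to exhaust each scheme for a password
    of the given length: (per-position store, whole-password store)."""
    return len(ALPHABET) * length, len(ALPHABET) ** length


if __name__ == "__main__":
    sample = "Abc123Xyz789"   # constructed sample password
    whole = store_whole_password(sample)
    print("whole-password check:", verify_whole_password(whole, sample))
    per_pos = store_per_position(sample)
    print("subset check (chars 3,7,9):", verify_character_subset(per_pos, [2, 6, 8], "cXz"))
    print("recovered from per-position store:", recover_from_per_position(per_pos))
    print("work to exhaust (per-position, whole):", guessing_work(len(sample)))
```

The numbers from guessing_work are the whole argument: 744 hash computations to exhaust a per-position store of a 12-character alphanumeric password, against 62 to the 12th power for the whole-password hash. Raising the iteration count scales both by the same factor, so it never closes the gap; the only fix is not to store anything that can validate characters individually.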