So now you have a great password. That doesn't matter a whole lot if you don't protect it properly.
Granted, using sticky notes is a bad idea, but writing passwords down isn't necessarily a bad thing. The key is to make sure that the written copies are kept somewhere safe or non-obvious. Keeping them in a notebook in a safe is one idea. Putting them in a file cabinet is another, as long as other people don't know that you're doing that.
So while this puts you at some risk from the other people in your house/office, that's way better than putting them in an unprotected computer file!
A new trend is for people to put all their passwords in a spreadsheet or text file. This is convenient, but a huge risk! There are so many ways that bad guys can get a peek at the files on your computer that if one of those files is a full listing of names and passwords, the bad guy has hit the jackpot!
I'm not actually against this in practice, but the key is to protect the file (similar to keeping a notebook in a safe). If you make such a file, make sure it's protected by some strong form of encryption. In my case, TrueCrypt.
This is also useful in case you need to send that file somewhere over the Internet or put it on a portable device of some kind. If it's encrypted then an online eavesdropper won't be able to access it and if you lose a portable device, the file will be inaccessible.
There are many password management programs out there, but I can't recommend any. That's not to say they're not great because they may be, but I've never had need to use one since I just encrypt the file itself.
Sure, those managers might come with extra features like recognizing the site you're on and filling in your password for you, but those extra features create another risk. Maybe I can trick the manager into thinking I'm on a different site, or into putting your password into a plain text field where I can capture it. There are lots of possibilities, so I just avoid them.
If you do want to look into this, I've heard that KeePass is good (and it does not autofill your passwords which is good).
Granted, this will save you about 6 to 8 seconds every time you log in, but consider the risks of using the "remember me" function on a webpage. What it does is place some identifying information on your computer that the site will use instead of a name and password.
So what happens if someone eavesdrops on the transmission of that identifier? Or, if that's protected, what if your computer/cellphone is lost or stolen? Beyond that, I already talked about how there are many ways someone can get into your computer. If they browse around, find one of those files and make a copy, they can log in as you without your name and password!
This is a risk that's just not worth the benefit. On some sites you can choose to remember the login name without the password, which still saves time and is less of a risk, but there's really no justification for remembering the password. It's a risk with no real benefit.
If you're still not sure, just ask Michael, who probably used his Mom's computer to check his Facebook when he was home on break from college:
If you enter your name and password without first making sure you have a secure connection from you to the site you're on, anyone else on your network, in your nearby area (if you're using wireless), or on the Internet between you and the site can see it!
Read my full HTTPS article here for a full description of what it is, why to use it, and how.
The Single Password Issue
Here's something you might not have ever thought about, but should: if someone knows your username and password, they're very likely to try it at major websites and services to see if it works there. How do they get your username and password? You give it to them!
Every time you go to a website that requires signup or registration, you have to give a username, an e-mail address and a password. But what do you know about the people who own and operate the site? What if a disgruntled or greedy employee decides to try a little identity theft on the side?
You handed them your e-mail address, so what happens if they go to your e-mail provider's site and enter the e-mail address and password you gave them? If you use a different password for every site, nothing happens, but if you're the one-password-for-everything type, you're toast.
Even if that doesn't work, does that e-mail/username and password combination work at Facebook? eBay? PayPal? They could try hundreds of the best-known sites, all with a simple web program. The only defense you have is to never use a single password for everything!
The Challenge Question Issue
Another major problem is when you are asked to fill in challenge questions. First, if you follow my Geek Privacy Principle, you would never willingly give away information that isn't necessary. Do you really want to hand over your mother's maiden name to some random website?
Second, if you fill these in, the password reset function may be triggered by the challenge questions instead of your e-mail. That means that if I have, or can guess, the challenge responses, I may be able to unlock your account without first having access to your e-mail account!
Just ask President Obama, whose Twitter account got taken over and used for spam just because he entered real answers to challenge questions (and go figure that someone in the world knew where he lived, what his dog's name is and so forth)!
The simplest solution is to use a privacy alias. By using fake data that you can easily remember, you not only make the data you provide worthless to the site you've given it to, but a bad guy won't be able to guess it either.
The only disadvantage is that you're still giving away the data for your one and only privacy profile. A way around this, if you use a password file like I do, is to make up challenge answers on the spot and just "write them down" in the file. That way you can remember them while eliminating the risk of that information being used against you somewhere else.
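To put the two pieces of advice above into practice (the encrypted password file from earlier, and made-up challenge answers written into it), here is an added example that is not from the original post: the post uses TrueCrypt, while this swaps in OpenSSL's passphrase-based file encryption with PBKDF2 key stretching. It assumes an openssl binary (1.1.1 or newer) on PATH; the file names, site name and passphrase are constructed for the demo.

```shell
# Added example, not from the original post (which uses TrueCrypt): keep the
# password file encrypted with a passphrase, using OpenSSL's "enc" with PBKDF2
# key stretching instead. Assumes openssl 1.1.1+ on PATH; file names and the
# passphrase are constructed for the demo.

# Encrypt plaintext $1 into $2 with passphrase $3 (AES-256-CBC, random salt,
# key derived with 600000 rounds of PBKDF2-SHA256 to slow down guessing).
encrypt_vault() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -md sha256 \
        -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt $1 into $2 with passphrase $3. A wrong passphrase normally fails the
# padding check and returns non-zero; on the rare occasion it passes, the
# output is garbage, so callers should also compare the result (see below).
decrypt_vault() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -md sha256 \
        -in "$1" -out "$2" -pass "pass:$3" 2>/dev/null
}

# Make up a random "privacy alias" answer for a challenge question instead of
# handing over the real one; 12 random bytes become 16 base64 characters.
random_answer() {
    openssl rand -base64 12
}

# SHA-256 of a file, used to check that decryption restored it exactly.
digest() {
    openssl dgst -sha256 < "$1"
}

# Build a small vault, lock it, and prove that only the right passphrase opens
# it. Returns 0 on success, 1 on any failure.
demo_roundtrip() {
    dir=$(mktemp -d) || return 1
    plain="$dir/passwords.txt"; vault="$dir/passwords.enc"
    printf 'example.test\tusername\tcorrect-horse-battery\n' > "$plain"
    printf 'example.test\tQ: mother maiden name\tA: %s\n' "$(random_answer)" >> "$plain"
    encrypt_vault "$plain" "$vault" 'Th3 vault passphrase' || return 1
    # The ciphertext must not leak the plaintext.
    grep -q 'correct-horse-battery' "$vault" && return 1
    # A wrong passphrase must not yield the original contents.
    if decrypt_vault "$vault" "$dir/wrong.txt" 'not the passphrase' &&
       [ "$(digest "$plain")" = "$(digest "$dir/wrong.txt")" ]; then return 1; fi
    # The right passphrase must restore the file exactly.
    decrypt_vault "$vault" "$dir/back.txt" 'Th3 vault passphrase' || return 1
    [ "$(digest "$plain")" = "$(digest "$dir/back.txt")" ]
}
```

Calling demo_roundtrip returns 0 only if the locked file hides its contents, a wrong passphrase does not open it, and the right one restores it byte for byte.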