If you want strong, unique, easy to recall, but hard to guess passwords for every app and service without writing them down or storing them anywhere, try devising an algorithm. Here is one example:

[First four characters of the app/website name in lowercase] + [optional special characters] + [A long, hard to guess but easy to recall passphrase] + [First three characters of your username, in uppercase] + [optional suffix for the type of password]

  • Using the app/website name makes the password unique per app, which removes the classic password-reuse risk: a password leaked from one site cannot simply be replayed against your other accounts. Note the limit of this protection, though. The passphrase appears verbatim inside every password, so if one password is leaked in cleartext (or its hash is cracked) and the reader recognises the pattern, the whole scheme is exposed. The algorithm protects you against credential stuffing, not against a careful attacker holding one of your passwords.
  • Optional special characters let you deal with sites that impose arbitrary restrictions on which special characters are allowed (digits only, none at all, and so on).
  • Using characters from the username lets you have different passwords for multiple accounts on the same site.
  • Optional suffixes are useful where the website forces you to choose two different passwords (say, read-only/read-write or login/transactional) or forces you to change the password every 15 days or other such things: bump the suffix instead of changing the passphrase.
  • For the passphrase, you can use XKCD's approach: string together several randomly chosen, unrelated words to get phrases like "CowPurposefullySpinsWheels". The strength comes from the words being picked at random, not from the phrase being memorable, so avoid quotes, song lyrics and other phrases that already exist somewhere.

App / Website   Special characters   Username       Password type    Password
Citibank        Only digits          secret_santa   Login            citi34CowPurposefullySpinsWheelsSEC
Citibank        Only digits          secret_santa   Transactional    citi34CowPurposefullySpinsWheelsSECtxnl
Facebook        Not allowed          spiderman      (none)           faceCowPurposefullySpinsWheelsSPI
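The derivation rule above, written out as a small Python script so the table rows can be reproduced exactly. This is an added example, not code from the original post. `derive_password` implements the five-part rule; `recover_passphrase` demonstrates the caveat that comes with any such scheme: given one derived password in cleartext, a reader who guesses the pattern can strip the site and username parts and read the shared passphrase, then derive the passwords for every other site. The function names are mine, and `recover_passphrase` assumes the "special characters" are a run of digits directly after the site prefix, as in the Citibank rows.

```python
# Added example, not part of the original post: the password-derivation rule
# described above, plus a demonstration of what a single cleartext leak reveals.

# The page's own example passphrase.
PASSPHRASE = "CowPurposefullySpinsWheels"


def derive_password(site, username, special="", suffix="", passphrase=PASSPHRASE):
    """Apply the rule:
    [site[:4] lowercase] + [special] + [passphrase] + [username[:3] UPPERCASE] + [suffix]

    `special` holds whatever separator the site permits ("34" where only digits
    are allowed, "" where no special characters are allowed).
    `suffix` distinguishes password types on one site, e.g. "txnl".
    Slicing is used rather than indexing so names shorter than 4 or 3
    characters simply contribute what they have instead of raising.
    """
    return site[:4].lower() + special + passphrase + username[:3].upper() + suffix


def recover_passphrase(leaked_password, site, username, suffix=""):
    """Caveat demonstration (hypothetical attacker helper, assumption of this
    example): strip the predictable head and tail from one leaked password and
    return the passphrase that every other password of this user contains.

    Assumes the optional special characters, if any, are a digit run placed
    right after the site prefix (the Citibank rows above); a passphrase that
    itself starts with digits would be clipped by the lstrip.
    Returns None when the leaked value does not have the scheme's shape.
    """
    head = site[:4].lower()
    tail = username[:3].upper() + suffix
    if len(leaked_password) <= len(head) + len(tail):
        return None
    if not (leaked_password.startswith(head) and leaked_password.endswith(tail)):
        return None
    middle = leaked_password[len(head):len(leaked_password) - len(tail)]
    return middle.lstrip("0123456789")


if __name__ == "__main__":
    # Reproduce the three table rows.
    rows = [
        ("Citibank", "secret_santa", "34", ""),
        ("Citibank", "secret_santa", "34", "txnl"),
        ("Facebook", "spiderman", "", ""),
    ]
    for site, user, special, suffix in rows:
        print(f"{site:10} {user:14} {derive_password(site, user, special, suffix)}")

    # One cleartext Citibank password is enough to derive the Facebook one.
    leaked = derive_password("Citibank", "secret_santa", "34")
    secret = recover_passphrase(leaked, "Citibank", "secret_santa")
    print("passphrase recovered from one leak:", secret)
    print("Facebook password derived by attacker:",
          derive_password("Facebook", "spiderman", passphrase=secret))
```

Run it and the three printed passwords match the table. The second half of the script is the point a practitioner should take from this: the uniqueness bullet holds against replay of the leaked string, but not against someone who reads the string and spots the pattern.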

This is only an example. Be creative and come up with your own scheme!

There you have it! Now you only need to remember a passphrase and an algorithm. Of course, this breaks down on sites with arbitrary limits on password length: the example above produces passwords of 35 to 39 characters, so a 16- or 20-character maximum (or, worse, a site that silently truncates what you type) defeats it. Such limits are mostly a case of lazy engineering, so make sure to complain and let them know about it.