I've got some hundreds of passwords total, mostly in http://keepass.info/ after going into File, Database Settings, Security, hitting the "1 second delay" option under "Number of key transformation rounds", and then multiplying that by a small number so it takes 2-12 seconds to process the password each time (more if using KeePassDroid or other mobile device ports), which adds quite a few bits of security. 40 million rounds is about 12 and a half bits more security than the default 6 thousand rounds, for example.
Most of these are passwords with over 128 bits of entropy - 100% random passwords of length 20 to length 128 with as large a character set as the application allows. It's probably overkill at length 128, since:
01110101000010011000111101001110110110000010101111011000000111101101001111001100001010110111110011101001111110100101110110100101
is a 128 bit password, and thus is more or less equivalent to 128 bit symmetric ciphers in terms of security. If you use LastPass or KeePass or any other tool, creating a password generation profile or five is trivial. Any cryptographically random password with a keyspace of 2^128 (3.4E38) or greater is going to meet current security standards about as long as 128 bit symmetric encryption does.
That's a cryptographically random:
128 character binary password
39 character numeric only password
28 character all lower case password
25 character lower + numeric password
23 character lower case + upper case
22 character lower + upper + numeric password
21 character lower + upper + numeric + symbols over numeric password
20 character lower + upper + numeric + 32 symbols password
18 character lower + upper + numeric + 32 symbols + 81 high ASCII character password
Biometrics are interesting, but what do you do after someone steals them? Get new fingerprints/retinas? Passwords, at least, you can change.
RSA and other TOTP tokens are a good idea, but they can be compromised at the root, so the onus is still on users to have solid passwords.
The only answer I have right now is a password manager with a truly strong cryptographically random password (just start using it regularly; your fingers will remember after a few painful weeks).
Be aware, if you ever type that password manager password into some other site, then anyone who's ever taken a copy of it and gets that password can open it up.
Note also that pieces of paper in your wallet/purse aren't that bad an idea - paper out of the open isn't subject to bulk collection/data breaches, and most of us are reasonably good at protecting our wallets/purses most of the time, assuming low level adversaries.
P.S. If you want a less secure but still reasonable 96 bit (7.9E28) password:
That's a cryptographically random:
96 character binary password
29 character numeric only password
21 character all lower case password
19 character lower + numeric password
17 character lower case + upper case
17 character lower + upper + numeric password
16 character lower + upper + numeric + symbols over numeric password
15 character lower + upper + numeric + 32 symbols password
13 character lower + upper + numeric + 32 symbols + 81 high ASCII character password
P.P.S. If you want a borderline/not strong 80 bit (1.2E24) password:
That's a cryptographically random:
80 character binary password
25 character numeric only password
17 character all lower case password
16 character lower + numeric password
14 character lower case + upper case
14 character lower + upper + numeric password
13 character lower + upper + numeric + symbols over numeric password
13 character lower + upper + numeric + 32 symbols password
11 character lower + upper + numeric + 32 symbols + 81 high ASCII character password
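The three length tables above and the "12 and a half bits" figure for KeePass rounds all come from the same two calculations: length = ceil(bits / log2(charset size)) and extra bits = log2(rounds / baseline rounds). The script below is an added example (not part of the original post) that reproduces both and generates a password of the computed length with a CSPRNG; the charset sizes are the post's counts, the exact 32-symbol and 81-high-ASCII alphabets are assumptions, and the 6000-round baseline is the post's KeePass default. With a strict ceiling, the 80-bit "lower" and "lower + upper" entries come out one character longer than the post's 17 and 14, which land just under 80 bits.

```python
import math
import secrets
import string

# Character-set sizes as counted in the post (symbol/high-ASCII sets assumed)
CHARSETS = {
    "binary": 2,
    "numeric": 10,
    "lower": 26,
    "lower+numeric": 36,
    "lower+upper": 52,
    "lower+upper+numeric": 62,
    "lower+upper+numeric+10 symbols": 72,
    "lower+upper+numeric+32 symbols": 94,
    "lower+upper+numeric+32 symbols+81 high ASCII": 175,
}


def bits_per_char(charset_size: int) -> float:
    """Entropy of one uniformly random character drawn from the set."""
    return math.log2(charset_size)


def min_length(target_bits: int, charset_size: int) -> int:
    """Shortest length whose keyspace is at least 2**target_bits (strict ceiling)."""
    return math.ceil(target_bits / bits_per_char(charset_size))


def length_table(target_bits: int) -> dict:
    """Rebuild one of the post's tables for the given entropy target."""
    return {name: min_length(target_bits, size) for name, size in CHARSETS.items()}


def kdf_extra_bits(rounds: int, baseline_rounds: int = 6000) -> float:
    """Work-factor gain from more key-transformation rounds, expressed in bits."""
    return math.log2(rounds / baseline_rounds)


def generate(target_bits: int, alphabet: str) -> str:
    """CSPRNG password from `alphabet`, just long enough to reach target_bits."""
    n = min_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    for bits in (128, 96, 80):
        print(bits, length_table(bits))
    print(f"40M rounds vs 6k default: +{kdf_extra_bits(40_000_000):.2f} bits")
    pw = generate(128, string.ascii_letters + string.digits)
    print(len(pw), "chars:", pw)
```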