- lame passwords for sites I don't care about (e.g., 'insecure')
- the same password for sites with semi-sensitive information (e.g., facebook)
- unique passwords for bank accounts, servers, etc.
So I try to strike a balance between difficulty in remembering & security.
The thing that's bitten me on the ass a few times with that strategy is failing to upgrade sites from "I don't care about" status.
I'll use the 'insecure' password to drop a comment on an interesting discussion on a site I've just found - like, say, HackerNews or Twitter - then two years later I'm still participating in the community there, and it _could_ have still had the password I used that time to comment on a ValleyWag story. All of a sudden I _do_ care a bit about any reputation I might have. I was fortunate this time not to have any sites I cared about still using the same old password Gawker leaked (mainly 'cause I'd learned that lesson when my twitterstream started spamming acai berry sites after PerlMonks exposed my low-grade password back then.)
I think Schneier's right - the world isn't a place where "remembering passwords" works any more. We need too many of them and we don't have enough control over how other people store them.
A password safe with a strong passphrase backed up by something like dropbox or zumodrive is probably a minimum sensible approach now. Some care is needed with the devices you access that password safe on, and awareness of how software like browsers or your OS caches and stores any passwords it sees you use. Even with a properly secured password safe, a fair number of my logins are probably hosed if I lose my laptop... Firefox, Chrome, Safari, Mail.app, Twitter clients, IM clients, IRC programs, FTP programs - all of them store credentials for me, _mostly_ in Mac OS X's keychain, but not in a "reliable enough way" to be considered "secure" if the physical hardware is in someone else's possession.