Yes, "don't outrun the bear; outrun your companion" is a fair strategy in computer security. But if you're made of particularly juicy and delicious man-meats (which would be analogous to having your name be Brian Krebs or Jennifer Lawrence or being a Google employee or having a three letter twitter handle), some bears might decide that it's worth a little extra effort to run you down instead. It's a personal decision as to how much effort you're willing to put into protecting your online identity.

I'm not so sure about "probably". I'd say it's probable that if they're restricting length then at some point they were being stupid like storing passwords in a VARCHAR(8), but lots of times those restrictions get kept for backwards compatibility even after they've upgraded how they're storing passwords. The best canary in the coalmine is whether they'll email or display your old password as part of the password reset process.

That's a tough battle to fight. Users, when faced with making a decision between fulfilling their immediate digital urge and being safe, will choose to fulfill their digital urge 99% of the time. If "being safe" was an option presented via dialogue box, 99% of the 1% that initially chose to be safe will repeat the action so they can make the digital urge fulfillment choice instead.

So the bad guy just got the password database from hacking slashdot and sees your password is sahcorrecthorsebatterystaple. The bad guy pulls up another password leak from hellokittyislandadventure.com, and sees an account with the same email address uses the password hlocorrecthorsebatterystaple as a password. It's entirely possible they'll figure it out given enough data points. You're right that it's an edge case, since nowadays the bad guys aren't doing much of that since there are so many users using "letmein" and "Password1", so you have to make a decision. Given the number of places you're reusing your password strategy, your knowledge (or lack thereof) of trends in identity theft via password leaks, and the value you place in your online identity, is it worth using password management software instead of memorizing a password algorithm?

In favor of password managers, when banks do stupid stuff like that you can use the software to make truly random passwords that follow those requirements. No need to modify your algorithm to fit within stupid restrictions.

Well, no. That's an entirely different type of attack, requiring entirely different skills and resources. Script kiddies are perfectly able to download a bunch of leaked databases, look for username or email address matches between them, read the passwords in plaintext, guess that you're using the site name or url to modify your passwords, and then try your username and password on amazon or banking or webmail sites. They're not going to be able to say "Man, look at that guy's password! I should hack a trojan onto his computer by backtracing his IP address using a Visual Basic GUI!"

Also of note, KeePass has defenses against keyloggers.

No, when you're traveling you use the mobile app to access your password database, read it off your phone, and then you type it into the infected computer. No need to be stupid about it.

Every everything is vulnerable. You have to make choices to minimize your vulnerability given the current risk environment. You're millions of times more likely to have your password leaked because it was stored in an insecure manner on a vulnerable server than to be subjected to a crowbar hack, so you should prioritize your defense accordingly.

Treating numerous accounts as "low security" and reusing your passwords across them is still dangerous, in my opinion, but it's up to you whether the effort of storing those extra passwords in your password management program is worth the added security. Information gleaned from multiple "low security" accounts could potentially be combined to get access to your high security accounts. And once you get password management software set up, I've found it's much easier than remembering and typing, even for the accounts I don't care about. Autofill is glorious, and I really love never having to play the game of "have I already registered for this site?"

Exactly the opposite: "Encryption works" was one of the key points made by Edward Snowden. The NSA found it much easier to just bypass encryption. There are some instances where we suspect the NSA has had a hand weakening or backdooring some algorithms (like recommending odd seed values for elliptic curve cryptography) but nothing definitive.

Diceware is a great recommendation, but you're missing one key consideration: password reuse is a larger danger to users than is having a weak password. The Apple iCloud hack is one of the few in recent memory where a password-related breach wasn't tied to password reuse. What happens most of the time is that a site is vulnerable to SQL injection gets their users table stolen, and "bad guys" use that information to try accounts on related sites. If the compromised website was using a bad (i.e. fast) password hashing algorithm, then having a good password will protect you a little, but you're playing with fire. Password cracking techniques have been advancing exponentially, as has GPU power. But if this site is using reversible encryption or storing passwords in plaintext (which still happens with alarming frequency) then all your other accounts are at risk from the one breach regardless of how great your password is. Of course, if they're using a good password algorithm like PBKDF2 or bcrypt, even a mediocre password will be relatively safe. But what are the chances that every site you've registered with is using a good password algorithm? Probably zero. How can you check the password storing technique of a site you're about to register with? You can't.

Yeah, you could make an algorithm to modify your password across sites so that you can memorize it yet it'll be different, but as "bad guys" combine information from multiple leaks, any algorithm you come up with will be vulnerable to reverse engineering. Especially if your online identity is valuable. The real solution is to use password management software like KeePass, LastPass, or 1Password. Lock your password program with your good password from Diceware, and use unique, truly random passwords for all the websites you've registered on.

If your requirement for caring about emerging technology is that it has already achieved commercial success, you're going to have a very short list.

Diceware is a great recommendation, but you're missing one key consideration: password reuse is a larger danger to users than is having a weak password. The Apple iCloud hack is one of the few in recent memory where a password-related breach wasn't tied to password reuse. What happens most of the time is that a site is vulnerable to SQL injection gets their users table stolen, and "bad guys" use that information to try accounts on related sites. If the compromised website was using a bad (i.e. fast) password hashing algorithm, then having a good password will protect you a little, but you're playing with fire. Password cracking techniques have been advancing exponentially, as has GPU power. But if this site is using reversible encryption or storing passwords in plaintext (which still happens with alarming frequency) then all your other accounts are at risk from the one breach regardless of how great your password is. Of course, if they're using a good password algorithm like PBKDF2 or bcrypt, even a mediocre password will be relatively safe. But what are the chances that every site you've registered with is using a good password algorithm? Probably zero. How can you check the password storing technique of a site you're about to register with? You can't.

Yeah, you could make an algorithm to modify your password across sites so that you can memorize it yet it'll be different, but as "bad guys" combine information from multiple leaks, any algorithm you come up with will be vulnerable to reverse engineering. Especially if your online identity is valuable. The real solution is to use password management software like KeePass, LastPass, or 1Password. Lock your password program with your good password from Diceware, and use unique, truly random passwords for all the websites you've registered on.

A pilot can not be left alone in cockpit with a terrorist because the terrorist will kill the pilot. A flight attendant can not be left alone in cockpit with a pilot because the pilot will fuck the flight attendant. A terrorist can not be left alone in cockpit with a flight attendant because the flight attendant will have the terrorist to return to his seat.