(WARNING: Geek Alert)
According to a Microsoft security expert, we've been going at the issue of password security wrong for 20 years. Start writing the blasted things down.
(Of course, it isn't that simple; go read the article.)
Thank God someone besides me has finally taken up this crusade. As a network administrator, some days I spend half my time resetting passwords for people who can't remember them. I used to get really annoyed, until it got to the point where I couldn't remember all of mine. The last time I counted, 4 years ago, I had over 200 passwords and PINs I had to keep up with. Of course, some of these were for my personal use, but still--no mortal can be expected to keep up with that many. (Have I told you the story about using my ATM PIN to disarm the alarm on a building? That worked well....)
I was eventually shown the light by some evil Big Oil company guys at a training class we were all taking. All my passwords now reside in encrypted form on a PDA. I have one password that lets me get to all the rest, and I'm the only one who knows it.
So, my end user friends, start putting all your eggs in one basket and Guard That Basket. Microsoft says that it's OK.
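What "guarding the basket" looks like in code, as an added illustration that is not the post author's PDA software or any particular product: the single master password is stretched with a salted, memory-hard KDF (scrypt) into an encryption key and a MAC key, the whole password list is encrypted under the first, and an HMAC tag over the result means a wrong master password or a tampered vault file is refused before anything is decrypted. The stream cipher here (HMAC-SHA256 in counter mode) is an assumption made only because Python's standard library has no AES; a real vault should use AES-GCM or XChaCha20-Poly1305 from a maintained crypto library. The cost parameters and the sample entries are constructed for the example.

```python
"""Minimal master-password-protected password vault (added example, not the post's software)."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

# scrypt cost parameters: assumed values for illustration; raise N on real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
NONCE_LEN = 16


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the ONE master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks: a CTR-style stream cipher.

    Stand-in for AES because the standard library lacks it; same routine encrypts and decrypts.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def lock_vault(entries: Dict[str, str], master_password: str) -> dict:
    """Encrypt {site: password} under the master password; returns the record to write to disk."""
    salt = os.urandom(SALT_LEN)      # fresh salt: same master password, different keys per vault
    nonce = os.urandom(NONCE_LEN)    # fresh nonce: same key, different keystream per save
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    # Encrypt-then-MAC over everything the reader will trust: salt, nonce and ciphertext.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def unlock_vault(record: dict, master_password: str) -> Optional[Dict[str, str]]:
    """Return the entries, or None if the master password is wrong or the file was altered."""
    salt, nonce = bytes.fromhex(record["salt"]), bytes.fromhex(record["nonce"])
    ciphertext, tag = bytes.fromhex(record["ct"]), bytes.fromhex(record["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare; refuse before decrypting
        return None
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def tampered_copy(record: dict) -> dict:
    """Flip one ciphertext byte, as an attacker editing the vault file would."""
    ct = bytearray.fromhex(record["ct"])
    ct[0] ^= 0x01
    return {**record, "ct": ct.hex()}


if __name__ == "__main__":
    # Constructed sample entries; not real credentials.
    vault = lock_vault({"mail.example": "s3cr3t-one", "bank.example": "s3cr3t-two"}, "correct horse")
    print(unlock_vault(vault, "correct horse"))                  # the two entries
    print(unlock_vault(vault, "wrong guess"))                    # None: wrong master password
    print(unlock_vault(tampered_copy(vault), "correct horse"))   # None: file was modified
```

The design choice worth noticing is that the vault file carries only salt, nonce, ciphertext and tag: nothing in it reveals whether a guessed master password is right except by running the full scrypt derivation, so the one password you do have to remember is the one the attacker has to pay for on every guess.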