If you're having to write down passwords or leave yourself clues then your passwords are too complicated, so much so that they're less secure than simpler passwords that can actually be remembered. Additionally, in the event that recording passwords somewhere is necessary (e.g. twenty various online accounts, each with a different passwords), the proper thing to be using is an encrypted password manage such as Password Safe.
This would be good advice if trying to defend against an offline brute force attack, although ultimately such an attack will break just about any password as programs such as can try passwords anywhere from 300-500,000+ a second, depending on the program being attacked, and moreover can pick up passwords by scanning the hard drive (passwords end up being stored all over the drive due to paging, caches, etc). An article on such offline attacks can be read [url=http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458]here.
However, this is all with regards to offline attacks; online attacks is an entirely different matter. Simply the speed limitation (even with a script running 24/7) on trying to brute-force online passwords makes trying to guess any password that takes over 1000 guesses simply not a realistic scenario. There are over 500,000 words in the English dictionary. Going with two words increases that keyspace to 250 billion. Throw in capitalization, spaces, prefixes or suffixes, etc, and your dealing with such a large keyspace that an online brute-force attack is simply laughable. Add good security practices on the part of the company running the service (such as locking out attempts for an hour after 5 wrong guesses) and the password isn't going to be brute-forced either of our lifetimes. And remember that this is still only using a weak password consisting of a root of 1-2 dictionary words plus a prefix or suffix. Expanding the keyspace further isn't going to provide any additional meaningful security, but rather is only likely to decrease security by causing people to do stupid things as they try to remember and easily use passwords that are increasingly difficult to remember.
Fully agree with this.
Your ability to remember random passwords well is the exception, not the rule, when it comes to computer users. A very large section of of the computer-using public will have a hard time even remembering the url for Hotmail; tell them to use random alphanumeric passwords (and to change them often on top of that) and you'll have sticky-notes containing those passwords on monitors in no time at all. As for never having any of your passwords compromised, let me just say this- my mother has been using the same easy-to-guess password for the past decade, and I'm pretty sure there have been long periods where it's also been on a sticky-note on her monitor; despite these horrendous security practices she's never had any of her accounts compromised either. All your experience and hers says is that generally all of our online accounts, taken individually, are very low-value targets; it says little about the merits of the security being used.
To finish up, let me emphasize that all security measures are a trade-off between security and usability. There will come a point with any security measure where increasing security further will see drastic diminishing returns while usability drops sharply. These points most commonly occur where the security measure you're trying to improve is no longer the weakest link in the security system, and thus improving it further does little to improve overall security, while only hurting usability. Once you go past the basic password guidelines I outlined in my previous post the password is no longer going to be the weakest link in the security system; having your password recorded in plain-text, keyloggers, phishing attacks, MITM or passive listening attacks on unencrypted login connections, or the company running the service having shitty security practices (such as storing passwords lists in plain-text or those moronic "secret questions") are all going to be far greater security threats than someone brute-forcing your password. So trying to make your password even more unguessable is simply not going to increase your account security by any meaningful amount.

Have you been reading my computer security textbook?
I do agree though, the biggest threat to computer & data security is not and never has been machines, it's the user. The name of your significant other, favourite band or something similarly memorable run through a 1337speak filter and memorised is as strong a password as any you'll get without heavy encryption and if you're able to use 3 or more character sets then you're more trouble than you're worth for a dictionary based attack.
For years I've been basically using 2 passwords, one has been binary and the other has been the first part of my Operation Flashpoint CD key (When modding I used to break and reinstall it so often that I still have the key memorised 8 years later), not once have I had a security issue. Basically the non-business end user is way too much trouble for way too little return to be worth hacking

Heh, security is a bit of a hobby of mine, and I regularly read Bruce Schneier's blog and the various articles and papers he links to.

Seriously? I forget about one password a week. Infact i had to reset one of my gmail account passwords today. (one of my backup accounts that is usually forwarded to my main account).
If it's a password i use every day then, of course, I remember it. I still remember the password from my uni account, and that was 10 years ago... but i used it 5 times a day.
But most sites passwords are used once every 6 months, or less. So i never have a chance to learn them. It's why i hate that all online stores insist you become a member - instead of just "pay and go".
I've had to reset my bank accounts at least a dozen times. Problem is that most of them are set up to run automatically, so i rarely log in. But i have several bank accounts, and each one has a different password, pin number, "memorable" date, security question, etc...
How the hell are you supposed to remember which one you used on the bank account that you set up last year? So it gets locked every time you try to access it. So it gets reset every time you access it. So you never remember it.
Writing them down and keeping them in a secure place seems the best bet. at least then you KNOW if they are compromised. And frankly the odds of someone breaking into your house and stealing your passwords is probably a lot lower than something dodgy happening online.

Seriously. Even with being on a hell of a lot of differing medications this last two years.
I sign up to about 3 new forums a month :
I don't write down passwords;
I don't use password managers in browsers;
I don't use the same password on two or more sites;
I don't use favourite pet's name, first girlfriend.; first school; mother's maiden name or anything else of a personally identifying nature as either password or security question.
When creating a new password, I log-out and log-in a few times...it helps the memory process. For the first week or so, I sign in every day. Once I get comfortable with remembering it, then I can usually remember it years later.
Hell, I can even remember the very first telephone number our family had, even after the area code changes some years back. I can remember the name of every teacher I've had in schools from nursery (American : Kindergarten) up. And my memory is far from eidetic, especially these days :(
The point is : The more effort you put into using your memory/brain, the more use you can get out of it :P
The little train that could!! Do, or do not. There is no "try".

Three new forums each month?
*glub glub* that's your life slowly going down the drain...

I once met my 4th grade teacher and had no memory of her, I'm 16 years old :P I don't use hotmail though

Fair enough bro.
Hope you get well. :)

i use two passwords and their variations for all the crap out there
gog
forums
steam
email
youtube
porn
etc.
if it gets stolen it might be a pain in the ass to get it back but it is not that important.
bank accounts, phone services etc. have own unique passwords. that is important so security must be tight.

Very interesting, but do not forget that we all don't have the same memory, or at least the same ways to memorize things.
While I agree that you can actually 'learn' to memorize, with exercices or else, I know for sure that my memory is purely visual (don't know if it's the right term in english).
If I choose a different password for each site, I'm sure I will never be able to remember them.

the other problem, of course, is being auto logged in. For example, I never enter my GOG password because i'm always logged in automatically.
But if i get logged out somehow, i doubt i'll remember it, as i've only used it once or twice. So, automated email password reset it is. again.
It sounds like this attack might be down to keyloggers, but i don't know the best way to find out about them. I do slightly worry that, while i'm pretty on the ball when it comes to fishing, I've got loads of extensions, widgets, etc.. that could be doing almost anything in the background.

Wait a second. Why would I want to change my pass if it was just a mass phishing scam? It's not like the Hotmail servers themselves were hacked, right?

Passwords are for chumps. Real men use public key authentication.

My password is the same for everything, like GOG, Steam, Impulse, Last.fm, Twitter, what have you, but my email passwords for Hotmail and Gmail and AOL (yes, really) are different. I'm the least secure person out there, short of the guy who puts a Post-It on their computer with their passwords on it (do those people really exist?).