When I was doing research for my book Authentication a few years back, I came to realize just how crazy password management has become. The rule comes down to this:
The password must be impossible to remember and never written down.
This is, of course, ridiculous. The ideal password has to be both memorable and hard to guess. Ideally, a password should be hard to crack, which means that it even takes a computer a really long time to guess it.
I wrote up some comments about this in a part of my web site called The Center for Password Sanity.
Note that some of this material may be reproduced under a Creative Commons license, while the copyright for some material is held by Addison-Wesley, the publisher of Authentication.