FlyerTalk Forums - View Single Post - TSA Keeping Us Safe From Hackers
Old Dec 23, 2016 | 3:55 am
  #4  
dsdwe234sfd23
Join Date: Sep 2016
Posts: 45
Originally Posted by televisor
I disagree with point 5; you may want to take a read of the following for the full reasoning, but TL;DR: you don't need random characters with a long password:
https://en.wikipedia.org/wiki/Diceware

Yes, if you're using a password manager then there's no difference whether or not you use random characters. But you still need (to remember) a password to protect your password manager, system login passwords, and possibly email or bank passwords that you use regularly when you might not have a password manager with you.

What ends up happening is that people use shorter insecure (but maybe random character containing) passwords for those common use cases, when it's just as easy to remember a much more secure long password using the above schema.
All other things being equal, nothing is more important than length (most of the time) in a password. Also true is that there is always a need to know a few long, strong passwords for system accounts, drive decryption and to unlock the password manager.

"For those few system logins, I use the long, funny sentence method of password generation." --> "ftfsl,Iutl,f,s,mopg." for example. I'm moving over to a passphrase + yubikey method, where possible. Yes, that means that if I don't have the yu....y, then I don't get into the system. OTOH, if someone else has the yubikey, they still don't know the other half of the login, or how long it is. A 2nd yubikey, identically configured, is at the bank in a safety deposit box. There are other vendors than yubico which make these devices. SmartCARDs are another option, but don't work cross-platform without very careful effort.

Convenience is often the enemy of security. The few things I use which are actually more secure AND more convenient are not usually things used by end users. ssh and things that leverage ssh, like rsync, x2go, scp, sftp. Not used by most end users.

I disagree that there is a need to know either email or bank passwords - heck, I don't even know my login name for my broker - it is random too. Why? Because that company limits the password field to 8 characters, but allows 35 characters for the userid, so I use both, random. Sure, the userid could be leaked, but I don't know it. I've never needed to log in to either my bank or broker without access to the password manager. Accessing money just doesn't require that level of access these days. My broker provided a SecurID fob when I asked about it. No cost. Sadly, they don't mandate its use, which kinda defeats the purpose. Seems their 8-character password limit probably has something to do with allowing touch-tone phone and back-end mainframe system access. I worked on mainframes for a few years early in my career.

Plus, since I use a different email account (actually a different alias, not account) for almost every different business, I've stopped remembering any of those logins. Just look at my userid here. Random. Generated by a computer. I won't remember it. The same applies to most of my online accounts. I don't remember the email alias used for it either, but if/when the email spam starts coming in and one isn't handled by the anti-spam tool, I'll know exactly where the leak happened.

Don't get me started about the lack of security for people using most free email accounts. The rule is simple, if you aren't paying for the service, then you and your data are the product. Gmail, yahoomail, hotmail - JUST SAY NO! Plus, I don't know that I'd use gmail/twitter as the authentication for other online accounts either - privacy thing - not a security thing.

Realistically, if we are only using passwords for logins, we've already lost the security battle. Over the years, smart people have tried to come up with an alternative. Mozilla has, Google has, NIST has, but the login/password combination seems to never die.

If it isn't obvious, I'm in the business.
dsdwe234sfd23 is offline
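The post argues that length beats character complexity, and it mentions a broker that caps passwords at 8 characters while allowing a 35-character user id. The following is an added example, not code from either poster, that puts numbers on that argument: it computes the entropy of a random-character secret versus a Diceware passphrase (the 7776-word, five-dice scheme linked above) and shows the dice-roll-to-index mapping. The wordlist passed in is an assumption; a real run would load a published Diceware list.

```python
import math
import secrets

DICEWARE_WORDS = 6 ** 5      # a standard Diceware list has 7776 entries, one per five-dice roll
PRINTABLE_ASCII = 94         # symbol pool of a typical random-character password

def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from a pool of `pool_size` symbols."""
    return length * math.log2(pool_size)

def words_needed(target_bits: float) -> int:
    """Smallest number of Diceware words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(DICEWARE_WORDS))

def roll_to_index(roll: str) -> int:
    """Map a five-digit dice string such as '31426' to its 0..7775 position in the list."""
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)   # base-6 digit; dice faces are 1..6
    return index

def diceware_roll() -> str:
    """Simulate five dice with the OS CSPRNG (secrets), never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def diceware_passphrase(wordlist: list, words: int = 6) -> str:
    """Pick `words` words by dice roll; `wordlist` must be a full 7776-entry Diceware list."""
    if len(wordlist) != DICEWARE_WORDS:
        raise ValueError("expected a 7776-word Diceware list")
    return " ".join(wordlist[roll_to_index(diceware_roll())] for _ in range(words))

def compare_schemes() -> dict:
    """Entropy of the schemes the thread mentions, rounded to one decimal place."""
    return {
        "8 random printable chars (broker password limit)": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
        "35 random printable chars (broker user id)": round(entropy_bits(PRINTABLE_ASCII, 35), 1),
        "6 Diceware words": round(entropy_bits(DICEWARE_WORDS, 6), 1),
    }

if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:50s} {bits:6.1f} bits")
    print("Diceware words needed for 128 bits:", words_needed(128))
```

Five Diceware words already exceed the 8-character random password, which is why a passphrase is the easier secret to memorise for the few logins that must be remembered.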