Ever since that last massive security breach at Yahoo, besides no longer using Yahoo for e-mail, I have abandoned an unwise and not-very-secure password habit practiced since my youth: I used to cycle between the same few words, if sometimes with numbers or a changed case. Not that I seriously believe using more secure passwords and/or changing passwords would prevent my accounts from getting hacked. I just know I should nevertheless be doing it. (I've got a pretty inexhaustible source for generating passwords: titles and proper nouns from books.)

But should I bother doing it for accounts on sites where I don't make any financial transactions and don't discuss personal information? This site, for instance. Why would hackers want to steal information from my LQ account; and if they did anyway, should I particularly care? If I'm being naive, go ahead and tell me.

They would be looking for your email address, as that is what spammers use to send out their crap to people.
It can make life difficult for you as the official owner of that address, & can get you banned from others sites.
Wise to at least have different passwords on each & every site that you use.

Yes. You have personal information (such as your real name) on the "fun" sites. And the first thing a hacker will do after guessing your password for a "fun" site is to try logging in to zillions of other sites with the same username and password.

Use a password manager.

Well maybe one day we will have a way to employ retina scans on websites and you won't have to bother but until then.....

Good idea...

Is there a security reason I shouldn't manually keep a file of my passwords, if it works for me? I know perfectly well what a password manager is, and used to use one; but it was made a nuisance by a a university e-mail system that went through more than one password check. After routine password changes, the password manager didn't understand that the change applied to both checks, leading to constant password mistakes. I got annoyed enough that I abandoned the password manager, and have ever since been consulting my manually maintained password file.

Both OS/X and KDE/Gnome provide some kind of a "secure note" facility and that's what I use. Not just for passwords but for all sorts of things.

Being a lazy sot, I generally use the same password on web-sites but of course it isn't the same as any login password that I use. All of those are "all different," and they're nonsense words. (trypt0phane ... that would have been a good one.) Nevertheless, I do keep secure notes about them.

(But you can't use my login-passwords anyway, unless you've got my one-of-a-kind OpenVPN certificate, which is encrypted with a passphrase and which will have been revoked long before you get a chance to use your stolen prize. In fact, you can't even find my servers' secret doors: to any scanner, "there's nothing there at all." As I discuss in my blog here.) Not a single one of my servers exposes anything, including ssh, directly to the world-at-large. I don't worry about "unauthorized access attempts" because I never get any.

If you need to deploy a web-site where you can't use OpenVPN to secure the administrative portal, mod_ssl (or its "nginix" equivalent) is your best friend, because "it cuts both ways" if you want it to. It can secure a web-site such that only the bearer of a properly-signed TLS certificate can access it or some designated portion of it. (Not quite as sophisticated because I don't recall that it supports revocation, but I could well be wrong on that.) Access is not available merely due to knowledge of a secret (password), but requires that you bear a credential.

The possibility of having anyone else ever use or service the same PC, or having anyone else in the room when you have that file open, would both be "security reasons".

At least replace the "file" with KeePass or KeePassX.

Never allow utility companies to demand passwords over the telephone.
There is no reason for them to do this - they called you but you
dont know who is really on the other end.
Thats a real bad habit to get into allowing.
And dont be fooled by "just the first and third letter" scam.
Scammers will come back months later to get the rest and I guarantee
you didnt change it (and probably use the same one elsewhere)
There is no security on a phone line at all.

Ask for the person's name AND the item / case / ticket reference and then call back on a "known good" number.

Think about which web sites you use the same passwords on - are they really long term
genuine looking sites or just clones or simple sites designed to gather passwords?
(SSL doesnt protect you)

SSL certificates are themselves untrustworthy.
Think who issues them
Now think who might want to put encrypted stuff on servers the server admin cant read
And now think what is to stop them (line above) doing this apparently legitimately

I use a different long complex password for every site and encrypt the files, but I never use a password manager or have my browser remember passwords.

Your mothers maiden name is something you should closely guard IMO.

I use KeepassX for a password vault. It runs on Windows, Mac, and Linux, and the database is portable.

I find it far superior to password vaults that are tied to particular desktop environments, like those keyring thingees, or dependent of the innerwebs.

No. never use passwords on the telephone.

the persons name means nothing at all. a "case/ticket" number means nothing to you.
it is not your responsibility to pay for and call them back.

If they want to verify THEY have called the right number they should ask for something
off your WRITTEN bill or statement that changes every time you get one. This is for THEM
not you. You should ask THEM for information only they should have not the other way around.

If they don't provide written bills or statements you shouldnt be doing business with them anyway.

the biggest threat to your privacy and security isn't the criminals - its government legislation
that has forced you to spread vast quantities of personal information across the planet
to whoever demands it.

Wake up.
Demand they stop asking for more than is required to get the job done and that it never
be used for any other purpose whatsoever. Selling it on should be a criminal offence.