Are complex passwords the answer to security?
In a world of cyber breaches, identity theft and logins to dozens of websites and systems, we know to create a different user-name / password combination for each site and system - but how can we possibly remember every credential for every site?
NIST (the US National Institute of Standards and Technology) recently updated its guidelines for keeping government information systems secure (Special Publication 800-63B, Digital Identity Guidelines), making some significant changes to long-standing password best practices.
Modern web browsers assist our effort to create unique credentials for each web site by generating a ridiculously obscure password: an impossible-to-remember combination of letters, numbers and symbols.
The NIST guidelines acknowledge that the benefit of forced complexity is usually outweighed by its downsides: the revised guidance favours length over composition rules (upper case, digits, symbols) and instead screens candidate passwords against lists of known-compromised values. As humans (without an eidetic memory), we can't hope to remember bizarre auto-generated strings of letters, numbers and symbols, so we are tempted to record them in clear text: on a notepad, a sticky note, or (shudder) in a spreadsheet. Easy for us to use - but just as easy for others with less than pure intentions to find.
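To make the contrast concrete, here is an added example (not code from the original post, and not NIST's own reference code) that puts an old-style composition-rule check beside a length-and-screening check in the spirit of SP 800-63B. The function names, the 8-16 character legacy range, and the tiny compromised-password blocklist are all assumptions constructed for this illustration; a real verifier would screen against a breached-password corpus of many millions of entries.

```python
from __future__ import annotations

import string
import unicodedata

# Constructed sample blocklist: a few well-known weak values. A real verifier
# would screen against a breached-password corpus of many millions of entries.
COMPROMISED = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1", "qwerty123",
    "letmein", "welcome1", "iloveyou", "summer2024!",
}


def legacy_policy(pw: str) -> tuple[bool, str]:
    """Old-style composition rules: 8-16 characters, all four classes required."""
    if not 8 <= len(pw) <= 16:
        return False, "length must be 8-16 characters"
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_upper and has_lower and has_digit and has_symbol):
        return False, "needs upper, lower, digit and symbol"
    return True, "ok"


def _has_long_run(pw: str, limit: int = 4) -> bool:
    """True if any single character repeats `limit` or more times in a row."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= limit:
            return True
    return False


def nist_style_policy(pw: str, context: tuple[str, ...] = (),
                      blocklist: set[str] = COMPROMISED) -> tuple[bool, str]:
    """Length-plus-screening check in the spirit of SP 800-63B section 5.1.1.2.

    `context` holds service- or user-specific words (site name, username) that
    the secret must not contain; `blocklist` holds known-compromised values.
    """
    # Unicode normalisation so the same secret compares equal however it was typed.
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 8:
        return False, "must be at least 8 characters"
    if len(pw) > 64:  # 800-63B says verifiers should accept *at least* 64
        return False, "longer than the 64 characters this verifier accepts"
    # No composition rules: spaces, Unicode and any printable character are fine.
    folded = pw.casefold()
    if folded in blocklist:
        return False, "appears in the compromised-password list"
    if any(word.casefold() in folded for word in context if word):
        return False, "contains the service name or username"
    if _has_long_run(pw):
        return False, "contains a long run of one repeated character"
    return True, "ok"


def evaluate(pw: str, context: tuple[str, ...] = ()) -> dict[str, bool]:
    """Run both policies so the two philosophies can be compared directly."""
    return {
        "legacy": legacy_policy(pw)[0],
        "nist_style": nist_style_policy(pw, context)[0],
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("P@ssw0rd1", ()),                         # satisfies legacy rules, but is a breached value
        ("correct horse battery staple", ()),      # too long for legacy, fine for NIST
        ("Amazon!Rules2024", ("amazon", "jdoe")),  # site-name formula, caught by the context check
        ("aaaa1234!A", ()),                        # repeated run
    ]
    for pw, ctx in samples:
        print(f"{pw!r:35} {evaluate(pw, ctx)}")
```

The instructive cases are the first two: the "complex" `P@ssw0rd1` sails through the composition rules and is rejected only by the breach screen, while a four-word pass phrase fails the legacy check purely on length and is exactly what the newer guidance wants. The context check is the piece that catches a pass phrase built from the site's own name.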
So - what's the solution?
Creating a longer, memorable and unique password (a pass phrase) is an alternative to storing your passwords in clear text for others to find. I've seen others use a formula to create a pass phrase: a combination of the site address (or title) and some personal text, to ensure it is both memorable and unique. The caveat with any formula is that if one such password leaks in a breach, the pattern can often be guessed from it, which gives an attacker a head start on every other site.
I've seen others create a non-memorable, nonsensical password that they never intend to remember, relying solely on the 'reset password' process every time they need to access the website. That approach makes the e-mail account that receives the reset links the master key to everything else, so it needs the strongest protection of all.
Neither approach is a recommendation for everyone, but either is better than reusing the same (complex) password on multiple sites, or storing passwords in clear text.
Of course, using a password manager is an even better solution: it generates and stores a unique random password for every site, so the only thing you need to remember is one strong pass phrase for the manager itself.