A framework for modeling password management risks and costs, and the beginnings of a good strategy for users to help them manage passwords for their often large portfolios of accounts, are outlined in the paper Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts | USENIX Security 2014 (note the full pdf text is already available). It is covered e.g. at
Mathematics makes strong case that “snoopy2” can be just fine as a password | Ars Technica
Microsoft researchers: Re-use the same password across sites likely to be hacked | Network World
Basically, since it is impossible for users to remember good, unique passwords for dozens or hundreds of different accounts, and since some accounts have low risks to the user if they are compromised (e.g. passwords to log in to a newspaper site to read stories), they explain that "password re-use can be part of a coping strategy". They suggest that people can group together accounts with high value plus low probability of compromise, and those with low value plus high compromise probability, and reuse the same password within each group. Their analysis also covers password managers, which shift some of the risks around to some degree. On that topic see also How to evaluate a password manager?. I'll add that hybrid strategies can also make sense, e.g. using a password manager for some groups of accounts.
They note the need to understand and explain how users can trade off user effort at remembering passwords with the probability that the password is compromised. This site has gathered some wisdom relative to that: What is your way to create good passwords that can actually be remembered?
They also note the need for future study to understand, model and explain the losses due to compromises of various types of accounts. So my question for the risk-management experts and those adept at explaining things in ways that connect with users is, how can we best help users understand the kinds of risks they face if accounts of various types are compromised? E.g. compromise of a password for an online bitcoin wallet presumably means the unrecoverable loss of all the bitcoins stored there. But compromise of the password for reading articles on a newspaper site may have little or no meaningful impact on the user, and in fact some groups of users try to share accounts and passwords for these sorts of sites with their friends. Other kinds of accounts are traditional banks (with some hope of recovery of stolen funds), social media, email, work-related passwords, web services, wifi access, encryption keys, etc. Sometimes the losses may not be obvious to the users (e.g. risks of identity theft, reputation loss, etc).
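To make the grouping trade-off concrete, here is an added example (my own code, not from the paper or its authors) that models a small, constructed portfolio of accounts, each with an assumed value lost on compromise and an assumed yearly compromise probability, and brute-forces which accounts to let share a password once each extra password carries a fixed memorization cost. The "group is lost if any member is compromised" rule and the linear effort cost are simplifying assumptions of this example, not the paper's exact model.

```python
from itertools import product
from math import prod

# Constructed sample portfolio: (name, value lost if compromised, yearly compromise probability).
# All figures are invented for illustration only.
ACCOUNTS = [
    ("bitcoin_wallet", 5000.0, 0.02),
    ("bank", 2000.0, 0.02),
    ("email", 3000.0, 0.05),
    ("social", 500.0, 0.10),
    ("newspaper", 5.0, 0.30),
    ("forum", 5.0, 0.30),
]


def expected_loss(groups):
    """Expected yearly loss for a plan where every account in a group shares one password.

    Assumption: if any account in a group is compromised, the shared password leaks and
    the whole group is lost, so the group's value is exposed with probability
    1 - prod(1 - p_i) over its members.
    """
    total = 0.0
    for group in groups:
        p_group = 1 - prod(1 - p for _, _, p in group)
        v_group = sum(v for _, v, _ in group)
        total += p_group * v_group
    return total


def plan_cost(groups, effort_per_password):
    """Total cost = expected loss + a fixed effort cost per distinct password remembered."""
    return expected_loss(groups) + effort_per_password * len(groups)


def best_partition(accounts, max_groups, effort_per_password):
    """Exhaustively assign each account to one of max_groups password slots and keep the
    cheapest plan. Fine for a handful of accounts; exponential beyond that."""
    best = None
    for labels in product(range(max_groups), repeat=len(accounts)):
        groups = [[a for a, lab in zip(accounts, labels) if lab == k] for k in range(max_groups)]
        groups = [g for g in groups if g]  # drop unused slots
        cost = plan_cost(groups, effort_per_password)
        if best is None or cost < best[0]:
            best = (cost, groups)
    return best


if __name__ == "__main__":
    unique = [[a] for a in ACCOUNTS]
    print("unique passwords everywhere:", round(plan_cost(unique, 20.0), 2))
    cost, groups = best_partition(ACCOUNTS, len(ACCOUNTS), 20.0)
    print("best plan:", round(cost, 2), [[n for n, _, _ in g] for g in groups])
```

With these constructed numbers only the two throwaway accounts end up sharing a password; merging any high-value account with anything raises the expected loss by far more than the one password it saves.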