
"Worse than", as in "six orders of magnitude worse than"

Hashcat on a single PC (with an appropriate video card) can test over 5 billion passwords/second, and salted MD5 passwords barely slow it down at all (the Joomla result below is for MD5(password + 32CharSalt)). The salt helps, because I can't just look the hash up in a rainbow table (or google for it), but you should expect any password that has ever been made public from any other exploit to be on somebody's wordlist and to fall in seconds to any attacker with a few hundred bucks' worth of video card, and any combo of two or three dictionary words with or without obvious letter-number substitutions to fall in well under an hour.

With bcrypt, that comes down to under 4 thousand attempts per second. That makes password cracking one million times harder.

from http://hashcat.net/oclhashcat-plus/

  MD5: 5144M c/s
  Joomla (MD5): 4609M c/s
  bcrypt: 3788 c/s



I see from another comment that vBulletin uses MD5(MD5(password)+salt) - I'd expect hashcat to be able to still blast through that at something north of 2 billion c/s…

That'll search the entire 32 million entry list of RockYou passwords in under a tenth of a second, and all 9-lower-case-letter passwords in an hour - or two hours if you include all 9-char combinations with a single leading uppercase char. The rulesets that hashcat can use almost certainly mean that any admin password which was human-created and under about 20 characters in that leak has already been cracked (anything made out of names or dictionary words with guessable letter/number/punctuation substitutions and leading/trailing digits - M1ffyTheC@t is not unguessable).
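The arithmetic behind the figures in the comments above, as an added example that is not part of the thread or of hashcat: it builds the two salted-MD5 constructions named there and converts the quoted rates into worst-case search times for the keyspaces mentioned. The function names are hypothetical, the 2 billion c/s vBulletin rate is the commenter's guess rather than a benchmark, and treating the inner MD5 as lowercase hex text is an assumption.

```python
import hashlib

# Rates quoted in the thread (candidates/second, one PC with a GPU).
RATES = {"MD5": 5144e6, "Joomla MD5(pw+salt)": 4609e6, "bcrypt": 3788.0}
# The thread's guess for vBulletin's scheme, not a benchmark result.
RATES["vBulletin (thread's estimate)"] = 2e9

# Keyspaces mentioned in the thread.
KEYSPACES = {
    "RockYou list (32 million)": 32_000_000,
    "9 lowercase letters": 26 ** 9,
    "9 letters, first may be uppercase": 2 * 26 ** 9,
}

def joomla_md5(password: str, salt: str) -> str:
    """MD5(password + salt), the construction the thread attributes to Joomla."""
    return hashlib.md5((password + salt).encode()).hexdigest()

def vbulletin_md5(password: str, salt: str) -> str:
    """MD5(MD5(password) + salt); assumption: inner digest is lowercase hex."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate once at the given rate."""
    return keyspace / rate

def humanize(seconds: float) -> str:
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"

def table() -> dict:
    """Map (keyspace, scheme) to a readable worst-case search time."""
    return {(k, s): humanize(seconds_to_exhaust(n, r))
            for k, n in KEYSPACES.items() for s, r in RATES.items()}

if __name__ == "__main__":
    # Constructed sample: one password, two salts give unrelated digests, so a
    # precomputed lookup fails, yet each guess still costs only one MD5 call.
    print(joomla_md5("M1ffyTheC@t", "saltA"), joomla_md5("M1ffyTheC@t", "saltB"))
    for (k, s), t in table().items():
        print(f"{k:36} {s:32} {t}")
```

At the quoted bcrypt rate the same 9-lowercase-letter keyspace takes decades rather than minutes, which is the whole argument for a deliberately slow hash.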


Modern password cracking is really quite sophisticated. They've taken to using words and phrases from common websites such as Wikipedia in addition to ordinary words.


You really can't manage passwords in your head any more. At least not enough of them.

In my head I've got three banking passwords, two domain registrar passwords, and one "important email account password" (which is backed with TFA) that's the email that password resets get sent to - all are 16 random chars, and also two five word GPG passphrases. Those are _only_ in my head (well, one GPG passphrase is also in a sealed envelope in work's safe). Everything else is in 1Password locked behind a 7 word (intentionally misspelled) pass phrase – there are right now 866 sets of credentials in there - mostly 16 or 25 character (depending on when they were created/updated) random upper/lower/digits/special strings - with a few exceptions where sites/services won't let me use 25char passwords or sometimes prohibit "special characters" (Like your slow cryptographically secure hash function is susceptible to SQLi or XSS? That's why I can't use quotes or angle brackets? Really? Or are you actually incompetent?)

The 1Password file is synced between 4 machines in two physical locations plus 3 mobile devices, and time machine archived on one machine in both physical places - and one of those time machine archives is EncFS encrypted and stored on Dropbox and archived on S3 weekly, the other is daily rsynced to a pair of local drives. The passphrase isn't written down anywhere - but a hint which'd remind _me_ of the passphrase but would be innocuous/meaningless without sufficient context is written down and safely stored in two places. I _would_ be screwed without my 1Password data.

In my more paranoid moments, I wonder if both EncFS and 1Password's encryption are reliable enough to make leaking that file to Dropbox (which means S3/Amazon, which means the NSA if they're ever curious enough to ask Dropbox and/or Amazon for it). I also wonder about the attack vectors I've opened by having the 1Password file and app on two iOS devices - potentially leaking them to Apple and hence the NSA. But if the NSA ever come looking at _me_ specifically, I'm going to assume I've lost everything already. I don't _think_ any of that'll get caught up in dragnet surveillance though (except for when I get clients asking me to mail them hosting/admin/registrar credentials to their gmail or yahoo email addresses - facepalm)

(Actually, I also have my AppleID password "in my head" - since I need to type it in too many places where 1Password can't autofill it for me...)



