I have accounts at probably hundreds of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals. It's pretty commonsensical once the threat is understood.
So the implication is that I have hundreds of passwords, all unique, and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down.
Yes; of course more than a couple of dozen random passwords or passphrases will be hard to remember, so look into something like 1Password, PasswordSafe or LastPass to help you with that - amongst others. It goes without saying that your password database should be protected by something really quite long but memorable to you.
* Create a strong password for your account, one that includes letters, numbers, and other characters.
And that each of those passwords, which I change every few months on hundreds of web sites, needs to be really hard to guess.
Yes. My 1Password configuration for my work system is for 16-character random passwords, sprinkled with punctuation and mixed case. My home one is less thoroughly set up but is being migrated to the same. They are this way because I have both read and understood the performance statistics for some software called "Hashcat", which I have seen burn through every single 1- through 8-character lowercase alphanumeric password in 32 minutes, on a single Alienware gamer laptop. Imagine what it can do on AWS.
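To put numbers on the reply above, here is an added worked example (not code from the original post or its author): it takes the anecdote's keyspace of every 1- through 8-character lowercase alphanumeric password and the 32 minutes quoted, derives the guess rate that implies, and then projects how long the same rate would need for the 16-character mixed-case, digits and punctuation passwords the reply describes. The 94-symbol printable ASCII alphabet and the use of that derived rate as a yardstick are assumptions for illustration; the post names no hash algorithm, and Hashcat's real speed varies by algorithm and hardware.

```python
import math
import secrets
import string

# Anecdote from the post: every 1..8 character lowercase alphanumeric
# password was exhausted in 32 minutes on one laptop.
LOWER_ALNUM = string.ascii_lowercase + string.digits   # 36 symbols
ANECDOTE_MAX_LEN = 8
ANECDOTE_SECONDS = 32 * 60

# Assumption for illustration: a "16-character random password with
# punctuation and mixed case" drawn from all 94 printable ASCII symbols.
FULL_ASCII = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Count every distinct password of each length in [min_len, max_len]."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def implied_rate(alphabet_size: int = len(LOWER_ALNUM),
                 max_len: int = ANECDOTE_MAX_LEN,
                 seconds: int = ANECDOTE_SECONDS) -> float:
    """Guesses per second needed to exhaust the anecdote's keyspace in `seconds`.

    This is an inferred yardstick, not a measured Hashcat benchmark: the
    post does not say which hash algorithm was being cracked.
    """
    return keyspace(alphabet_size, 1, max_len) / seconds


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Years to try every password of length 1..`length` at `rate` guesses/s."""
    return keyspace(alphabet_size, 1, length) / rate / SECONDS_PER_YEAR


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = FULL_ASCII) -> str:
    """Generate a password the way a password manager would: CSPRNG, uniform
    choice per position.  Never use random.choice() for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = implied_rate()
    print(f"keyspace exhausted in anecdote: {keyspace(36, 1, 8):,}")
    print(f"implied guess rate:            {rate:,.0f} guesses/s")
    for alphabet, n, label in [
        (LOWER_ALNUM, 8, "8-char lowercase alphanumeric"),
        (LOWER_ALNUM, 12, "12-char lowercase alphanumeric"),
        (FULL_ASCII, 16, "16-char full printable ASCII"),
    ]:
        yrs = years_to_exhaust(len(alphabet), n, rate)
        print(f"{label:32s} {entropy_bits(len(alphabet), n):6.1f} bits "
              f"{yrs:14.3g} years")
    print("sample 16-char password:", generate_password())
```

The point the numbers make is the one the reply makes in prose: the anecdote implies on the order of 1.5 billion guesses per second on a laptop, which exhausts the 8-character lowercase alphanumeric space in half an hour but would need hundreds of trillions of years for 16 random printable characters. Adding length and alphabet multiplies the work; a faster hash or more GPUs only divides it by a constant.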
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
Stop using your brain, use a computer.
What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging.
Yes, some people evidently do. -a