Technical Q & A: Passwords
Do I really need a different password for every web site I go to?
Well, it depends. The risk of using the same password for all of your web sites is that if one web site is compromised then bad people can take the user IDs and passwords, then try them against a large number of other web sites (like Amazon.com, USBank.com, etc.). So what happens is that a simple web site like quilting.org gets attacked by hackers, and a few people who use that web site later find that their savings account is empty, and all of their money was sent to Russia…
But how can I remember all of those stupid passwords?
Nobody can. The most paranoid use a different user ID and password for each and every web site, and then keep a paper copy of the IDs and passwords (or an encrypted file with the information).
A more reasonable system is to separate the web sites you use into three categories:
  1. Financial Institutions (banks, brokers - any place that has direct access to your assets). You really want to be careful with these; you often don't have any protection for fraudulent interactions with these. Unfortunately, nobody has shown me anything better than using a different user ID and random (and long!) password for each web site, and keeping these on a piece of paper at home, or in an encrypted file. Remember, a good password does NOT include names, any word in the dictionary, addresses, etc.; it should look like you put all of your fingers on the keyboard at once and typed random garbage!
  2. Any web site that has your credit card number. In this case, you usually have protection against fraudulent transactions, so you can loosen up a bit here... A good method is to use the same user ID on all sites, but use a different "derived" password for each site. A "derived" password has two parts: a fixed part which you memorize, and a part which depends on the web site. For example, if the 'fixed' part were the first letters of a favorite song (O Come, O Come Immanuel) and then every other letter in the web site, a password for amazon.com would be "ococIaao"; for barnesandnoble.com it would be "ococIbreadol" - a pretty good password and easy to remember. Be sure to include some capital letters as well as lower case letters in your "fixed" part (adding numbers would help too, but may not be necessary).
  3. All the other web sites that want a userID/password. For these, the "risk" is that somebody may use your good name in vain... maybe you don't care. If you wish, feel free to use something like the method mentioned for #2, but use a different "fixed" part; otherwise, just use the same userID/password for all of these sites.

Two more things to remember about any password:

• Length does matter. Even if you append the same thing to all of your passwords, adding extra characters increases your security.
• Using capitals, numbers, and "special characters" (such as periods, commas, dollar signs) is also a great idea.

See Gibson Research Corporation's Password Haystack web page for a great explanation of why these last two items are important!