Password manager + two-factor authentication whenever possible. As for the former: opinions here differ, but my recommendation would be not to trust a "cloud" password manager and employ an offline password manager instead. KeePass works great, for instance, and is open source and cross-platform.
While an offline password manager is inherently more secure, at some point you're either going to have to store the database on a cloud somewhere or worry about constantly keeping your databases in sync. Whether you store it in Dropbox/OneDrive/Google/etc. or use LastPass or another service, there's always going to be some risk.
At present I still recommend LastPass because that way you can easily have everything synced on your computers, phone, etc., and it's easier to convince people to remember one strong password and let LastPass handle remembering all the other strong passwords no matter what device you're on.
Sure, with an offline password manager backups and synchronization are up to you, but even if you end up relying on cloud storage it's a different story; for instance, if you store your KeePass database on a Dropbox account and said Dropbox account gets breached, at least you know that unless there's a flaw in the encryption algorithm used by KeePass, the password database cannot be decrypted without the master password (and brute forcing it should be very impractical if the master password is good enough).
If you use a service like LastPass or 1Password you can never be entirely certain that a breach or a security flaw in any of these services isn't going to expose your passwords. I'm sure they use the proper encryption measures, but like the Dropbox breach shows, shit happens and companies get hacked.
I'm not saying never use a cloud password manager, but understand that the added convenience comes with added risk; I would definitely not make my company depend on them.
There's really not much of a difference between syncing via Dropbox (or similar products) and cloud services with the following characteristics:
- Client-side encryption, meaning the service has no way to obtain your cleartext passwords (short of planting a backdoor, which is a vector that applies to all password managers).
- Full offline support, with the ability to export your database. This becomes relevant when the service is down, you're running into billing problems, or if the company goes out of business entirely.
- Availability of a native client (as opposed to web apps or extensions that act as a thin layer on top of a web app). Planting a backdoor that leaks your secrets is significantly harder when you also need to compromise the vendor's signing key, as opposed to just breaching their web server and adding some JS file.
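To make the point of the two posts above concrete (an encrypted KeePass database sitting on a breached Dropbox account stays unreadable without the master password, and client-side encryption means the sync service never holds cleartext), here is an added example that is not code from KeePass, 1Password or any poster: a minimal client-side encrypted vault using only the Python standard library. The names `encrypt_vault`, `decrypt_vault` and `brute_force_years` are chosen here, and PBKDF2 stands in for the memory-hard KDFs (Argon2, scrypt) a real vault should use.

```python
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 600_000  # slow on purpose: every brute-force guess pays this cost


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys.
    PBKDF2 is used because it is in the stdlib; a memory-hard KDF is better."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (the stdlib has no AES).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(entries, master_password):
    """Client-side encryption: the returned blob is what goes to the cloud store."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag


def decrypt_vault(blob, master_password):
    """Returns None on a wrong master password or a tampered blob (no partial leak)."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def brute_force_years(charset_size, length, guesses_per_second):
    """Time to exhaust the master-password keyspace at a given guess rate."""
    return (charset_size ** length) / guesses_per_second / (365 * 24 * 3600)
```

Whoever obtains the blob from the storage provider gets only salt, nonce, ciphertext and tag; each guess at the master password costs a full KDF run, which is what makes a long random master password impractical to brute-force.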
I just sync my 1Password via WiFi between my phone, work computer and personal computer. It's really not that much work either. Well worth keeping the vault off the internet.