The worst part of this is that memorizing passphrases is far easier than passwords. Compare:

mydog'snameisAliceandsheiscute

to

P@ssw0rd

The latter is harder to memorize (what letters did I substitute with symbols again?) and far easier to crack.

I suspect until regulators make people use encrypted email we'll keep using plain-text.

I'm a big fan of passphrases for important sites. For most sites I use a randomly generated pw that's stored in a password manager. I use separate pw managers for home (1password) and work (lastpass).

Since a pw manager can be cracked, for important sites (financial , email, etc), I make up a sentence that describes my feelings about the site. These I keep memorized. As a bonus, as my feelings about the site change, it's a great prompt to update my password.

I'd like to throw a layer of physical security into the mix (eg one of those usb keys), but it seems like there still aren't universally accepted options. Anyone have suggestions for this?

LastPass supports 2FA (Yubikey, Google Authenticator, etc.) and it's pretty seamless and works well.