The common practice is to use password managers.
"not convenient\difficult\paranoia" - now everyone will rush to dissuade you, yeah, they fled.

Use password managers, of course, no more.
What is your paranoia? For some reason, I can’t believe that it can be difficult / inconvenient compared to storing in my head.

should be changed every two months

Once I decided for myself:
login = domain + salt (or your)
password = domain + login + salt2
salt, salt2 something that you will not forget: index, date, cat's name.

Good and advanced services have many account protections.
1. Check that the password is sent ONLY in encrypted form or via SSL!
2. Password (any and can not be changed) + E-MAIL + SMS + Google Authenticator + filter by IP address / subnet + OAuth / SSH tokens are still available, etc.
In general, the question is good: you need to scribble the article: "Accounting in the safe"))
Let's create a function (formula):
Function: login, hash: sha1(domain+"salt"), current date of creation/change of password, alphabet of all possible characters in the password, the requirements for the formation of the password and its own "salt".
On an input: only the domain.
Then we calculate the hash and by hash'u - we find the login and after: we calculate the password.
At the output: we get a login and a ready-made password
. That is, without knowing the domain and the formula, you cannot find out the exact login and password.
The password is not stored anywhere.

Take your favorite book...
https://en.wikipedia.org/wiki/%D0%9A%D0%BD%D0%B8%D...

If the service is equipped with 2-factor authentication, the complexity of the password does not play a role at all, you can at least use vasya123. And all serious and important services are already equipped with a 2-factor, incl. and cloud storage. Somewhere authorization confirmation comes via SMS, somewhere OTP applications are used. OTP all work on the same principle, you can use any. For example, I use Yandex Key for Android, which works great with both Yandex and Mail, Dropbox, Google, OneDrive, and even my own Nextcloud accounts. Before the widespread use of 2-factor, my accounts were still stolen from time to time , and the complexity of the password did not play any role. I restored access, of course, but that's all nervously. After the introduction of 2-factor - never. For all kinds of garbage sites and one-time registrations, you can use one-time e-mail, there are many such services. The purpose of creating such mail is to get a link to confirm registration, click on it and forget. They will hijack the account of such a site - and figs with it.
PS When I ran into difficult passwords, I used the most difficult combination that I knew from memory, namely - J3QQ4-H7H2V-2HCH4-M3HK8-6M8VW =) Naturally, not in this form, but there was a certain algorithm. For example, for sites of one group, I used this principle - before each block, special. character, the first letter after the first digit in the block is capital, the rest are lowercase, dashes are skipped. It turned out something like this - ?j3Qq4?h7H2v?2Hch4?m3Hk8?6M8vW. For sites of another group, a different special character and all capital letters were used, lowercase only the first after the first digit in the block. For junk sites, I used only the first two blocks and a simplified principle of formation. Etc. That is, only a supercomputer could crack such passwords in a couple of centuries, and still they stole accounts. Xs (who knows) where I slammed this moment, because I follow the system carefully, I don’t have malware, trojans and everything else.