
(my tinfoil hat mode: I don't even have any important secrets but I believe in knowing how to protect them)

Use /dev/urandom, not a website. Make sure you have configured your text editor not to automatically save any backup files, cut buffers, or the like, and never write it to disk in unencrypted form. (I use vim >= 7.3 and its blowfish encryption; see encryptedvimrc and random_alnum in my scripts https://github.com/idupree/scripts ) If you copy/paste passwords, make sure you don't have a clipboard manager that persists recent history to disk. Also, encrypt your filesystem in case you screw up on any of the above. If you have swap, make sure that's encrypted with a generated-per-boot-from-urandom key generated after loading last boot's stored entropy from the disk. (A dedicated password-managing program might do some of these things for you. I haven't looked into their security methods yet; have you?)

If you can, use an email provider for your acct-registrations that uses decent security practices; use a high-entropy password for it; use different email addresses for every site, to make it harder for social engineering attacks (someone calling, say, Amazon or Apple's call center pretending to be you). The latter is probably hard unless you use your own domain or think '+' addresses are sufficient. If you use your own domain, you're vulnerable to your registrar or your account with them or your DNS being compromised, but you should have rigorous passwords and good registrars here because losing your domain name stinks. If malware gets on your computer, it can watch you and steal your passwords, so keep your system and browser up-to-date with security updates, disable riskier parts of your system that you can live without, prefer OSes/systems that are more on top of their security, and don't make enemies.

I don't understand why password managers like OnePass store passwords online; everything else they're doing as browser plugins is fighting the good fight. (True, there are risks of giving the browser the ability to access your passwords at all; but they're probably less than the risks of password reuse and low password entropy, and greater convenience means more people will use the system for more sites. Firefox Sync is the only consumer-friendly online storage that I've seen and consider well-engineered-&-documented enough to consider trusting. Tarsnap and Tahoe-LAFS also meet everything but the "consumer-friendly" bit there, and have a somewhat different focus. It may be worth considering encrypted online mirrors legitimate (online mirrors, not sole copies) for the sake of people who don't do backups, have multiple devices, and/or have their disk fail or device stolen.)
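The "use /dev/urandom, not a website" advice from the comment above, as an added example (this is not the commenter's random_alnum script nor anything from the linked repository; it assumes a POSIX sh with `tr`, `head` and `awk`). The generator reads raw bytes from /dev/urandom and keeps only alphanumeric ones, which is rejection sampling: every byte that survives `tr -dc` is uniformly distributed over the 62-character set, so there is no modulo bias. The password is only ever held in a shell variable or piped to a consumer, never written to a file.

```sh
#!/bin/sh
# Added example: generate a high-entropy alphanumeric password from /dev/urandom.
# Assumptions (not from the original comment): POSIX sh, tr/head/awk available,
# /dev/urandom readable. LC_ALL=C keeps tr working on bytes, not locale characters.

ALNUM='A-Za-z0-9'   # 62 symbols

# random_alnum LENGTH
# Rejection-sample LENGTH alphanumeric characters from /dev/urandom.
# Bytes outside the set are discarded rather than mapped, so each kept
# character is uniform over the 62 symbols.
random_alnum() {
    len="${1:-20}"
    LC_ALL=C tr -dc "$ALNUM" < /dev/urandom | head -c "$len"
    printf '\n'
}

# password_entropy_bits LENGTH
# Entropy of a uniformly chosen LENGTH-character password over 62 symbols:
# floor(LENGTH * log2(62)), i.e. about 5.95 bits per character.
password_entropy_bits() {
    awk -v n="${1:-20}" 'BEGIN { printf "%d\n", n * log(62) / log(2) }'
}

# is_alnum_only STRING
# Returns 0 if STRING contains only [A-Za-z0-9]; used to sanity-check output.
is_alnum_only() {
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d "$ALNUM")" ]
}

# Usage: keep the secret in a variable and hand it straight to its consumer
# (here just stdout); never redirect it into an unencrypted file.
if [ "${1:-}" = "--demo" ]; then
    pw=$(random_alnum 24)
    echo "password: $pw"
    echo "entropy:  $(password_entropy_bits 24) bits"
fi
```

Twenty characters from this set give about 119 bits of entropy, comfortably beyond what any online or offline guessing attack can reach, so the remaining risk is entirely in how the password is stored and typed (backup files, clipboard history, swap), which is what the rest of the comment is about. For the per-boot swap key on a Linux dm-crypt system the corresponding configuration is an /etc/crypttab entry of the form `swap /dev/sdXN /dev/urandom swap,cipher=aes-xts-plain64,size=256` (device name is a placeholder); the kernel reads the key from /dev/urandom on every boot, so nothing written to swap survives a reboot.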



I think you mean LastPass or 1Password.

Startup idea: the email equivalent of 1Password.

You give each site a completely unique, distinct yet valid email address. They forward to your real email address and vice versa.

This way if one email is compromised you know where the spam is coming from plus it reduces email tracking and correlation.


At least the last time I used it, Google Checkout had an opt-in feature that would create a unique unguessable email address the first time you purchased something from a shop, and this email address would be proxied to your GMail account.


While that is nice, I was thinking of a more distributed model (not necessarily hosted by Google).



