I have two passwords. One is a random 9 character string which I sat and memorised. Oddly, despite the nature of it, Yahoo deems it a low security password... begging the question of what they consider strong, or questions their algorithm for determining such things.
For all financial transactions; EFTPOS, POS, banking s/w, etc, I use a 10 digit number, again of no significance. I DO use a certain number 4 times which can be really frustrating for someone watching - as opposed to what some may think.
Finally, to really upset someone watching you, type in about 6 characters fairly rapidly and hit the backspace key 4 times (so they have to do a sudden 'unmemorise'), only to type the same numbers again. They will almost certainly not realise what you have done, as if done fast enough, they will still be trying to work out which character was wrong. I see this as a simple yet very frustrating way to deter those who snoop.