[mudil]

After Gawker was hacked (and my account with it), I have created a website that tells average folks how to solve these issues: http://www.passmix.com/. It's not a perfect solution, but it's way better than the same password for different websites.

[anonycoward]

From what I've read this (and methods like it) seems to be a common way to generate passwords. This seems to be a somewhat weak implementation though - imagine you used this method with the same base everywhere, and 2 sites were hacked, let's called them InLinked and Kergaw. Using the examples from passmix.com with base 'house cat' I might end up with: 'housei!n8cat' and 'housek!e6cat'. Say I'm targeting you specifically, I look at these two passwords, and I see that they both follow 'houseX!Y#cat' format. It's only a moment longer before I've a good guess at how the password is constructed, and then try it against your email. Once I've cracked your email I can just use the forgot password feature of any other site to reset your password there.

It would be quite easy to write a script to detect the similarity with the two passwords (9 characters in common, same positions, same length = 12).

You should never use the same password across sites, nor should you use the same password system unless that system is secure. Assuming you can keep your algorithm for password generation private, passing this through a one-way hash function might then strengthen your password a bit (at least a hacker couldn't easily visually derive your password algorithm, or that you are using one) but this still isn't perfect.

Generally it's not a good idea to tell people how to construct passwords unless you're an expert in cryptography. I'm not, so please don't take any of this as advice on how to construct a password. It's advice on how not to, if anything.