by joeguilmette 5058 days ago
I am the only person I know who uses a unique, memorable and strong password for every site I use. I store all of them in my head.

I have a base password and I add the first several characters of the site to the middle.

For example:

Facebook - sdfb231a2

Hacker News - sdyc231a2

Yahoo - sdya231a2

For strong passwords I can add a suffix to further strengthen the password.

PayPal - sdpa231a2a4

I use the same suffix for all "strong" passwords. If a site requires a capital letter I always capitalize the first letter.

I've gone to create an account with a site, been told I already have an account and I get the password in 1 guess because I'm so consistent with creating them.

I don't know why everyone doesn't do this.

3 comments

What do you do when you log in to your bank and they tell you that your password has expired and that you need to create a new unique 6-8 character password with exactly one capital letter and one number but no special characters? And that it can't contain any part of any of your old passwords?

I guess the same thing you'd do if you ran across a site with this well-intentioned but terrible idea: write it down or email it to yourself.

The only sane thing you can do as a developer is let users choose any password they like, regardless of how insecure you think it is. Store it correctly and that's the end of your involvement. Let your users do what they want, or you'll just make things worse.

I have a standard set of characters that I add to passwords. So far Craigslist has been the only site to really throw me for a loop. I try to be consistent but I end up using 'Forgot my Password' more than I should with them.

They are the only ones.

I've done a bit of this and I suspect a few others have considered something similar, if not doing it themselves. I'm concerned about leaking a couple of these types of passwords, enough for someone to notice the pattern and apply it to the rest of your online presence. I'm sure there are black hats building personal databases of every password leak that goes by and it wouldn't be hard to do some sub-string matching to identify people making simple patterns like this.

I'm also concerned about a targeted attack against my online identity. I've had a couple of online acquaintances be the victim of targeted attacks, one holding accounts hostage as a sort of online blackmail. Someone who compromises a couple of random forums and picks up on the pattern now has the key to your online identity. I'd mitigate it somewhat by using multiple prefixes and suffixes, one set for 'throwaway' accounts and others for more important stuff. Even that tactic has issues, do you remember to change your password for that throwaway site that blew up with success and now your account is part of your online identity?

The alternatives aren't too reassuring though; I balance these risks against the possibility of my KeePass, LastPass or browser password list getting compromised.

I don't think I am interesting enough or lucrative enough for someone to expend that much effort trying to hack my accounts. If they compromise my password on one service (and presumably gain access to thousands of other passwords), if mine is unique and others aren't, I'm betting the attack (on me) stops there.
That seems like what SuperGenPass (http://supergenpass.com/) does, but with more effort and easier to break. Essentially, with SGP you type a master password into the password box and click the button in your browser (you don't have to install anything, just bookmark the JavaScript). It uses a one-way hash to create a unique password based on the domain.
I guess, but my method only uses my brain. I can access my accounts using an internet cafe, someone else's iPod Touch, etc.
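The comment above describes the general idea behind SuperGenPass: derive each site's password from a master secret and the domain with a one-way function, so that a leaked site password does not expose the pattern the way the base-plus-site-letters scheme in the original post does. The following is an added example illustrating that idea; it is not SuperGenPass's own algorithm and not code from anyone in this thread. It assumes PBKDF2-HMAC-SHA256 as the one-way function, a hypothetical `normalize_domain` rule that strips a leading `www.`, and a re-derivation loop to satisfy the kind of character-class policy mentioned in the thread (at least one lowercase letter, one uppercase letter and one digit).

```python
import base64
import hashlib

# Assumed parameters for this example; a real tool would pick and document its own.
DEFAULT_LENGTH = 16
DEFAULT_ITERATIONS = 20_000


def normalize_domain(host: str) -> str:
    """Canonicalise the domain so 'www.example.com' and 'example.com' agree."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def meets_policy(password: str) -> bool:
    """Typical site policy: at least one lowercase, one uppercase and one digit."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


def derive_password(
    master: str,
    domain: str,
    length: int = DEFAULT_LENGTH,
    iterations: int = DEFAULT_ITERATIONS,
) -> str:
    """Derive a site-specific password from a master secret and the site's domain.

    The domain acts as the salt, so two sites never share a derivation input.
    Because PBKDF2 is one-way, a leaked site password reveals neither the master
    secret nor any other site's password, unlike a visible base-plus-site-letters
    pattern. A small counter is mixed in and bumped until the output satisfies the
    character-class policy, keeping the result deterministic for a given input.
    """
    site = normalize_domain(domain)
    for counter in range(64):  # bounded; a valid output appears within a few tries
        salt = f"site:{site}:{counter}".encode()
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
        # URL-safe base64 yields letters, digits, '-' and '_'; trim to the target length.
        candidate = base64.urlsafe_b64encode(key).decode().rstrip("=")[:length]
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("could not satisfy password policy")  # effectively unreachable


if __name__ == "__main__":
    # Constructed sample input; the master secret is a placeholder, not a real one.
    master = "example-master-secret"
    for site in ("facebook.com", "news.ycombinator.com", "paypal.com"):
        print(f"{site:24} {derive_password(master, site)}")
```

The derived strings for different domains share no visible common base, which is the property the thread is weighing against the memorable pattern; the trade-off the original poster raises still applies, since this scheme needs the derivation tool available wherever you log in.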