
How To Easily Remember A Different Password For Every Site


Everyone knows that one of the best ways to protect yourself from online security disasters is to use a different password for each account. But do you do it? Probably not, because at first glance it looks like an unreasonable burden: you either have to remember dozens of unique passwords or keep them all written down somewhere (which is itself a security risk). The website ideashower.com offers a simple way to create a unique, easy-to-remember password for every account.

Step One

First, rather than remembering a word for your password, remember a phrase instead. For example:

"I Have Way Too Many Passwords To Remember"

Then take the first letter of each word as your password, so…

"I Have Way Too Many Passwords To Remember"

would be: ihwtmptr

This makes your actual password look random rather than like a dictionary word. On its own, though, eight lowercase letters is a short password by today's standards; see the update below.

Step Two

Say you need a password for your bank (ex. Wells Fargo). Just take the first letters of the name

(Wells Fargo = wf) and add it to your password:

wfihwtmptr

Or another example, if you need a password for Facebook:

fihwtmptr

This way your password is different for every site, is harder to guess than a single word, and all you have to do is remember one phrase!

We saw a similar article in the latest issue of the hacker digest 2600, although the author in that piece suggests using the lyrics to a favorite song or poem you'll never forget—in his example, the classic Ice Ice Baby: "Alright stop, collaborate and listen, Ice is back with my brand new invention" becomes ascaliibwmbni. From there, you can add in letters unique to the website as in the example above, and/or replace letters with special characters or numbers.

Using either method, you should be able to replace that one, overused password with a bunch of unique ones that aren't dictionary words, without taxing your memory much more than before. How well they stand up to brute-force cracking depends on their length and character mix, as the update below explains.

Update: I mentioned above that you can add special characters or numbers if you like. As several readers point out in the comments below, it's not so much an "if you like" option as it is a requirement if you really want to create a strong password. Another point worth mentioning is the above example is really mainly for illustrative purposes, and you should find a more obscure way to add letters to your base "word" than just appending the site's initials, which can be too easy to figure out. Be sure to read the comments below for several suggestions on how to improve the examples above.
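The two steps above, the 2600 lyric variant, and two of the tweaks suggested in the comments below (the Caesar-shifted site prefix and the i/o digit substitution) as a short Python script. This is an added example, not code from the article or from ideashower.com. The `derived_password` function is a hypothetical alternative that follows the update's advice to make the per-site part harder to read off than the site's initials: it derives that part with PBKDF2 and HMAC-SHA256 under assumed parameters (salt string, iteration count, output length), and the phrase and site names are the article's own examples.

```python
import base64
import hashlib
import hmac

# Constructed inputs taken from the article's own examples.
PHRASE = "I Have Way Too Many Passwords To Remember"
LYRIC = "Alright stop, collaborate and listen, Ice is back with my brand new invention"


def acronym(phrase: str) -> str:
    """Step one: the first letter of each word, lower-cased ('ihwtmptr')."""
    return "".join(w[0].lower() for w in phrase.split() if w[0].isalpha())


def site_initials(site: str) -> str:
    """Step two: initials of the site name ('Wells Fargo' -> 'wf')."""
    return "".join(w[0].lower() for w in site.split() if w[0].isalpha())


def article_password(phrase: str, site: str) -> str:
    """The article's scheme: site initials prepended to the acronym."""
    return site_initials(site) + acronym(phrase)


def shift_letters(text: str, k: int) -> str:
    """Caesar-shift letters by k, as one commenter suggests ('wf' +2 -> 'yh')."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def shifted_password(phrase: str, site: str, k: int = 2) -> str:
    """The commenter's variant: shifted site initials plus the acronym."""
    return shift_letters(site_initials(site), k) + acronym(phrase)


# A commenter's substitution rule: every i -> 1 and o -> 0. Fixed rules like
# this are standard mangling rules in cracking wordlists, so they add little
# against an attacker who knows the scheme.
LEET = str.maketrans({"i": "1", "o": "0"})


def substituted(password: str) -> str:
    return password.translate(LEET)


def derived_password(phrase: str, site: str, length: int = 16) -> str:
    """Hypothetical alternative (not in the article): derive the per-site part
    with a keyed hash instead of the site's initials.  Two leaked passwords no
    longer reveal the pattern, and a digit and a symbol are always present.
    The phrase is stretched with PBKDF2 (assumed salt and iteration count) so
    offline guessing of the phrase from one leaked password is slower.  The
    site name is lower-cased so 'Facebook' and 'facebook' agree, but a site
    rename still changes the result, as one commenter notes.  Base64 output
    can contain '+' or '/', which some sites forbid."""
    key = hashlib.pbkdf2_hmac("sha256", phrase.encode(), b"site-pw-v1", 100_000)
    tag = hmac.new(key, site.strip().lower().encode(), hashlib.sha256).digest()
    body = base64.b64encode(tag).decode("ascii").rstrip("=")[: length - 2]
    # Append one digit and one symbol so common site rules are satisfied.
    return body + str(tag[0] % 10) + "!"


if __name__ == "__main__":
    for site in ("Wells Fargo", "Facebook"):
        print(site, article_password(PHRASE, site),
              shifted_password(PHRASE, site), derived_password(PHRASE, site))
```

Run it and compare: the article's scheme gives `wfihwtmptr` and `fihwtmptr`, so one leaked password plus the site name exposes the shared part, and the shifted prefix only delays the same deduction. The HMAC-derived strings share no visible prefix, but they are still all protected by the one master phrase: anyone holding a derived password can try candidate phrases offline, which is why the phrase is stretched here and should be long.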

"Remember Just One Password That's Unique For Every Site" [ideashower.com]
Winter 08-09 Issue [2600 - The Hacker Quarterly]


Comments:

Silviu Istrate

This is something that EVERYONE needs to take note of... Including myself. I am extra cautious with my passwords yet still got my PayPal hacked into a while back.


This is a great idea. I have a really hard time keeping up with all my passwords. I don't want to write them down and I don't want to store them on my computer or at one of those password storage sites.
Time to start changing passwords.


Needs numbers and symbols.


Passwords are the thing I hate the most about modern technology :P Someone integrate retinal scanners into LCD monitors please... Then I just have to worry about getting my eyeball cut out, Demolition Man style.


This is great, except most sites are requiring that you have numeric and special characters in your password nowadays...


Some sites need numbers AND letters, so my rule for ALL sites (I do a similar thing to the OP) is to replace any "i" with a "1" and "o" with the number zero. Mixes it up just fine, easy to remember as long as you're 100% consistent, and makes the passwords more secure.


I won't admit I've been doing this for years because if I admitted it, all it would take is for someone to figure out the one phrase I use for every single login, then add the necessary letters of the site. My entire e-life would then be exploited.

But for everyone who is not me, this is a great idea. ;)


I had something like this, but I ran into some sites that limit the characters to 8 and blew it up.


Writing down your passwords is not as horrible as people make it out to be. It's not possible to hack a written sheet of paper, and I would think most people are in fairly low danger to have a sheet of paper stolen from a desk drawer.


Also, don't use family or pet birthdays/names. It's not original, and it's not secure. The 1 at the end of your password to fulfill the digit requirement isn't original either.


@B: Exactly, I don't have a single password that doesn't have a good mix of letters, numbers, and symbols. Also makes for long passwords. But that's okay, all these traits makes for secure passwords. Just remember to change them often.


@B:
A number could be the number of the words in your phrase, the square root of that number, the number of words plus the number of your address, along those lines. Would still be easy to remember. Then throw in the symbol that corresponds to the first digit of the number you choose.


"are resistant to brute force cracking"
The whole point of brute force cracking is that people only use letters in their passwords. You need symbols and numbers to be resistant to brute force cracking.


Another alternative is to remember a really complex password and have the rest of your passwords on an encrypted file that uses that password to open up on your computer...just make sure you close out the file when you're done.


@Danj3ris:

As you point out, the security this adds is far from fool-proof. It'll thwart an automated attempt to get into your account, but it won't stop a human being.


The only problem with this is that *some* of your passwords are going to match since, as with the example of Facebook, there are a lot of sites that start with F and are only 1 word.

Of course, if somebody figures out your "key phrase" by getting 2 or more of your passwords, you're kinda toast.

In the end, doing this is probably a lot better than relying upon Firefox to remember your passwords!


Ugh, passwords! Already have too many of them, but some sites require special characters and some sites explicitly forbid them, and remembering which site has which rule absolutely drives me bonkers.

Also, I have a site I use at work that requires me to change the password every three months. I hope no one figures out all I've been doing is incrementing the number on the end of the password. *ahem*


@snowburnt: Similar to this is to use a complex password to get into your computer and encrypt the file there. There are a few free encryption places out there, and Windows comes with some utilities you can use with a certificate.

It's complex at first but makes sense after a little while.


The thing is, every site wants something different - long, short, caps, numbers, special characters, no two characters the same or in a row, etc.


Oh, and people who design these things? If your password rules have exceptions like this, please provide them as a hint for when I try to log in again. If you told me it has to be 8 characters long and have a letter, number, and symbol, I need to know that when I go back to the site to log in.
/rant


An incrementally safer way to do this would be to obfuscate the prefix. If someone finds your Wells Fargo password and notices the first two letters are "wf", they may be able to deduce your password theme and log into your other accounts. Instead of using "wf", shift each letter by a set number, say, +2: W becomes Y, and F becomes H. Instead of wfihwtmptr, use yhihwtmptr.


This is bad advice.

Here's why:

This only protects against simple dictionary attacks.

A brute force attack on fihwtmptr would take a few hours with a distributed machine attack.

You're way better off using a passphrase. Once you get to 16+ characters, it makes it nearly impossible to brute-force a password within reasonable human time.

Here are some numbers: [www.lockdown.co.uk]

This of course glosses over things like Conficker, key loggers, phishing and man-in-the-middle attacks.


I've used this on some sites - will mix it up by using the first and second names of a site - PetSmart, for example, or USING CAPS.

Just like physical credit cards, though, no one is interested in *your* numbers, they want 10,000 numbers. So the best security is ensuring you don't have spyware/viruses running.


No numbers or symbols? Not even upper case letters? That is a horrible password. Nowadays, with the advent of things like "rainbow tables" that can crack any passwords of up to a certain length in seconds, you have to have really, really long passwords to have a chance. There are actually tools for this, such as KeePass ([keepass.info]) that will not only store, but generate your passwords for you! People may get all upset about this, having them all written down, but in my experience (I've been in IT for 10 years now) the biggest risk is an external site getting cracked, not your local stuff. This tool is open source, and many, many people have pored over the code to figure out how to crack its security to get into its database. As long as you remember one very good password, you're set.

How many times do we hear about passwords getting broken at myspace.com, or an e-commerce site. It is much more important that all the passwords be random, and different. (ie, so if they crack my amazon password, they cannot easily figure out my Wells Fargo one).

On a side note, rainbow tables are a great thing to demonstrate at work, to make bosses sweat very, very profusely...


I AM sure that someone will use these passwords for their account. That's the sad part. Come on, what's so hard about having many passwords? Cell phones and PDAs have made our brains lazyyyyyyyyyyyyyyyyyyyyyyyyyy. Wake up and start reusing the best memory out there. It will stay with you longer than your cell and PDA combined.


@B: You could incorporate number and symbols into the phrase:

STAR Light STAR Bright, FIRST Star I See Tonight =

*L*B1SIST


@B: Needs hieroglyphs, now no one will know the password, except anthropologists in the field of ancient Egyptian.


I do something similar - want to know when this fails? When sites change names or merge.

Some of the genealogy websites have done this, and now I'm unsure which "password" was used for the site that is now under a new name.


An easier and more secure approach that addresses all of the size and character requirements that the method in the article conveniently ignores is PasswordMaker (passwordmaker.org).


Keep in mind that cracker dictionaries will often have well known phrases or series like this -- so don't use something commonly known like mvemjsun (names of the planets), roygbiv (color spectrum) or omfg (well, you know).

Also avoid "hacker" or texting slang, because dictionaries and scripts will accommodate for that. Changing "bankone" to "b4nk0n3" doesn't really afford you extra protection.


I create passwords as combinations of names and birthdays of ex's.


@enm4r: What you should do is just write them down and keep them locked up.


@B: Our work network passwords MUST:

Be more than 8 characters long
Have uppercase and lowercase letters
Have numbers
Have special characters
Cannot contain any word recognizable in any language that it checks
Be replaced every 30 days

And you can't use any of your last 10. Also, the password you use for your e-mail / intranet access has to be different than that one, and subject to the same restrictions.

There's "security," and then there's, "no, seriously, I can't remember this shit anymore." I basically just end up moving the same punctuation mark backwards one place at a time for a year.


Use numbers and the names of other people's pets!


The biggest problem with this, for some people, is the fact that you often don't get to choose your passwords or you have to choose a password that other people will share--for a server login, for example.

I've been using KeePassX for several months and love it.


Then again, this advice doesn't help much when you're forced to regularly change your password every month or so.


What a great idea. I have been using the program KeePass to manage all my passwords, but I don't always have it with me. This would really simplify things for me.


Why bother shortening it? Really long passphrases are much more resistant to brute-force attacks. If you use "IHaveWayTooManyPasswordsToRemember" as your password, that's 135-bit strong. Easier to remember, easier to type. By shortening it to "ihwtmptr", you're reducing it down to 36 bits.


When can I start using my RSA key generator to log into everything? At work, I have RSA authentication to log in from home which consists of several characters of my choosing appended to a 6 digit number off of a key card that changes every 30 seconds. Assuming you don't lose your key card to someone who can guess your other characters, it should be a lot safer than traditional passwords. Also, if you lose your key card, you usually know right away and have it changed. If someone steals your regular password, you don't have a way of knowing it too quickly.


@pecan 3.14159265: I have it tattooed on an intimate area of my body. Luckily only six characters are required, or I'd need Extenz.


@Mr.DuckSauce: Sounds good, but I don't have any hieroglyphs on my keyboard.


@enm4r: I also write down passwords that I don't use all that often and am prone to forget. However, I don't write the entire actual password, just enough to jog my memory.

For example, if my password were "Bosco99," I just write "B99." That's enough to remind me that I have a password called Bosco, and not enough to tip off anyone who might find the piece of paper.

The method in the article seems pretty good until you realize that everyone who reads it is going to use "ihwtmptr" and it's going to replace "password" as the most used word out there.


I remember the good ol' days when my password was "password".


@QuantumRiff: Wow, "keepass" is an unfortunate name... there's really only one way to read that.


@Etoiles: 30 days is excessive for password recovery, in my opinion. Same as requiring too many different passwords and having a 3-login lockout.

Too many restrictions will create more problems like people writing down their passwords and taping them to their monitors.

Network security guy 1: "Great, no one can crack these passwords."
Network security guy 2: "They don't have to, the cleaning person took the sticky from this guy's monitor with his login and password."


@balls187: To truly be secure with pass phrases you need to add in one or more of:
* some random special characters
* a very obscure word
* a misspelling

Otherwise you have limited the search space to just V^N where V is the size of your common word vocabulary (likely a few hundred), and N is the number of words in your phrase (likely 6 or less).
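The bit counts in the comment comparing "IHaveWayTooManyPasswordsToRemember" with "ihwtmptr" and the V^N word-level model in the comment just above can be reproduced with a short script. This is an added example, not part of the thread; the vocabulary sizes (4096 and 300), the 33-character punctuation set and the guess rate of 10^9 per second are assumptions chosen for illustration, and the passwords are the ones quoted in the article and comments.

```python
import math

# Assumed symbol alphabet: the 32 printable ASCII punctuation marks plus space.
PUNCT = 33


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, judged by character class."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += PUNCT
    return size


def char_bits(password: str) -> float:
    """Search space in bits if the attacker knows only length and classes."""
    return len(password) * math.log2(charset_size(password))


def word_bits(n_words: int, vocab: int) -> float:
    """Search space in bits for a phrase of n_words drawn from a vocabulary of
    size vocab: log2(V^N), the word-level model from the comment above."""
    return n_words * math.log2(vocab)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a space of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_second


def report(label: str, bits: float, rate: float = 1e9) -> None:
    days = crack_seconds(bits, rate) / 86400
    print(f"{label:>42}: {bits:6.1f} bits, {days:.3g} days at {rate:.0e} guesses/s")


if __name__ == "__main__":
    PHRASE = "IHaveWayTooManyPasswordsToRemember"
    report("ihwtmptr (8 lowercase)", char_bits("ihwtmptr"))
    report("wf1hwtmptr (i->1 rule)", char_bits("wf1hwtmptr"))
    report("*L*B1SIST", char_bits("*L*B1SIST"))
    report("phrase, attacker guesses characters", char_bits(PHRASE))
    # Same phrase when the attacker guesses whole words instead (assumed V):
    report("phrase, 8 words from 4096", word_bits(8, 4096))
    report("phrase, 8 words from 300", word_bits(8, 300))
```

The character-level figure for the full phrase is far above the 135 bits quoted, but the word-level figure is the one that matters once an attacker runs a phrase dictionary: eight words from a few-hundred-word vocabulary is well under the 8-lowercase-character result multiplied by the rate at which the same attacker works. That is the reason the comment above asks for a rare word, a misspelling or random symbols inside the phrase.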


@balls187: Yep. Rainbow tables won't practically help you crack anything unless you a) have access to the ciphertext of the encrypted password and b) they aren't using proper salt.

Also, rainbow tables are not new, at all.


@mschlock: You're not alone......I know when I worked helpdesk support almost all of our salesmen did this. It's sad when you work on their PC again and find that the password is still Password1 or 2 or 3....


@pecan 3.14159265: You can also write them between the lines or in the margin of some random book, then stick it on your bookshelf. That way it is, in essence, hidden in plain sight.