Create A Different Password For Every Site And Never Forget A Single One

So many logins to keep track of. You can use a handful of strong passwords across all your accounts, but if somehow one gets figured out, your entire networked life could be at risk. But by creating an easy-to-remember passphrase that uses part of the website’s name in its construction, you have a unique strong password for every account you have without ever even writing any of them down.

The password is made out of a passphrase prefix + the first three letters of the website. The root passphrase stays the same, but at every different site you register at, you add the first four letters of the website’s name to the end of the phrase.

So if your passphrase is “gatekeeper” and the website you’re registering at is “Facebook,” your password would be “gatekeeperfac.” For your American Express card, “gatekeeperame” and so on.

Of course, to make a strong password, and some sites will require this as well, we want a mixture of upper and lower case letters and numbers. You could end up with lKsafBd983 but that’s not very easy to remember.

Instead, take a word or a phrase you won’t forget and convert that to an alphanumeric phrase.

For instance, “I like to tweak noses at night when I’m sad,” could become 1L2TN5D.

Combine that with the first four letters of every site you register for – 1L2TN5DFac, 1L2TN5DCon, 1L2TN5DBan and so on – and you’ve got yourself a unique strong password that you’ll never be frantically searching for that old sticky note you wrote it on to figure out.

Just remember that many sites require passwords to be at least 8 characters in length and sometimes under 10, and to never tell anyone your naming scheme.

Comments

  1. SuperNinja™ says:

    Great Advice. “Choosing a Password” should be part of “Computers 101″. It’s essential.

  2. lymer says:

    The only downside to this system is some websites have a character limit for passwords. That will throw you off.

    • duxup says:

      And some require special characters, some do not. My credit card company has an INSANE number of rules and the only thing I can do on their site is view my bill and request my cash back check.

    • Rocket says:

      Websites that have a max length for passwords scare me. How are they saving the passwords that they can’t be any length? On my website, I md5 all passwords, so I don’t care how long (or short) they are.

    • alaron says:

      Like american express. I have to truncate my password for them.

      • Jnetty says:

        Amex and Citi Student Loans are limited to 8 characters. Total lack of security.

        • scurvycapn says:

          That’s nothing. Before they updated a couple years ago, Key Bank’s passwords were limited to 4-6 characters, alphanumeric only, no special characters.

          I hate when places require numbers. My go-to password is upper/lower/special characters along the lines of !Nj#POfR I don’t need any numbers when I have a password like that.

          • shockwaver1 says:

            One of my credit cards has a 6 character password policy. No more, no less. And the password field actually prevents you from typing in more than 6 characters. Upper and lowercase only, no numbers or special characters. I hate that site.

        • jessjj347 says:

          If you think that was bad, TD Bank used to have SSN as account name when they were Commerce. It was not visible when typed, BUT there was a note to the side that said *please do not input any dashes* which didn’t give a *hint *hint or anything…

    • wildhalcyon says:

      Any website that has a character limit (usually 8, but I’ve seen 16) for passwords is bad news. Why? They almost surely store the password in plain text in a database somewhere. Unfortunately, I see this in financial and “secure” business institutions all the freaking time.

      The best sites will usually have either an “unlimited” character policy, or something suitably long (> 32 characters)

  3. Loias supports harsher punishments against corporations says:

    what about corporate passwords that require you to change them every 90 days? Or any password that you’re forced to change and cannot change immediately back because of security programming?

    I like this though, I may actually implement it.

    • backinpgh says:

      then add another number to the end. i.e. masterpasswork1, masterpasswork2, etc.

    • Applekid ┬──┬ ノ( ゜-゜ノ) says:

      If it’s a regular system, I generally attach a “Month Year” algorithm at the end of it. I recommend encoding it somehow. I know my first 10 digits of pi, so, I use them 0-indexed against the units digit of the year, for instance, this year, 3. I’ll map month to letters, but, if you know something with 12 (Astrological signs, Apostles) you’ll have plenty of space.

      My workplace requires changes every 45 days. I just man up and change it every month. No one disallows changing more frequently than required.

      In systems that I don’t log into for a while that force me to update password, I’ll add a little toggle to the end. That way, by default, I’ll login without the toggle, find it mismatched, try it with “odd” at the end, and if mismatched again, try it with “even”. That way I get three attempts and avoid locking my account, and, when I get in, I just change it to the other one.

      I haven’t encountered a sporadic forced-expiring system that disallows all previous passwords, but, I guess for those I’d just keep a little notepad with a steadily increasing number and use that as a suffix.

      • ellemdee says:

        My work does not allow us to change it more frequently than required. If you set it and immediately decide you want to use a different PW, you’re out of luck. You get a week or two before the due date to change it, but once you set it, you’re stuck with it for a while. They also disallow PW’s that contain any part of your previous 12 passwords or any dictionary words or names, so we can’t just change a date at the end. And, of course, it has to have an upper case letter, lower case letter, number, and special character. The real fun is when we have to have our password reset by the system if we get locked out. A series of random characters is generated and we’re stuck with it for a while, and have to somehow remember it without writing it down. Yeah, it’s loads of fun.

        • Applekid ┬──┬ ノ( ゜-゜ノ) says:

          I will pour a 40 out on the parking lot for your password woes. :(

        • Eyebrows McGee (now with double the baby!) says:

          My work is similar to yours … one strategy is to choose a book in your office and to pick a word from in there, and pretty it up, like “D!cti0nary” or something, and then you can write down the location of the word in code — only you know which book, then you write 145a for page 145, upper left hand quarter of the page. Or 145-1-27: page 145, column 1, line 27. Or 145-27-8: page 145, line 27, word 8. Whatever. The point is, you can then write down the code to FIND your password, and it’s pretty secure, since the knowledge of which book is in your head and that’s easy enough to remember. And remembering which bits you replaced with leetspeak isn’t too hard when you remember the word.

          And the “code” to locate the word doesn’t look like much, anyway, and if you pick right it can always look like the combination to one of those spinny locks.

          • ben says:

            I recently started a new job and have to have passwords on several different systems. Each one has a different naming requirement and a different expiration policy. It’s not fun trying to keep track of them all. I haven’t come up with a good scheme yet.

    • HungryGal says:

      I do this, and I just change a sequential number- for example, “b5passphrase” meaning “b” for bank, “5” for the 5th change, and “passphrase” the generic password I use.

      Now I’m going to get hacked, I guess.

    • stormbird says:

      I worked for a company that had eleven programs you used on a daily basis, some with 60-day and some with 90-day mandatory password changes, some with mandatory capital letters in some spots and one that wouldn’t let you use a letter ever again in your password (it was a 60-day password change where three characters had to be letters- 16 months and you couldn’t make a new password). They had two password manager programs, one of which would let you change passwords for other programs and the other one said you could but would lock you out until the one IT desk in the world allowed to reset the system answered their email. I was locked out of a vital program for three months, as was my supervisor.

      I’ve read that the whole exercise is useless because you learn someone’s password and use it immediately. The password isn’t normally hacked in the corporate world, it’s scammed through social engineering or you just don’t close out when you leave the office.

  4. eli says:

    But isn’t the whole point so that if someone gets one of your passwords, they don’t get access to everything? Then why use such an obvious pattern? If I somehow discover your twitter password is L$2983Xtwitter, it wouldn’t be hard for me to guess your facebook password…

    How about something more robust like a password manager such as Keepass (free). You memorize one strong password and it encrypts all your other password (and anything else you want to keep secure). I use it with Dropbox (also free) to keep all my passwords synchronized across all my computers.

    • tkmluv says:

      This what I was thinking. It really doesn’t solve the “all my passwords are different” problem. Keepass and dropbox is a good solution.

    • DanRydell says:

      This! Such an obvious flaw in the system. I too use a password manager, it randomly generates strong passwords for me. Just make sure you keep a backup of the password database.

      It also helped me realize just how many websites I have usernames and passwords for. 120! Imagine if I used the same password for 120 websites… or a variation of the same.

      I use 1Password on my Mac, I think there’s a Windows version available or at least coming soon.

    • ShruggingGalt says:

      +1.

      Came here to say the same thing.

    • notovny says:

      I use Lastpass (free version), myself, for a similar reason, and because it’s usable on everything. And even if you don’t want to give a Password Manager your Most Important Passwords, running one that can generate and manage secure passwords on the fly eliminates any temptation to reuse one of your Most Important Passwords when signing up for J. Random’s Poorly Secured Web Forums, or similar sites.

    • dotyoureyes says:

      Yes yes yes! A password isn’t “different” if someone can easily guess the differences. If you’re going to use a scheme like this, it’s important to make sure the rotating part of the password appears as random as the non-rotating part.

      For example, instead of “1L2TN5DFac”, which makes it easy to guess your Google password is “1L2TN5DGoo”, use (for example) the 2nd and 4th characters from the service name. Additionally, don’t put them at the end, and mix up your capitalization. So your passwords become “1L2tNaB5D” and “1L2tNoG5D.” (The “aB” and “oG” are the rotating letters.)

      With this scheme, if one of your passwords gets compromised, at least it’s not painfully obvious what all your other passwords are. If two passwords are compromised, you’re at much more risk, but at that point somebody REALLY wants into your accounts.

      (Of course, that’s still not as secure as a true random password and a service like Lastpass, but then you’re at major risk if your master password is compromised — so I’d call this technique a wash.)

  5. legwork says:

    That’s a reasonable convention for passwords, for sites that don’t trip you up with length, unique character or time restrictions.

    My suggestion for improvement would be to try lastpass.com. It rocks.

  6. guspaz says:

    That’s not really much more secure than using the same password for every site. If somebody compromises one password, they can crack the rest very easily using a guided dictionary attack, or even a simple guess if they know your naming scheme.

  7. samandiriel says:

    If you’re using FireFox, there is a super addon called “Sxipper” that not only stores all your passwords, but will generate random ones if you like and can be configured such that using any auto-fill password requires a master password:
    https://addons.mozilla.org/en-US/firefox/addon/4865/

    Even better, if you fill out forms a lot this thing has an extremely effective identities management suite that fills out the forms perfectly for you 98% of the time.

    I’ve been using it for years, can’t recommend it enough!

    • domcolosi says:

      There are two problems with a random password generator, though:

      -The password has to be stored, and there’s always a chance the file will be corrupted or something, locking you out. Not all sites have fast password recovery, so that could really mess things up for you.

      -You’ll also be locked out anywhere else in the world. You couldn’t check your facebook at a friend’s house, for example, since you wouldn’t know your own password!

  8. SerenityDan says:

    and now that you’ve posted this when someone gets a hold of one password and sees it ends in face, amer etc. they will know how to access every site you use….

    • Murph1908 says:

      Which is why I use a different formula for different levels of sites…banking/sensitive, shopping/standard, pron/lowly.

      • Murph1908 says:

        oops. Premature Submission.

        And I also have an alterization aspect to each password, that makes sense to me and I’d remember.

  9. temporaryscars says:

    I have about three or four that I use for various sites. Haven’t been hacked yet.

    • Nigerian prince looking for business partner says:

      I do basically the same thing. I have unique and very complicated passwords for email and then essential things like bank accounts, insurance, IRA, etc. For things like forums that I’m interested in, I’ll use the same password repeatedly, since I really don’t care if they’re hacked.

      For subscriptions to websites, forums I’m not terribly engaged in, and things of that nature, I’ll use a disposable email address and then the same password on all of them. 10minutemail.com is great for that kind of stuff. If I forget my password, I’ll just register with a new email address and login.

  10. keith4298 says:

    Or you can try this: https://www.pwdhash.com/

    • Mxx says:

      problem becomes when that site changes url :)

      • Harlan says:

        The source code for PwdHash is published, and there’s at least one independent web site with an applet for it. It’s as good as any solution…

  11. aloria says:

    If an attacker gets one of these passwords, all they have to do is do an extremely basic guessing game to figure out all the other passwords. You really think a hacker is going to look at amex and not figure out what you’re doing?

    You’re really not buying yourself anything with this.

  12. Murph1908 says:

    I do this.

    Unfortunately, there are still sites out there that won’t allow more than a certain number of characters, which blows this all to hell.

  13. diasdiem says:

    1L2TKN5DFace? That’s amazing! I’ve got the same combination on my luggage!

  14. backinpgh says:

    Many sites require at least 1 number and one uppercase, so keep that in mind when creating your master password.

  15. hypochondriac says:

    What about just using roboform? That stores the PWs on your computer, so you just have to remember the main roboform pw

    • Andy S. says:

      Bingo! We have a winner. I bought Roboform five or six years ago. Always free updates. Can’t say enough good things about that software.

  16. Applekid ┬──┬ ノ( ゜-゜ノ) says:

    Super easy. Just smash your face on the keyboard. As long as you do it exactly the same each time, and don’t gain or lose weight, it’ll work.

  17. Mecharine says:

    Or you could just use something like Keepass to do it all for you.

  18. Fineous K. Douchenstein says:

    Just hope none of our cyber thieves read Consumerist and see this…

  19. Oranges w/ Cheese says:

    Passwordmaker.org – that is all.

  20. TGT says:

    The suffix for the website is horrible advice. Once someone has one password, they still know all your other passwords immediately. Putting the suffix through a hash that only you know is better, but not great still. For example, Say your hash is 435. The “Fac” suffix would then become: F+4=J, a+3=D, c+5=H: 1L2TN5DJDH. If the attacker knew you were using a 3 letter hash and the beginning of the name of the site, they’d have all your other passwords, but at least the suffix isn’t human readable and requires more knowledge. A centralized hash suffix (for example: 1LJDH2TN5D) is much tougher to crack programmatically.

  21. bikeoid says:

    This is great advice – sure, a human might be able to figure a scheme out that includes the web site name, but often hackers will steal an entire database and blindly try the exact password on other sites such as banks, Amazon, and iTunes. So this method might even withstand a plain vanilla mass hack.

    • aloria says:

      Not really. It’s pretty trivial to write a small script to take all the passwords and try permutations against other sites.

  22. TornadoRex says:

    None of these are actually “unique” since it’s the same password just adding three, easily identifiable letters, on the end if someone guesses one password they’ve still guessed every single one of your passwords.

    Personally I use LastPass but for those that don’t want to I’m a fan of the “move your hand over” method. For example take something you can remember like “awesomepassword” and move your hand in a direction or combination of directions on your keyboard. If I move my hand to the right one letter it becomes “serdp,r[sddeptf” if the site requires the password to be alpha-numeric you can just leave the letters in that the symbols represent. Thus the password is “serdpmrpsddeptf”. You can then take and make any letters you want number, thus becoming “53rdmrp5dd3ptf”. If you want caps you can set up a system via your number pad if you want where you move your finger one number in the same direction as your password from a chosen number and cap every one of those letters. So in this case if I move my hand one number from 2 it becomes 3, so I cap every third letter that isn’t a number. “53RdmRp5Dd3Ptf”. There ya go. A seemingly random password and all you have to remember is which way you moved your hand for each site.

  23. Dusty342 says:

    I second the use of passwordmaker.org. Started using it through a firefox plugin, then chrome and now on my android phone. Generates a completely different password for each site and only requires you to remember one password.

    Definitely worth a look.

  24. incident_man says:

    Why not print out a passwordcard?

    http://www.passwordcard.org/

  25. ben_marko says:

    If you have a Mac, I recommend using 1Password and DropBox. 1Password’s random password generator will make random passwords that I guarantee no bot or live person will ever guess. Then store your 1Password database in your DropBox folder online (only if you have 1Password installed on multiple Macs). Voilà! Your passwords are instantly accessible from wherever you may be.

    • shockwaver1 says:

      Second vote for 1Password. Between it, dropbox, the windows version, and the iphone app I have all my passwords when I need them between my two computers.

  26. MarkSweat says:

    Irony. Took me three tries to remember my Consumerist password to post.

    I would add that this process should ONLY be used for “lower risk” sites, like blog posting, on-line shopping, Facebook, etc.

    Bank accounts, retirement accounts, and the like should have very unique passwords that cannot easily be guessed if someone hacks your Facebook.

  27. SphinxRB says:

    I use ROBOFORM add-on for Internet Explorer. It’s free if you only store 10 passwords or less. I purchased it so I could store as many as I want. Just have to type one password at each computer session, and it will fill in the login-password and even forms for you. It uses military type encryption, and will even generate passwords for you. Also, you can add GoodSync at no extra charge, it will sync your passwords to an online site, then if your computer crashes, you can still get them. I love it. Best add-on I’ve ever added. Some sites you will need to have it fill-in only (not fill-in and submit), and click submit yourself, but it still does it. You can even print them out.
    http://www.roboform.com

  28. maztec says:

    I prefer algorithmic passwords. The only thing that messes them up is when a website allows some, but not all special characters. Or, as AT&T used to do – truncate your longer password, without telling you, but hash it when you type in a long password .. so your password doesn’t match :

    I recently changed my algorithm (I do so every few years), so I am comfortable sharing my old one:

    Length: Max for site or 24 characters, whichever is shorter.
    The first 8 characters take care of sites that do not allow you to use symbols – as they are usually the sites that do not allow you to use long passwords :

    First Character: Last character in site name.
    Characters 2-8: ROT6 first 7 characters in site name. Repeat site name if it is not long enough. Put numerals in symbols, and capitalize every third consonant.
    Characters 9-15: Signup Month/Year, last numeral as a symbol, invert capitalization on month – e.g., 201(jUL
    Characters 16-21: ROT3 Someone’s middle name (I used a distant relative’s), spell it backwards, leetspeak it.
    Characters 22-24: My initials.

    Result is a unique password for every site that is difficult to reverse engineer.

    Example password for the Consumerist, assuming my initials are ABC and the middle name is Jupiter.

    tjuTyaRk2010(jULuhx1sABC

    Admittedly, I wrote a script that I put the details into and it generates the password for me. However, after a few entries I usually remember the characters for that site. If I forget, I can back engineer it. Furthermore, I can look in my browser history to figure out what month I signed up to the site.

    - M

    PS: That is not my real password and I modified the algorithm slightly from what I used.

  29. El_Fez says:

    Baravelli: You can’t come in unless you give the password.
    Professor Wagstaff: Well, what is the password?
    Baravelli: Aw, no. You gotta tell me. Hey, I tell what I do. I give you three guesses. It’s the name of a fish.
    . . . several unsuccessful guesses later. . .

    Baravelli: Hey, what’s-a matter, you no understand English? You can’t come in here unless you say, “Swordfish.” Now I’ll give you one more guess.
    Wagstaff: …swordfish, swordfish… I think I got it. Is it “swordfish”?
    Baravelli: Hah. That’s-a it. You guess it.
    Professor Wagstaff: Pretty good, eh?

  30. jayde_drag0n says:

    also try just a regular word you can remember.. and make it leet.. like the word password passover P@550v3r

  31. Riff Raff says:

    One thing I would like to suggest is do not alternate between letters and numbers frequently. On most mobile phones, especially those without physical keyboards, you have to stop typing to switch between alpha keys and numeric keys. On an application that you use often, it can be quite annoying.

    Regardless, I really need to implement a password manager scheme instead. I feel much more comfortable using random passwords that are almost unguessable, and do not compromise any other accounts if it is hacked.

  32. q`Tzal says:

    I use Password Safe (http://passwordsafe.sourceforge.net/)
    There is an Android version that lets you use the same master database: there must be an iPhone version.

    Why is it that despite the need for strong password that the companies that don’t allow special characters in their characters also have a nasty habit of NOT TELLING YOU that until they reject your new password as invalid? I’ve even seen a few sites that will reject my password choice and NOT SPECIFY what the bad characters are.
    There needs to be some website authoring convention that plainly and completely states the password forming rules. Or are these idiots going for security by obscurity?

  33. MrsLopsided says:

    I use un-hackable piece o’ paper – in cursive.

  34. KeithIrwin says:

    As a computer science professor who specializes in security, let me say: No!

    No. No. No! This means that you’ve basically given your one password to every site you use. Anyone who sees one of your passwords can figure out the rest. There is a much, much, much better solution:
    PasswordMaker (http://www.passwordmaker.org)

    This is available as a plug-in for Firefox, Opera, Chrome, and as an app on several different phone platforms. It also combines a strong password with the site name, but it does it using a cryptographic hash function, which means that it’s computationally infeasible to use one of the site-specific passwords to find your original password.

    If you use it as a web browser plug-in, it also protects you against many phishing attacks since the password it’ll generate for say citibank.com is different from the one it will generate for ci1ibank.com or citibank.cm or any other domain name.
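
The approach comment 34 describes, shown next to the article's root-plus-suffix scheme, as an added example that is not part of the original comment and is not PasswordMaker's or PwdHash's own code. PBKDF2-HMAC-SHA256, the iteration count, the 16-character output, the sample master passphrase and the helper names are assumptions chosen for illustration.

```python
import base64
import hashlib
import os.path

# Assumptions for this sketch (not PasswordMaker's or PwdHash's real algorithm):
# PBKDF2-HMAC-SHA256 as the one-way function, the domain as salt,
# 200,000 iterations, 16 output characters.
ITERATIONS = 200_000
LENGTH = 16


def suffix_password(root: str, site_name: str, letters: int = 3) -> str:
    """The article's scheme: fixed root + first letters of the site name."""
    return root + site_name[:letters].capitalize()


def derived_password(master: str, domain: str, length: int = LENGTH) -> str:
    """Per-site password from a one-way function of master password and domain.

    Knowing the output for one domain does not reveal the master password
    or the output for any other domain.
    """
    salt = domain.strip().lower().encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=32)
    # URL-safe base64 yields letters, digits, '-' and '_'; sites with stricter
    # character rules would need a different encoding step.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def shared_prefix_len(passwords) -> int:
    """Number of leading characters that every password has in common."""
    return len(os.path.commonprefix(list(passwords)))


def compare(root: str, master: str, sites: dict):
    """sites maps a site name to its domain; returns both password sets."""
    by_suffix = {name: suffix_password(root, name) for name in sites}
    by_kdf = {name: derived_password(master, dom) for name, dom in sites.items()}
    return by_suffix, by_kdf


if __name__ == "__main__":
    # Constructed sample input: the root is the article's example, the master
    # passphrase and the bank domain are made up.
    sites = {
        "facebook": "facebook.com",
        "consumerist": "consumerist.com",
        "bank": "bank.example",
    }
    by_suffix, by_kdf = compare("1L2TN5D", "constructed master passphrase", sites)

    print("suffix scheme :", by_suffix)
    print("  characters shared by every password:",
          shared_prefix_len(by_suffix.values()))
    print("derived scheme:", by_kdf)
    print("  characters shared by every password:",
          shared_prefix_len(by_kdf.values()))

    # The look-alike domains from the comment each get an unrelated password,
    # so a browser plug-in filling by domain hands the real one only to the
    # real site.
    for dom in ("citibank.com", "ci1ibank.com", "citibank.cm"):
        print(dom, "->", derived_password("constructed master passphrase", dom))
```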

  35. yankinwaoz says:

    Use Lastpass.

    It is free. But there is a premium version, $1 a month, that gives you two factor authentication, a one-time-password generator YubiKey.

    Leo Laporte loves Lastpass. I’ve been using it for almost a year and have found it to be fantastic.

    • Fafaflunkie Plays His World's Smallest Violin For You says:

      …and even his security guru, Steve Gibson, loves Lastpass too. The current episode of Security Now! devotes itself to how Lastpass works, and how secure the passwords it generates are. And it’s free. (Yes, there’s a $1/month premium service that allows for two-factor authentication when logging in – i.e. a text comes to your cellphone, and you have to type the number in that text to ensure that you are who you say you are.)

  36. Carlee says:

    For less important websites (like email addresses that I signed up for just for message boards and stuff), I sometimes use song lyrics. Like I’ll take the line “and the rockets red blare” and shorten it by using a combination of the first letter of each word, or taking out some vowels, and replacing some letters with numbers. It helps me remember my passwords ’cause I just have to think about the lyric in my head.

  37. farker says:

    Well if the hacker knows the name of the site and they’ve figured out the “root” of your password (using a means other than a brute-force attack, probably, given the complexity of the examples), what good would this do?

  38. farker says:

    Another thought, has anyone else been frustrated by sites like Discover Card’s website? Don’t recall the max/min length, but they do not allow any special characters, only letters and numbers. Doesn’t this seem a bit outdated?

  39. Skeptic says:

    ” . . . at every different site you register at, you add the first four letters of the website’s name to the end of the phrase.”

    But you only added the first THREE letters in your example. If you can’t even get it straight in your description, do you really think we can get it right week after week and month after month? And how on earth can we remember when we’ve updated some passwords (with a new or modified passphrase) while retaining others, all on different update cycles?

    Sorry, but this is not the silver bullet it pretends to be.

  40. Fafaflunkie Plays His World's Smallest Violin For You says:

    Here’s a better idea: lastpass! It does the business of making nasty passwords you don’t need to remember, and it stores it in a vault in the cloud so all you need is one password to remember, and lastpass takes care of the rest! Just don’t forget that one password, or else you’re totally screwed.

  41. Vulpine says:

    The drawback with this specific suggestion, while good, is that once the passphrase is discovered, all the user’s passwords are compromised just as easily as using a fixed password anywhere else. Rather, what you should do is put the site identifier somewhere within the phrase, rather than after it. This now multiplies the possible solutions by several orders of magnitude and makes it far more difficult to simply cut and paste the solution to other sites.

  42. Danjalier says:

    Hey that’s what I do! Except now I don’t because yet another password creating trick has been revealed on the internet.

    “Hey everyone, I figured out a good way to make a secure password that no one will ever figure out. All you do is BLAH BLAH BLAH! Everyone should do this! Then no one will ever know any of your passwords!

    Thanks and no thanks Consumerist. :p

  43. Jimmy37 says:

    As bad a typist that I am, I hate having to type totally different passwords for each site, and not be able to see what I am typing.

    Instead, I recommend people get a tool like PwdHash, which will automatically take the URL domain name, hash it with your master password and create a different password for each site. You can also carry your encrypted passwords around with you in a thumb drive, using portable programs like KeePass and PasswordSafe. Or you can use Internet-based LastPass, which keeps everything encrypted online and sends everything down to your computer for decryption.

  44. jpp123 says:

    This is a monumentally bad idea. If the bad guy gets your password from site A it’s trivial to deduce your password for site B – you are basically no safer than if you used the same password everywhere (also a bad idea).

    Mac users can buy and install 1password which will generate random strong passwords and then remember them and which site they belong to.

    When you do have to think up passwords try this:

    Think of the address of an old friend (probably an ex) – the important thing is that it’s an address that you didn’t live at and won’t be in your credit history. Now take the numbers and the 1st letter of every word and you have a password that is stronger than most. For example John McCain might use 1600pawdc (an address he didn’t live at but can remember :). For a better password still do it using two addresses and concatenate the results. If you use this strong password to lock up a program such as 1password you’re in pretty good shape.

  45. helen says:

    Hmm.. nice advice, but I stay with randomly created passwords with no dictionary words and I keep them saved under one secured, encrypted database in Sticky Password manager. Then the only one password I have to know is the master password and everything else is done automatically by the software.

  46. Ben says:

    I helped my stepmom come up with a PIN number recently. All her suggestions were birthdays, anniversary, addresses, etc. Ugh.

  47. Draygonia says:

    You guys obviously never used a military portal… must be exactly 9 characters or something… then 2 of each kind of character (special, upper and lower) and must not include certain special characters. In some of our systems, the passwords must be 12 chars long, same rules but they must be changed every 30 days and not use the same password within the last year.

    You guys got it EASY

  48. Rectilinear Propagation says:

    Can’t you just use the “Forgot Password” utility if you forget?

    I sometimes forget passwords and every once in a blue moon find that the one stored in my PasswordSafe is old. I can’t remember the last time I forgot a password for a site and it took longer than 10 minutes to get it fixed (if that).

    Granted, you don’t want to have to use it often and I’m sure there are sites for whom the password reset process is a pain in the ass. I just don’t think it’s actually that important to never forget a single password. If I remember financial and e-mail passwords I’m good. PasswordSafe helps with the rest and if I lose a password for something like Blogger it’s not that big a deal to get that fixed.

  49. Promethean Sky says:

    I use password management software (which is itself password protected) which boots off a USB drive. I’ve seen USB drives with built in fingerprint scanners for just this purpose.

  50. operator207 says:

    This would be awesome, except I know of quite a few that require the first character to be a letter, and cannot be a number. I know others that require the first character that require you to have a number first. I know of some that only support alphanumeric, and do not allow non-alphanumeric characters.

    What this boils down to is you will need a “root” or 3 that can satisfy all these restrictions, THEN you now have to remember all your roots, and the additions to the roots that make this a good idea.

    I have been doing this for years, I have 3 roots, to satisfy the requirements, with prefixes and suffixes. I also have keepass and a keychain.

  51. tundey says:

    I just reset my password every time I visit a site with weird password requirements.