75 Percent of Individuals Use Same Password for Social Networking and Email (securityweek.com)
46 points by securls on Aug 16, 2010 | hide | past | favorite | 33 comments



Isn't email the only password that 'really' matters?

Barring super-secure sites like banks, if you have the email password, you have every 'forgot my password' link available - which will typically either let you reset the password, locking the user out, or even send you the password itself!

This fact made me stop caring too much about varying individual 'random site' passwords - I just make sure to use a unique one for my email.


Email passwords matter more, but it's not the only one. If you use the same password for a random forum as you do for Facebook, that could still get you in a fair amount of (social) trouble.


My method of "remembering" passwords, yet not using the same password for everything, is that I created a simple hash function which I can compute in my head.

I take the name of the website I'm visiting as the input for the hash.

Probably not the safest method of creating passwords, but it's practical in that I get a unique password per site... and I access my list of unique passwords anywhere I go.


Sounds risky. After all, there is at least one website where they now know that strategy and have access to your password for that site.


There are a lot of possible hash functions and little way to tell which one he is using.


It's not perfect.

But given a seemingly random string of characters, is it easy to deduce the exact hash function that I use?


I don't know, let's have some examples ;)


You could use an actual password as a kind of salt.


Oft-suggested solution, plenty of existing implementations, e.g. passwordmaker.org.


"Additionally, the study revealed that 87 percent of email IDs, user names, and passwords gathered from various sources were still active."

That is a pretty strong case for using an OAuth account that can show you everything that is authorized. I have no idea how many old "jaxn" accounts from the Web 2.0 phase are active and forgotten.

I would imagine that 75% figure is pretty close to the percentage of people who use the same password for pretty much everything. I would also imagine that at least 75% of HNers are in the other 25%.


I don't use the same password for every website, but I do use slight permutations. (For example, adding extra numbers or letters onto the end of a longer random letter and number root password that I have memorized.)

Of course this is probably not the best technique, but it's probably secure enough. In addition, I do use alternate passwords for sites that I don't trust. So, for example, I would never use a permutation of my email password for a random site on the internet.


I take a slightly different approach. I use the permutation method for most websites, but then I have long, random, and unique passwords for the key stuff like banking, primary email, and servers.


I have pretty much 3 (pretty different) versions of the same password (light, medium, heavy xD), one side-password for certain things, and 1 unique one for banking that's only in my head. Worked for me in the last 5 years...

(ftp, cpanels and other client info excluded)


I use block permutations where my main password is rearranged by adding and removing similar blocks of characters and numbers. Not a very efficient method, I must say. I feel a website-name-specific hash function is the way to go, and I use it for one password already.


KeePassX + Dropbox = no more need to remember passwords.

Although KeePass is annoyingly fussy about concurrent access to the database. I should investigate if there are other options that also will work across Linux, Mac, iOS, Android, and Windows.


1Password just announced a Windows version to complement their existing, amazing Mac program. They also have iPhone/iPad versions. Doesn't help you with Linux though.

http://agilewebsolutions.com/products/1Password


I use the same method across (most of) my platforms.

Linux - KeePassX
Win 7 - KeePass
iOS - MyKeePass (manually updated from database in Dropbox)
Blackberry - KeePass for Blackberry (manual update of database)

I've luckily not had issues with concurrent database access.

(Doesn't help


I use a system of increasingly difficult and unique passwords.

Level 1: Social networks, forums, etc. simple 8 character alphanumeric.

Level 2: iTunes, eBay, Amazon. Longer alphanumeric with variations unique to each site.

Level 3: PayPal, email, banking. Longer alphanumeric + special characters and completely unique for each site.

Others: Some sites, like my ISP and bank send the password only by snail mail (I had to change my password once for DSL. It was not pretty). This goes into a lockbox.

I'm looking into applications like 1Password.


I use http://supergenpass.com/ which generates a password by hashing a single password with the website's domain name (and since it's all in JavaScript you can host the code from your own domain).
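The domain-keyed derivation discussed in this thread (one memorised master secret, a different password per site, and a leaked site password that reveals neither the master nor the other sites' passwords), as an added example. This is not supergenpass's, pwdhash's or passwordmaker's own code: it uses HMAC-SHA256 keyed by the master secret, normalises the hostname to its last two labels (an assumption; a real tool would use the Public Suffix List), and mixes in a counter until the output satisfies a constructed complexity rule.

```python
"""Deterministic per-site password derivation keyed on the domain.

Added example, not supergenpass.com's or pwdhash's own code. One memorised
master secret is expanded into a different password per domain with
HMAC-SHA256, so a password leaked from one site does not reveal the master
or the passwords for any other site.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Normalise a URL or bare hostname to the part the password is keyed on.

    Assumption: the last two labels of the hostname identify the site, so
    'www.example.com' and 'login.example.com' share one password. A real
    tool would consult the Public Suffix List for names like example.co.uk.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Return a deterministic password for `url` derived from `master`.

    HMAC-SHA256 keyed by the master secret is a one-way function of the
    domain: the output is fixed for a site but cannot be inverted to recover
    the master. A counter is mixed into the message and incremented until the
    truncated output contains a lower-case letter, an upper-case letter and a
    digit, so the result passes a typical (constructed) complexity rule.
    """
    if length < 8 or length > 43:  # 32 digest bytes -> 43 base64 characters
        raise ValueError("length must be between 8 and 43")
    key = master.encode("utf-8")
    domain = site_key(url)
    for counter in range(256):
        msg = f"{domain}:{counter}".encode("utf-8")
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        candidate = base64.b64encode(digest).decode("ascii").rstrip("=")[:length]
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate
    raise RuntimeError("could not satisfy the character-class rule")


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed master secret
    for site in ("https://www.example.com/login", "example.com", "https://example.org"):
        print(f"{site:32} -> {derive_site_password(master, site)}")
```

The normalisation step matters in practice: if the key were the full URL, a login page reached through a different subdomain or path would silently produce a different password. Keying on the registered domain also means a phishing page on another domain never receives the real site's password.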


Pwdhash is another option. There's a Firefox plugin for it that I use.


Just throwing the solutions I've found onto the suggestion heap... I prefer to keep all my passwords in an encrypted flat text file, for one thing because I keep more than web site passwords in there, so web-specific password managers don't meet all my needs.

If you're an Emacs user, as of version 23 or so GNU Emacs can transparently read and write GnuPG-encrypted .txt.gpg (or .org.gpg, or...) files. Not that there aren't plenty other ways to save encrypted text, but it's nice to have something that's integrated into the program you spend half your time in anyway...

If you use Windows but not Emacs, Steganos LockNote is a free, minimalist program offering symmetric AES encryption — it's a standalone .exe containing both the program and your data, so you just double-click on the .exe "document" to open your encrypted file in a Notepad-like interface. I doubt it has been vetted to the extent that GnuPG has, but it's surely enough to keep your average laptop thief from getting all your passwords.


I use a unique generated password for every instance. Then I store these passwords in yaml files on an encrypted partition on my hard drive that is unlocked by a keyfile on a USB stick. I wrote a little script that searches these yaml files and automatically copies the password found for a given key (usually a site nickname, like "hn") to the clipboard, so I can just paste it in. This is both convenient and allows me to use a unique, strong password for every site and service I use.


I'm not surprised; I used to do the same.

A few months ago I started using KeePass for storing everything, and it's worked out really well for me (I wrote a post about it, plus some tips n' tricks, here: http://www.loopycode.com/solving-sign-up-anxiety/.)


A nice side-benefit of KeePass is that it enables you to use randomly-generated answers to mandatory "security" questions.

I can put a 32-character alphanumeric string as my answer to "what is your mother's maiden name?" or "what city were you born in?" and store the answers in the KeePass entry.

The only downside is that since I also create a unique email address for everything, it can become a bit tedious to sign up for a new service and generate the email address and password.


If you use a Mac...

http://agilewebsolutions.com/products/1Password

Absolutely fantastic.


I use the same password for everything - just me?


Definitely not just you; that's the point of the article.

Most people aren't aware of the dangers, though. Are you?


Yea. Password managers suck, though. And remembering numerous passwords is really hard.


Hence the suggestions for passwords that are a variation on a theme:

  PclarkYcombinator123$%^
  PclarkGmail123$%^


The problem with that approach is that once someone figures out 1 of your passwords "PclarkUnsecureWebsite123$%^", it becomes easy for them to guess "PclarkGmail123$%^".


Yes, but that is if someone is looking at it. It is not easy for them to script if they stole a database of accounts and passwords.

I am under the impression direct, targeted attacks are pretty rare, and that most of the purpose of a password is to prevent wide-spread automated attacks.


I will adopt this strategy ;)


I am not surprised in the least about this article.

There are ample examples on the Internet on how hackers manage to exploit one vulnerability, obtain a password, and then cause all sorts of damage since people tend to use the same password almost everywhere.

Getting someone's information and exploiting it has become so easy with social networking, it is frightening. This article http://l.niden.net/identitytheft demonstrates how someone can use your social circle to steal your identity. It is definitely not a far fetched story - it is reality and most people seem to ignore it.

Let us not forget the debacle of Rock You (http://l.niden.net/rockyou-cleartextpasswords) where they were storing passwords in clear text. Once the hacker got in, he had everyone's password for that service and for many others I'm sure.

I would be very interested to see what is the percentage of Facebook users that use passwords like: 'password', '123456', 'letmein' etc. I know my brother in law was one of them....

I wonder if any people from that 75% have heard of services like LastPass? (http://lastpass.com).
