I really need to change all my passwords, and I'm running into the same quandary that every other computer user deals with: Creating a totally different, nonsensical password for every site is the safest but unwieldy solution, and using 012345 everywhere is easy but useless from a security standpoint.

Right now, I use variations on a theme for the 60 or so websites that I use, and I keep those on a paper and .txt document that I can refer to as needed. (Am I sharing too much info in a public forum???)

I need to make an email address change on all these sites and thought I would come up with a more secure but more manageable password system while I'm at it.

For the first time, I'm looking into Password Management software (primarily Roboform Everywhere) and wonder what everyone else is doing?

I do something like this:

1. Take a password only known to me.
2. Use it on every site, but...
3. Hash it with the domain of the site.

For example:
Say I'm using the password, "password".
For axiomaudio.com I would take the string, "password+axiomaudio.com", and run it through a hashing algorithm.

I have the tools on my computer to do my own hashing, but you can use a site like this: http://www.sha1-online.com/

So "password+axiomaudio.com" hashed with MD5 becomes: 287398526177c51d26bfc383fb4a27f8

You can use some rule to shorten the password. Like only use the last 12 characters. To make it a little stronger, capitalize the last letter, and change the second number to it's "shifted" version.

So the final password becomes: c3*3fb4a27F8

Using those rules, you can always figure out what your password for a site should be, and it will be unique for each domain.

Thanks Chris! But then how do you remember that password for convenience when re-entering the site?

I'm interested in this topic, too. Thinking about paying for LastPass, since I often use my phone and/or iPad in addition to PC.

I'm not sure I'm quite geeky enough to use Chris' method.

Passwords have always been a weak point for me. I picked a few several years back and keep using them over and over again. Definitely need a better way. I like combining 2 or more words with different capitalization and including numbers.

what i've been doing for years is this:
i think up a phrase like: "No body will ever break that pass word but me".

then when i have to write the password, i only write the first letter of each word; this is the result:
"nbwebtpwbm".
if a site also wants at least one number in the password, then i just add the number 1 at the end.

no one can ever guess at the phrase i use, much less at the pass itself, and this combination of letters can't be found anywhere.

works good for me.

Learn to perform MD5 hashes in your head?

I just use the save password feature of the browser (and have a bookmarklet that removes the instruction from a site telling the browser to not save the password on the few sites that do that). Then I have a master password in the browser to keep prying eyes out.

Create a bookmark with the following string as the URL:



Then if you click that bookmark on a site that doesn't allow password saving it'll disable that code. You might have to click it again when visiting the site next to allow the loading of your saved password. You can get GreaseMonkey to do the same thing automatically, if it is too much of a problem.

I used this method years ago with "We All Live In A Yellow Submarine" or waliays.

If you're using the same phrase for all sites, it doesn't matter how hard it is to guess. All it takes is for one site to screw up, and a bot to be programmed with their leaked list, and all your accounts will start being hacked (well, at least your webmail accounts, because that's what spammers want).

i do use many different phrases.
thanks for the tip.

Lucky for us, the Axiom forum software automatically detects and protects passwords. If you try to type your password in a post, it will automatically turn it into asterisks.

For example, this is my password: *********







(Please do not fall for this.)

You mean that paper next to the editing machine, by the side window, near where Tedy naps in the late afternoon? THAT paper?

What has been working for me lately, is I only use Forum Members' names and SS#'s as passwords, and, so far, no problems.

Bob, you always make me laugh.

Even when you're creeping me out.

Yes. THAT paper.

I'm starting to get "Password already in use" when entering Mark's SSN, now.

Boring. I was expecting some fanch schmancy attempt by Mark at social engineering to prize our forum passwords from us.

A method I recommend to more forgetful people is to create two small random strings and then insert a word associate with the web page or service. This way they only have one cryptic part to remember and the middle they can easily remember per site.

For instance.

x78&*AmazonCom%^42
x78&*Axiom%^42
x78&*JoyMark%^42

It's not perfect but its a good start for people who would otherwise just use thier birthday, daughter's name, etc.

For a manager, I've been using the free KeePassX. I don't put any monetary based services in it and chose it mostly because it has a client for every platform I use from Android to Linux. The encrypted file is stored in Dropbox so it stays synced across devices. I don't use it for banking, any monetary services and such.

A hearty recommendation for LastPass. Makes everything SO much easier (and purportedly safer). If you go this route, you should also look at it's sister/brother bookmarks/favorites manager - xmarks. Together, $20 per year to use for PCs and mobile stuff. Only combo of password & favorites/passwords tools from a single company.

A bit of advice - standardize on one browser on all of your devices. If trying to use for Chrome AND IE, things can get wonky with errors and duplicates.

I think you will really like this setup. If not, LastPass is excellent by itself.

Password Safe is a free option that works cross OS platforms and syncs up through services like Dropbox.
http://passwordsafe.sourceforge.net/