I just checked and I have over 100 UserIDs and passwords. The vast majority of them are for sites that don’t have any of my personal information but require registration before viewing or commenting. I don’t really care if someone hacks into those sites with my UserID. For those sites I use a weak password protection scheme. I use the same UserID and a password that has a code word, numbers, and something specific to the site that I can remember. I’ll let my browser remember the UserID and password, but sometimes I’ll have to type it in. So, let’s assume that my UserID is WellGolly and I want to register with the New York Times. The first part of my password will be NYT followed by a code word. Here’s where you get creative. Make up a pseudo-word like delk or kifr. It helps if it is easy to type, i.e., the keys are next to each other on the keyboard like these. (But not qwerty or asdf.) Then add a number to the end. Pick something like the first four digits of your locker combination in high school, your street address when growing up, or the year you graduated from high school. Then add a special character like ! or #. That should satisfy most password checkers and no one is going to guess the password. So my hypothetical New York Times password would be NYTkifr3212!. My Washington Post password would be WPkifr3212!. A lot of places use your member ID as your UserID. There’s no way I’m able to remember all of these, so for all of the sites in this category I’ll let the browser or operating system remember my UserID and password.
The second kind of password is one where they have my credit card information. For these I never use a UserID that is visible on the web. They frequently use email addresses as UserIDs, so it’s hard to get a secure UserID to use on these sites. For these sites, when I want to receive their spam I create an email account with their name as my email address, e.g., Sears@WellGolly.com or Amazon@WellGolly.com. I can filter their email and look at it from time to time. For sites where I don’t want to receive spam, I use NoSpam@WellGolly.com. This goes directly into the trash and I only look at it if I need to reset my password or go through a confirmation link to activate my UserID on the site. If you don’t have your own domain to play with, set up a free account at Google or Yahoo and use it only for registrations. The other benefit of this strategy is that if one of these sites is cracked, the crackers can’t use the email and password information from the cracked site on a different site.
I use the same strategy as above, just a different code word and number than the one for the throwaway sites. I let very few websites keep my credit card information—usually only places where I make frequent purchases. And by frequent, I really mean frequent—like weekly.
The third kind of password is for banks and credit card companies. Here I use a different code word for each account. That way, even if someone knows my strategy for choosing passwords, and my throwaway code word, there is no way they can guess the password. I’ll also use a number that is secure but that I’ll remember—like the number for the garage door opener or the security code for the alarm at the office. The code word is something associated with the bank; for example, my password at Bank of America might be BOAcindr1875!#. I use these often enough that the code word is easy to remember.
Banks are starting to use additional questions to verify your identity. Unfortunately, the questions they pick aren’t things I can remember. They used to ask things like mother’s maiden name and city where you were born. I know the answer to those kinds of questions. They’ve moved to questions that can’t be googled. One account wanted to know my favorite candy, color, and band. I won’t be able to remember what I told them so I’ll have to write the information down somewhere. On a Mac, you can use Keychain Access to create a secure note where you can write that stuff down. It’s a very bad idea to keep that information in a regular text file. If you don’t have a way to save it securely, then write it down on a piece of paper and store it somewhere secure.
Keychain Access (and other password managers) will let you test how easy it is for random crackers to crack your passwords. All of the passwords that are generated with these methods receive Excellent scores. You can get better scores by increasing the length of the password, and that might be something to consider.
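To show why a strength meter rates these passwords “Excellent” while the scheme itself has far less room in it, here is an added example (not from the original post) that builds a password the way the three tiers above describe and then compares the meter’s character-by-character estimate with the keyspace that is actually left once the structure (site prefix + code word + number + symbol) is known. All values are constructed, not the author’s real secrets.

```python
import math
import string

# Constructed symbol set a user of this scheme might draw the trailing
# special character from; the post only names ! and #.
SPECIALS = "!@#$%^&*"


def build_password(site_prefix: str, code_word: str, number: str, special: str = "!") -> str:
    """Assemble a password the way the post describes: site tag + code word + number + symbol."""
    return f"{site_prefix}{code_word}{number}{special}"


def meter_entropy_bits(password: str) -> float:
    """What a generic strength meter assumes: every character drawn independently
    from the union of the character classes it sees. This is the view under
    which NYTkifr3212! scores 'Excellent'."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(charset)


def scheme_components_bits(code_word_len: int, number_len: int, specials: str = SPECIALS) -> dict:
    """Per-component entropy once the structure is known. The site prefix is
    derived from the site name, so it contributes nothing; the code word is
    lowercase letters, the number is decimal digits, the symbol comes from a
    small set."""
    return {
        "prefix": 0.0,
        "code_word": code_word_len * math.log2(26),
        "number": number_len * math.log2(10),
        "special": math.log2(len(specials)),
    }


def residual_bits(components: dict, known: set) -> float:
    """Bits left to guess after some components are already known. Within one
    tier the code word and number are shared across sites, so one plaintext
    leak leaves only the components not in `known` for every sibling site."""
    return sum(bits for name, bits in components.items() if name not in known)
```

With the post’s example, the meter sees about 79 bits for NYTkifr3212!, the known-structure keyspace is about 35 bits, and after a sibling site in the same tier leaks the code word and number, a different site in that tier has about 3 bits left.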
For banks and credit cards, never ever let the browser or operating system save your id and password. If someone has access to your computer, then they have access to your accounts.
Update 2011-01-09: This article calculates the time required to hack a few common types of passwords. Dictionary words and random letters don’t take very long. A three word phrase takes basically forever. Add a few numbers and only the NSA is getting in.
Update 2011-07-18: “The only secure password is the one you can’t remember” is an interesting read if you’d like to know more.