科技回声

A technology news platform built on Next.js, providing global technology news and discussion content.

You have exactly three passwords, don't you?

91 points, by FSecurePal, almost 14 years ago

28 comments

arjunnarayan, almost 14 years ago
Yes. This is why I use a password hash function. The exact hash function is in my head (and only my head), although it requires a lookup table for random bits. The lookup table is typically a poem (when I was younger, I would use digits of pi, but I consider that insecure now), but can really be any sequence of about 50+ words that I can reproduce pretty much instantaneously.

The exact hash algorithm is my secret, but the input to the hash is the URL of the website that I log into. So, we have

    f (the hash function, which is secret).
    url
    poem (think of this as the "secret key").

so at each password login I compute f(url, poem) to get my unique password.

This is secure against prefix attacks and other guessing attacks, although not cryptographically so (unfortunately, I am unable to memorize a 128-bit pseudorandom string and the algorithm for SHA2, so this will have to do).

But I'm still paranoid, so my Google account uses a completely different password that has nothing to do with any of the above, because access to my Google account is protected by 2-step verification and my Android phone, and it is a very weak link. If you compromise my Gmail account, you can pretty much use "I forgot my password" on every other account of mine. (While one of my banks requires email AND phone, since my Google account relies on 2-step there is an unfortunate correlation in the failures there. So Gmail really is account-vulnerability-complete for me.)

DieBuche, almost 14 years ago
Is there any reason for the often-repeated advice to change pws regularly? If I have a unique password like vdknzB4XoAiJIpjlN3PGf for every account, what would changing it protect me against? Hardly keyloggers, because then changing it twice a year is probably too late.

AndyKelley, almost 14 years ago
I thought the second part of his conclusion was a bit hasty:

"... and change all your logins every six months at least."

Does he have *any* idea how impractical this is? If I could even remember every login I ever made, it would probably take more than 12 hours to do the manual labor of changing the password for them. No thank you!

jbk, almost 14 years ago
I use one password per account.

I have a common shared suffix like "HuRf!z0" and then I prepend a prefix depending on the website, like "gm" for HN.

So far, this has been quite simple to use, even when I am not in front of my machine.

krakensden, almost 14 years ago
The problem with password managers is, when you're away from whatever machine you managed to get the thing set up on, you're locked out of all your accounts.

zargon, almost 14 years ago
The bank managing my 401k requires a password between 6 and 8 alphanumeric characters. Non-letter, non-digit characters are not allowed.

billybob, almost 14 years ago
I have a unique, random password for nearly every account I have (with a few throwaway exceptions). I store them all in a file, encrypted with a master password, and sync that file to all my machines using Dropbox. I open and modify the file with Password Gorilla on Mac and Linux and PasswordSafe on Windows.

Both programs read/write the same file format and allow you to create any internal hierarchy you want (e.g. Stores > Electronics > NewEgg, or News > HackerNews). Password Gorilla's UI is pretty bad, but workable. Both let me copy and paste a password without displaying it on screen.

Works great. I got the idea from Joel Spolsky: http://www.joelonsoftware.com/items/2008/09/11b.html

pavel_lishin, almost 14 years ago
Some systems don't require a complex password. I don't care if someone breaks into the game center thing on the iPhone because my password is prettypony2 - what are they going to do, erase my high scores on Tetris? I'm sure as hell not copying and pasting a 16-character password between the LastPass app every time.

troels, almost 14 years ago
Nah, I have 4. My email account has a unique mid-level password, because if that ever gets compromised, by proxy so is everything else.

FilterJoe, almost 14 years ago
I'm the person who wrote the comment on Troy's blog about the common 3-password approach, which I suppose inspired the title. What PC Magazine did not write was that I describe how hackers easily exploit it, here:

http://www.filterjoe.com/2010/05/14/the-usual-way-to-manage-passwords/

It's part of a password series with the following central advice for typical home users:

"Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password."

This guide gets them started:

http://www.filterjoe.com/2011/04/14/passwords-guide-without-distraction/

While I'm sure the typical Hacker News community member practices far-above-average password security, the vast majority of people don't see any reason why they should - or if they do, they get overwhelmed by too many complicated rules. From feedback I get, the above referenced guide works for the "average Joe."

loup-vaillant, almost 14 years ago
My preferred solution: http://blog.jgc.org/2010/12/write-your-passwords-down.html

For those who don't want to write code, I shared an implementation of that here: http://www.loup-vaillant.fr/projects/password-generator (please tell me if I made any error)

lulzmcgee, almost 14 years ago
I ran a cracking forum for a few months and found similar stats. Even in a community whose members should know better. I modded the vBulletin software to store passwords in plaintext. Roughly fifty percent of members registered with an e-mail address that was also registered with Paypal. Of those who had, roughly 75% of them had matching passwords for both the forum and Paypal.

barrkel, almost 14 years ago
I have perhaps 6 passwords:

1) My email password, which is randomly generated but memorized, and reused nowhere.

2,3,4) A handful of passwords, call them grade A, B and C, which are used in conjunction with SuperGenPass to generate passwords specific to a website. Only the top-level domain is used; for rare cases where the URL changes but the password doesn't (like amazon.co.uk vs amazon.com) I have chosen one TLD as the canonical one. The ratios of usage of A, B and C are approximately 1:2:50. No website I log in to ever shares its literal password with any other.

5) Computer account login password; this is changed every 3 months.

6) Encryption keys passphrase. Should I have anything that I want to keep private and not leak anywhere, or signing keys etc., I use a combination of letters, numbers and symbols, over 40 characters long.

Bank passwords (actually more usually numbers) and the like I have written down, unlabelled, in secure locations and memorized from frequent use.

dfischer, almost 14 years ago
I wrote up an interesting comparison of password managers on this very thing: http://blog.danielfischer.com/2011/05/12/its-time-to-start-using-a-password-manager/

JoeAltmaier, almost 14 years ago
So many sites require passwords that shouldn't. I feel jerked around - Jump thru this hoop! Make up a better password! Bark like a dog!

I say, screw you. I use a lame password for all that, and a lame username too. It makes me feel better.

For real security, I can use a better password. But somebody explain how constraining passwords improves security? If the hacker knows it contains special characters or whatever, doesn't that simplify the password space? Sure, simple combinatorics says there are more passwords if you use a larger alphabet. But you simultaneously remove the space of all possible passwords that didn't happen to have 'special' characters.
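The question above can be settled by counting, so here is an added worked example (editor's code, not from any commenter). It counts, by inclusion-exclusion, the passwords of a given length that satisfy a "must contain at least one character from each required class" rule, and compares three spaces for one length. The class sizes assume printable ASCII without the space character (26 lower, 26 upper, 10 digits, 33 specials); the function also handles the general case of several required classes at once, which the comment does not discuss.

```python
from itertools import combinations
from math import log2

# Character classes a site policy typically names. The sizes are the counts
# for printable ASCII without the space character (26 + 26 + 10 + 33 = 95).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def count_passwords(length, required=(), classes=CLASSES):
    """Count strings of `length` characters drawn from the union of `classes`
    that contain at least one character from every class in `required`.

    Inclusion-exclusion: start from all strings over the full alphabet, subtract
    those missing a required class, add back those missing two, and so on.
    A string that omits the classes in `missing` is a string over the alphabet
    with those classes removed, so it contributes (alphabet - excluded) ** length.
    """
    alphabet = sum(classes.values())
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            excluded = sum(classes[name] for name in missing)
            total += (-1) ** k * (alphabet - excluded) ** length
    return total


def entropy_bits(count):
    """Work factor of a uniform guess over `count` candidates, in bits."""
    return log2(count)


def compare_policies(length):
    """Three spaces for one length: the full alphabet with no rule, the full
    alphabet with 'at least one special' enforced, and the alphabet with no
    specials at all (what a user who never types specials draws from)."""
    no_specials = {k: v for k, v in CLASSES.items() if k != "special"}
    return {
        "unconstrained": count_passwords(length),
        "must_have_special": count_passwords(length, required=("special",)),
        "no_specials_used": count_passwords(length, classes=no_specials),
    }


if __name__ == "__main__":
    for name, n in compare_policies(8).items():
        print(f"{name:18} {n:22,d}  {entropy_bits(n):6.2f} bits")
```

Run it for length 8 and the ordering is no_specials_used < must_have_special < unconstrained: the rule does shrink the space relative to "any printable character", exactly as the comment says, but it is the space of passwords actually chosen without the rule (the 62-character alphabet) that the rule is pushing users out of.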

plainOldText, almost 14 years ago
I'm a bit different. I have approximately 10 important passwords that are only in my head and are between 20-40 characters long. They are completely nonsense phrases with numbers. I noticed that if I make them nonsense I tend to memorize them better. For the rest of the non-important stuff I use a password manager.

Funny note: Once I decided to change my passwords for 2 encrypted drives and a couple of days later I forgot them, so I lost all the information. I recovered some of it because I also stored it on some non-encrypted drives, but still, I learned my lesson. The brain has its shortcomings too. :)

27182818284, almost 14 years ago
I started using pwgen for passwords. These are long passwords containing symbols, letters, and numbers and nothing resembling a word.

What I find interesting is that I don't know what any of the passwords actually are. Instead, I simply have the muscle memory to type them. This is a problem if I have to remember that same password for the website's new app on my phone. In that case, I have to sit next to an actual keyboard to recall the password and type it into my phone.

zedpm, almost 14 years ago
Good grief, no. I have dozens of passwords. The 10 or so that I use regularly are committed to memory, the rest may require me to consult a legal pad or KeepassX, the latter being protected by an extremely long and complex password unique to it. I do of course reuse some of the passwords, given that there are only a couple dozen of them and probably 100 or more accounts which use one of them.

nt, almost 14 years ago
I use Password Composer http://jlpoutre.home.xs4all.nl/BoT/Javascript/PasswordComposer/ which hashes your password with the website URL. There is a convenient Greasemonkey script that works on Firefox and Chrome.

reve, almost 14 years ago
I don't want to store my passwords anywhere, so I wrote a password maker for myself. Every time I need a new password or forget an old password, I run the tool, input the master key and some other hints, and then I get what I want.

pnathan, almost 14 years ago
4-6 base passwords, combined with a sequence of standard variations.

Would be nice to have pubkey authentication with the pubkey stored on a distributed system online which I could revoke/regenerate at will.

karolist, almost 14 years ago
I have 165 personal passwords, and around 50 related to corporate stuff. Stored in KeePass in a TrueCrypt container on Dropbox; that way I'm able to access all of them across my linux/win/osx machines.

mmahemoff, almost 14 years ago
Federated login is becoming more prevalent all the time. OpenID started the trend and yesterday's Apple-Twitter integration is the latest example.

We'll need fewer passwords in the future.

forsaken, almost 14 years ago
I use 3 passwords: one for my email, one for my computer's login, and one for my password manager's master password.

greyfade, almost 14 years ago
Hm. I have 8. 13 if you count the ones I haven't memorized yet. :P

lachyg, almost 14 years ago
They had me nailed! Sort of embarrassing.

cwp, almost 14 years ago
No. I have exactly 146 passwords.

georgieporgie, almost 14 years ago
I used to keep a list of individual passwords in a GPG-encrypted container. Then I would copy-pasta them around, as needed. I realized this is just a huge security hole, particularly since I use ClipX (multi-clipboard tool, shows a clipboard history on Ctrl+Shift+V). Also, GPG would mysteriously eat the file on one machine every now and then.

Now I mostly use pwdhash.com and three or so tiers of passwords. Works well. I still have the GPG file, but I use it mostly for keeping track of my gibberish answers to dumb security questions ("who was your senior prom date/where did you meet your wife").
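Several comments in this thread describe the same idea from different angles: arjunnarayan's f(url, poem), jbk's per-site prefix in front of one shared suffix, barrkel's SuperGenPass with one canonical TLD per site, nt's Password Composer, and georgieporgie's pwdhash.com. The following is an added worked example written for this page; it is not any commenter's tool and not how SuperGenPass, Password Composer or PwdHash actually derive their output. It assumes PBKDF2-HMAC-SHA256 as the derivation, a small constructed alias table for sibling domains, a constructed master secret, and the literal suffix "HuRf!z0" quoted in jbk's comment. It also shows, with a common-suffix check, why arjunnarayan calls the scheme resistant to "prefix attacks" while FilterJoe says the shared-part approach is easily exploited: two derived passwords share nothing, two prefix-plus-suffix passwords share the secret.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Sibling domains that share one login, folded to a single canonical name
# (constructed alias table; barrkel's amazon.co.uk vs amazon.com case).
CANONICAL_ALIASES = {
    "amazon.co.uk": "amazon.com",
    "amazon.de": "amazon.com",
}


def canonical_site(url):
    """Reduce a URL or bare host to the name that seeds the site password.

    Only the host matters: it is lower-cased, a leading 'www.' is dropped and
    aliases are folded, so 'https://www.Amazon.co.uk/ap/signin' and
    'amazon.com' yield the same seed. Scheme, path and query are ignored,
    otherwise the login page and the password-change page would disagree.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[len("www."):]
    return CANONICAL_ALIASES.get(host, host)


def derive_password(master, url, length=20, rounds=50_000):
    """Site password = KDF(master secret, canonical site name).

    PBKDF2-HMAC-SHA256 is used rather than a bare hash so that someone who
    obtains one site's password still faces a slow, per-site-salted search
    for the master secret. The digest is base64url-encoded (letters, digits,
    '-' and '_') and cut to `length` characters.
    """
    site = canonical_site(url)
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.encode("utf-8"), rounds)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


def suffix_scheme(site_prefix, shared_suffix="HuRf!z0"):
    """jbk's scheme from this thread: a short per-site prefix in front of one
    shared suffix (the suffix value is the one quoted in the comment)."""
    return site_prefix + shared_suffix


def common_suffix(a, b):
    """Longest common suffix of two strings: what two exposed passwords from
    one scheme reveal about each other."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:] if n else ""


if __name__ == "__main__":
    master = "example-master-secret"  # constructed sample, not a real secret
    for url in ("https://www.Amazon.co.uk/ap/signin", "amazon.com",
                "news.ycombinator.com"):
        print(f"{url:36} -> {derive_password(master, url)}")
    # Two passwords from the prefix-plus-suffix scheme expose the shared part;
    # two derived passwords share nothing beyond chance.
    print("shared suffix leaked:", repr(common_suffix(suffix_scheme("gm"),
                                                       suffix_scheme("fb"))))
    print("derived in common:   ", repr(common_suffix(
        derive_password(master, "a.example"), derive_password(master, "b.example"))))
```

The output alphabet is base64url, so a site that insists on other symbols, or caps length the way zargon's 401k bank does (6 to 8 alphanumeric characters), still needs a per-site exception; that is the usual practical weakness of pure derivation schemes and the reason several commenters keep a manager or a written list alongside. Changing the master secret also changes every derived password at once, which is what makes rotation on a schedule (DieBuche's question) expensive under this design.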