An AP report on a survey conducted by Accenture indicates that the overwhelming majority of Internet users use a single username/password combination for the majority, if not all, of the websites they visit. The problem with this is obvious: if your password for one website is found out by a bot or by a dodgy site administrator, then someone has access to every site you are registered for.
Of course, they have to know which sites you are registered for, but they can make a few educated guesses, like trying the major bank sites or the more popular internet commerce sites like eBay, PayPal, etc. Now I freely admit that I used to do this myself, as remembering different passwords for each site is a pain in the neck. The only concession I made to the insecurity of this method was that I had a few different passwords that I would use in different situations; the password I used on my banking site was not the same one that I would use on a forum account.
I did try using a password vault application at one stage. The obvious limitation to this, though, was that if I wasn't on a system that had the application then I couldn't access my passwords. Some of the smartphones I have seen have this sort of application on them now. The BlackBerry I use has one, but I have not tried it in anger yet.
Some time ago I found a great tip on creating varied and still easy to remember passwords from Steve Gibson of Gibson Research. Start with one or more standard passwords; I personally have more than one, and all of them are secure passwords to start with. That is, they are not regular words or names, and they contain capitals, numbers and special characters. Each of these base phrases is assigned to a specific segment of the sites you might visit. This could be split by use, or even just alphabetically: A-E, F-M, etc. Whatever decision criteria you use, once you know which base you will be using, you then apply an algorithm that changes that base phrase depending on some category of the site or on the site name.
This algorithm can be complex, but it is better if it is one you can quickly do in your head and is not too obvious. For example, if the site name has more than 5 vowels, increase all the numbers in the base phrase by 1. Or another example: the 3rd, 4th and 8th characters in the address are added at specific positions of the base phrase. Both of these are very simple examples, but even at this level of simplicity someone would need to see multiple different passwords to be able to decode the algorithm, and as long as the base phrase is a fairly secure one it will be very hard to determine with ease which characters are base phrase and which are algorithm.
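To make the scheme concrete, here is an added example that implements the two rules above as a password-derivation function. It is not Steve Gibson's or the author's code, and everything in it beyond the two stated rules is an assumption: the three base phrases are constructed placeholders, the alphabetical split is A-E / F-M / N-Z on the first letter of the host name, a digit of 9 wraps to 0 when "increased by 1", and the three address characters are inserted after the 2nd and 5th characters of the base phrase and at its end. It also handles the edge case the second rule leaves open, an address shorter than 8 characters, by simply omitting the missing character.

```python
import re

# Constructed placeholder base phrases, one per alphabetical segment of
# site names as the post suggests. These are not real credentials.
BASE_PHRASES = {
    "A-E": "Tr0ub@dor&3",
    "F-M": "c0rr3ct!Horse",
    "N-Z": "St@ple#7b",
}

VOWELS = set("aeiou")


def normalize_site(url: str) -> str:
    """Reduce a URL or hostname to the bare host the rules operate on:
    lower-cased, with scheme, path and a leading 'www.' removed."""
    host = url.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host)   # drop scheme
    host = host.split("/", 1)[0]             # drop path
    host = re.sub(r"^www\.", "", host)       # drop www. prefix
    return host


def pick_base(site: str) -> str:
    """Choose the base phrase from the site's first character.
    The A-E / F-M / N-Z split is an assumption; anything that sorts
    before 'f' (including digits) goes to the first segment."""
    first = site[:1]
    if first <= "e":
        return BASE_PHRASES["A-E"]
    if first <= "m":
        return BASE_PHRASES["F-M"]
    return BASE_PHRASES["N-Z"]


def bump_digits(phrase: str) -> str:
    """Rule 1 from the post: increase every digit in the base phrase by 1.
    Wrapping 9 to 0 is an assumption; the post does not say."""
    return "".join(str((int(c) + 1) % 10) if c.isdigit() else c
                   for c in phrase)


def splice_address_chars(phrase: str, site: str) -> str:
    """Rule 2 from the post: the 3rd, 4th and 8th characters of the
    address are added at specific positions of the base phrase. The
    positions used here (after the 2nd and 5th characters, and at the
    end) are an assumption. If the address is shorter than 8 characters
    the missing character is simply omitted."""
    p3, p4, p8 = (site[i] if i < len(site) else "" for i in (2, 3, 7))
    return phrase[:2] + p3 + phrase[2:5] + p4 + phrase[5:] + p8


def derive_password(url: str) -> str:
    """Apply the full scheme: pick a base phrase, bump its digits if the
    host has more than 5 vowels, then splice in the address characters."""
    site = normalize_site(url)
    base = pick_base(site)
    if sum(1 for c in site if c in VOWELS) > 5:
        base = bump_digits(base)
    return splice_address_chars(base, site)


if __name__ == "__main__":
    # Constructed sample addresses: one per segment, one triggering the
    # vowel rule, and one too short to have an 8th character.
    for url in ("https://www.example.com/login",
                "videoeducation.org",
                "io.cz"):
        print(f"{url:32} -> {derive_password(url)}")
```

Run as a script it prints one derived password per sample address; the same base phrase yields a different password for each host, which is the whole point of the scheme, while the base phrase itself never appears unmodified.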