Anonymous wrote:I use a single base password with an element that changes depending on the specific website.

I use a new base password each year and a new changing part each year.

I also use a spreadsheet to track any deviations to that. I keep it on a cloud service, but don't think it would be meaningful to anyone if they opened it. It also let's me have any key differences, since some sites are very specific in their requirements.

Security professionals and other smart people: how smart or dumb is my system?

Anonymous wrote:

Anonymous wrote:I use a single base password with an element that changes depending on the specific website.

I use a new base password each year and a new changing part each year.

I also use a spreadsheet to track any deviations to that. I keep it on a cloud service, but don't think it would be meaningful to anyone if they opened it. It also let's me have any key differences, since some sites are very specific in their requirements.

Security professionals and other smart people: how smart or dumb is my system?

If someone is targeting you, which is unlikely, security is really hard and at some point the hacker will switch to hitting you with a $5 wrench until you tell them the password:



Even if you are not being targeted, it is still pretty easy for a hacker to get a copy of your username and password through phishing, building fake websites that require you to generate a username and password, or hacking less secure systems. Opportunistic hackers really pray on people who reuse the same password everywhere. Even simple variations can be enough to keep them out. Something like a short easy password that you have been using for 20 years, then the year (which you change every year), then the name of the website, and then any special characters that are required (which you might keep in a spreadsheet to help you remember), may be enough to keep an opportunistic hacker out, but I would not count on it. If the part that depends on the website is more complex then the name of the site, then you probably can keep them out, but then remembering all your passwords becomes a lot harder.

The real problem with your system, however, is that keeping the spreadsheet on the cloud is less secure than using a password manager and gives you very few of the benefits. If you switch to a password manager you can use long random passwords and then only have to worry about someone taking a $5 wrench to one of their employees.

Anonymous wrote:I keep mine in hard copy in a binder - its been a life saver. Sure - its bad if someone finds it, but I keep it at my desk at home.