if you're a security dork, check out quepasa, a system that lets you remember one passphrase and use it for every website, without actually reusing the same password on any of them.

here's an example: you need a password for Amazon.com, and you've previously selected the passphrase I am too sexy for my shirt. simply type:

quepasa amazon "I am too sexy for my shirt"

in this case the password is WQ45f(A.. notice how it's a mixture of letters, numbers and other characters. now you need a password for Yahoo! as well. run the same command:

quepasa yahoo "I am too sexy for my shirt"

in this case the password is %kHcyMQ..
a good extension of the process i currently use: a sort of algorithm to change passwords between sites, while keeping them predictable by me. this way when i come back to some random support forum, i can remember my password quickly, without trusting them with my "real" password.
why bother? why not use one password for every site? it's simply a matter of trust. let's say you have the same password for your online trading company, your online bank, and your webmail. do you trust all of those sites? they're probably big-name companies with plenty of insurance and internal audits of security processes, backups, internal database encryption, firewalled everything, etc. you can probably trust those companies not to divulge your password, along with 10,000 other clients', in a security breach. maybe.

now what about generic_computer_help_forum.com? do you really trust some guy to secure his database? even ignoring attacks and password leaks, what makes you think this guy isn't hosting the site purely to harvest passwords? instead of hashing your password before storing it in his database, he keeps it in the clear and sells it off to shady folk.

so, to avoid disclosing a valuable, sensitive password (e.g. your banking password) to any old potentially-shady website, mixing up your passwords is recommended. but remembering hundreds of passwords is not going to happen, so people develop an algorithm. for example, take a good base password and mix in the initials of the website you are visiting: a wellsfargo password might be Wl4kers4evaF, while your eBay password would be el4kers4evaB.

the problem with this is that a stolen password, correlated with the site it came from, reveals its structure. for example, if bob's honda_forum.com password was Hl4kers4evaF, and honda_forum.com nefariously sold its password database to some evildoers, they might take the time (not very likely) to notice the H and F wrapped around bob's password, try W and F for his wellsfargo account, and break the scheme.

seem unlikely? well, what if the passwords are correlated with names? then ten shady sites that sell their passwords this way let a black-hat build a dossier on a user, noting his password for each site visited:
honda-forum.com - Hl4kers4evaF
beastieboyfanclub.com - BBl4kers4evaFC
corporate-stuff.com - Cl4kers4evaS
potbellypigfarms.com - PBl4kers4evaPF

once this dossier is built for a hacker's target, the scheme is obvious. logging in to other sites becomes a trivial task and the target's identity is taken over.
quepasa is a better way of doing this. instead of naive and simplistic methods like appending site names, acronyms, or numbers to a common password, it uses cryptographic techniques to produce passwords that are irreversible (but still repeatable): you can't recover the passphrase, or any other site's password, from one derived password. the one thing it doesn't remove is the need for a strong passphrase, since anyone holding one leaked password and the tool can test passphrase guesses offline. the above dossier becomes useless to an attacker:
honda-forum.com - WQ45f(A..
beastieboyfanclub.com - #krRxl$%)
corporate-stuff.com - afG%J-4
potbellypigfarms.com - bcg5$S-R
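to show what "irreversible but repeatable" means in practice, here is an added python example of the same idea. this is my own illustration, not quepasa's code: i don't know quepasa's actual algorithm, so the PBKDF2-HMAC-SHA256 derivation with the site name as salt, the character alphabet, the character-class policy, the iteration count and the sample wordlist are all my assumptions. it builds the dossier above from one passphrase, and also shows the remaining risk: with one leaked derived password an attacker can still test passphrase guesses offline.

```python
import hashlib
import hmac
import string

# assumptions for this illustration: the alphabet, the key-stretching parameters
# and the site-name-as-salt construction are mine, not quepasa's documented design.
SYMBOLS = "!#$%()*-."
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
ITERATIONS = 100_000  # key stretching: slows down offline guessing of the passphrase


def has_all_classes(pw: str) -> bool:
    """policy check: lower, upper, digit and symbol must all appear."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def derive_site_password(site: str, passphrase: str, length: int = 10) -> str:
    """deterministically derive a password for one site from the master passphrase.

    the site name is the salt, so one passphrase gives unrelated outputs per site,
    and no output can be reversed into the passphrase or into another site's password.
    """
    site = site.strip().lower()  # "Amazon" and "amazon " must agree
    seed = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               site.encode("utf-8"), ITERATIONS)
    # expand the seed into candidate passwords until one satisfies the policy;
    # the counter keeps this deterministic (same inputs -> same choice).
    # the byte-to-alphabet mapping has a slight modulo bias (256 % 71 != 0), which
    # is acceptable for an illustration but would be rejection-sampled in a real tool.
    for counter in range(256):
        stream = hmac.new(seed, bytes([counter]), hashlib.sha256).digest()
        pw = "".join(ALPHABET[b % len(ALPHABET)] for b in stream[:length])
        if has_all_classes(pw):
            return pw
    raise RuntimeError("could not satisfy the character-class policy")


def build_dossier(sites, passphrase):
    """what an attacker collecting leaked passwords would see, site by site."""
    return {site: derive_site_password(site, passphrase) for site in sites}


def guess_passphrase(site, leaked_password, candidates):
    """the remaining risk: with one leaked derived password and the public
    algorithm, an attacker can test passphrase guesses offline. returns the
    matching candidate, or None if no guess reproduces the leaked password."""
    for cand in candidates:
        if hmac.compare_digest(derive_site_password(site, cand), leaked_password):
            return cand
    return None


if __name__ == "__main__":
    passphrase = "I am too sexy for my shirt"
    sites = ["honda-forum.com", "beastieboyfanclub.com",
             "corporate-stuff.com", "potbellypigfarms.com"]
    for site, pw in build_dossier(sites, passphrase).items():
        print(f"{site} - {pw}")
    # constructed wordlist: the phrase is a song lyric, so it is in range of a guesser
    leaked = derive_site_password("honda-forum.com", passphrase)
    print("recovered passphrase:",
          guess_passphrase("honda-forum.com", leaked,
                           ["password", "letmein", "I am too sexy for my shirt"]))
```

the dossier values look like line noise and tell the attacker nothing about each other, which is the point of the post. the last call is the caveat: the derivation is public and deterministic, so a song-lyric passphrase falls to a wordlist, and only the iteration count and the passphrase's own entropy stand between a single leaked password and every other account.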