A really simple example would be:
cabbage123!face <- Facebook
cabbage123!goog <- Google
cabbage123!twit <- Twitter
I only have two things to remember - the root part of the password and the way to generate the last part. Obviously, just using the first four characters isn't the best idea, but you can change that part to whatever you want to - it's kind of your own secret key.
1) Some sites place rules on the password. A bank I used limited passwords to 6 characters! Can't believe someone thought that was a good idea.
2) If you use this on random sites someone might pick up the format quite easily if they are targeting you. I'd suggest using layers of 'root' so random sites you sign up for use one root (e.g. HN), mid-security sites use another root (e.g. FB), and high need for security sites use a third root (Financial). I do something like this to limit risk and it's not too hard to remember.
Regarding the single point of failure which I believed previously was a problem with password managers, Voxic11 explained otherwise a couple months back in a previous thread:
"LastPass and other password services don't actually store your information in any way they can read it. What they do is store the password information as an encrypted blob and the public key derived from your password. When you "log in" you actually are running the key derivation function on your password locally, then signing a message with your private key and sending that to LastPass. When they receive the signed message they check it against your public key and if it passes they send you your password information, which you then decrypt client-side. So anyone who compromises LastPass gets nothing except a bunch of encrypted blobs and public keys. The only way to get at your LastPass information is to retrieve the unencrypted copy off your computer's memory, but if a hacker can do that they can just steal your passwords as you type them in anyway."
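The flow Voxic11 describes, as an added example in Go that is not from the thread or from LastPass: the client stretches the master password (a single-block PBKDF2 stands in for the product's actual KDF), derives an Ed25519 login key plus a separate AES-GCM vault key, signs the service's challenge, and decrypts the returned blob locally. The salt, key labels, iteration count and sample vault are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)
// mac is HMAC-SHA256: the PBKDF2 PRF, and how one stretched secret is split into unrelated keys.
func mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}
// stretch is one PBKDF2-HMAC-SHA256 block (RFC 8018): each master-password guess costs iters HMACs.
func stretch(master, salt []byte, iters int) []byte {
	t := mac(master, append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	for u, i := t, 1; i < iters; i++ { // Ui = PRF(P, Ui-1); T = U1 ^ ... ^ Uiters
		u = mac(master, u)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}
// deriveKeys yields an Ed25519 login key (only its public half leaves the device) and an AES-GCM vault key that never does.
func deriveKeys(master string, salt []byte) (ed25519.PrivateKey, cipher.AEAD) {
	km := stretch([]byte(master), salt, 20000) // constructed iteration count; real products use far more
	block, _ := aes.NewCipher(mac(km, []byte("vault"))) // 32-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(block)
	return ed25519.NewKeyFromSeed(mac(km, []byte("login"))), g
}
// Enroll encrypts the vault on the client; the service stores only pub and the ciphertext blob.
func Enroll(master string, salt, secrets []byte) (pub ed25519.PublicKey, blob []byte) {
	priv, g := deriveKeys(master, salt)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return priv.Public().(ed25519.PublicKey), g.Seal(nonce, nonce, secrets, nil)
}
// Login signs the service's challenge with the re-derived key; the blob is released only if that verifies against pub, then decrypted locally. ok is false on either failure.
func Login(pub ed25519.PublicKey, blob, challenge []byte, master string, salt []byte) (plain []byte, ok bool) {
	priv, g := deriveKeys(master, salt)
	if !ed25519.Verify(pub, challenge, ed25519.Sign(priv, challenge)) {
		return nil, false
	}
	plain, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	return plain, err == nil
}
```

The service side holds only pub and blob; a wrong master password produces a different signing key and fails at the signature step, so the blob is never released, and even if it were, the vault key was never sent.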
2 is a good idea and I'll start doing that. It still keeps what you need to remember to a minimum while adding greater uniqueness to passwords.
His method, though flawed in other regards, would potentially work out better for this problem--if he could work out one password, he could probably guess at the rest.
1) Seamless sync between my devices. I want to be able to access my accounts on any laptop or mobile device. I use a BlackBerry, so good luck with that! (I can sideload the Android app, if that helps. :P)
2) Automatic encrypted backups. Sure, I can throw the database into Dropbox or something, heck I can set it up to sync back to my tarsnap account. But if you do this for me, I'll pay you.
3) Shared accounts. This is useful in two scenarios:
a) Accounts & passwords for use within teams/companies/etc.
b) Sharing accounts with my wife.
Right now, she doesn't have full access to my financial accounts. I really want to change that. Make it easy for me to do that.
4) Dead Man's Switch. IMO, the value of a centralized password manager is this last feature. Heaven forbid that I'm no longer around, I'd like my family to have access to my complete online & offline life to take care of things as needed.
I wish there was an API. I would use it for storing integration test accounts.
2. No guarantees that it won't be vulnerable at some point.
Lastly, it's too time consuming sometimes when I need to log in to a critical service on a PC in a public place. I need to install LastPass (and hope I can install it), then log in. If I remembered my password I could just log in without LastPass. Those precious few mins are critical if I need to log in to my host provider if my site goes down, for example.
Trust.
Fear that the tool (or database) will become corrupted and lose all of the passwords that are stored in it.
i) I want it to sync across all my devices but
ii) I don't trust cloud providers. I especially do not trust the cryptography people use.
Also, I am poor / mean and the price I am prepared to pay is below what people are prepared to charge.