I’m disappointed to see swordfish didn’t make the list. Young people just don’t respect the classics.
Me, I’m sticking with GJ7B!X.
Nope.
But most are some form of the “primary” password I’ve used for 20 years (with random numbers, punctuation and a mix of upper and lower case added) and, yes, I have a list of them written down dinosaur-style on paper* and updated as needed.
*Well I figure that when I die, anyone going through my personal effects will find that list and be able to use up my PayPal account, Chase Bank accounts and what-not. Since if I am dead, I won’t care.
It doesn’t have mine. I’ve been using |drowssap| for 16 years, never had a problem.
What I would love is for more sites to allow access without a password. I don’t really need protection on my LinkedIn account. Or even SDMB. If someone wants to go to the trouble to pretend they’re me and post something, I can live with that.
For sites I want to be secure, I use the same password everywhere if I can. Or a variation of it. And for my security question, I usually use something like “what color is a banana?”
Four days ago, someone on the net tried to break into my bank using my card number.
The attempt failed, prompting the bank to ask me by email whether I had tried and failed to access my accounts. So I changed everything needed for the bank site, including my password.
I used my debit card’s tap-to-pay for only the second time on Thursday or Friday, and it didn’t work, so perhaps it was scanned by a blackhat. I had to insert the card into the reader and punch in my PIN (at a supermarket). So I’m avoiding the tap-to-pay option again.
None of my passwords are repeated and neither are the hints. The browser’s password manager can’t encrypt them, so I don’t use it. And I’ve read too many horror stories about Apple’s full-disk encryption (and tried it, once) to bugger around with that.
None of my passwords is on that list. But overconfident I’m not.
There are some vulnerabilities that can be activated by embedding special characters in fields that are submitted. SQL injection if you want details.
One of the easiest countermeasures is to simply disallow the special characters that make it possible. That also usually prevents newly discovered holes from being exploited before they can be patched.
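An added example, not part of any poster's comment: a character filter in front of a login query compared with a parameterized query plus salted hashing, using Python's built-in `sqlite3`. The table layout, the blocklist and the function names are assumptions made for illustration; the sample password is the generated-style one quoted later in the thread.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Assumed blocklist: characters a filter-based site might refuse in any field.
BLOCKLIST = re.compile(r"""['";\\-]""")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_pw(password, salt):
    # Only this derived value is stored; the password text never enters the SQL.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(db, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_pw(password, salt)))

def login_filtered(db, name, password):
    """Filter approach: refuse blocklisted characters, then concatenate the SQL."""
    if BLOCKLIST.search(name) or BLOCKLIST.search(password):
        return False  # legitimate users with these characters are locked out too
    query = "SELECT salt, pw_hash FROM users WHERE name = '" + name + "'"
    row = db.execute(query).fetchone()
    return bool(row) and hmac.compare_digest(row[1], hash_pw(password, row[0]))

def login_parameterized(db, name, password):
    """Placeholder approach: the driver passes the value as data, never as SQL text."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return bool(row) and hmac.compare_digest(row[1], hash_pw(password, row[0]))

def demo():
    db = make_db()
    generated = "Ix0e[n#23mIPx1;mzR"          # contains ';', which the filter refuses
    phrase = "it's a long passphrase"         # constructed sample containing a quote
    register(db, "alice", generated)
    register(db, "o'neil", phrase)            # constructed user name containing a quote
    return (
        login_filtered(db, "alice", generated),       # correct password, rejected
        login_parameterized(db, "alice", generated),  # correct password, accepted
        login_parameterized(db, "o'neil", phrase),    # quotes handled as plain data
        login_parameterized(db, "o'neil", "wrong"),   # wrong password still fails
    )

if __name__ == "__main__":
    print(demo())
```

With placeholders the quote and semicolon are ordinary data, so the site can accept password-manager output unchanged while the query structure stays fixed.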
We’ve also had threads on what was the name of your first pet and street you grew up on.
I look forward to the thread “Credit card numbers are freaking weird these days…four consecutive 8s LOL! Is yours that strange?”
I work with my dad (who owns the business) that I spend a lot of time pretending to be him. In that time I’ve memorized all his security questions, email addresses, social security number, birthdate etc. A lot of this is because I take care of all the taxes and banking for our business so it’s just easier for me to say “Yes, this is [owner], my SSN is [SSN]” etc. OTOH, it came in handy when he lost his phone and I reset his iTunes password (which he didn’t know, but I had no problem answering his security questions and logging into his email), logged into iTunes and located his phone on our property somewhere. After a few hours we still couldn’t find it and I checked again and noticed it was moving so I made it beep and he called me to say it was in his car.
As for passwords, most of mine follow the same basic formula, but because of different requirements or being forced to change them I gave up and put them in a password protected OpenOffice Calc (Excel) file. At work I must have 30 passwords but some of them I only use quarterly or even yearly. I just can’t remember all those.
The toughest part is keeping one straight with your spouse.
correcthorsebatterystaple has worked for years and I’m not changing it ’cause R. Munroe told me it was OK.
In reality I use a different password for everything. They’re all ten or more characters and since a simple algorithm creates them they are easy to remember.
I had to do something similar when I got divorced, as my ex of course thought that he had everything he needed either to access my accounts or to create new ones (apparently at one point he’d opened up six Visa cards using my info).
There is no amount of money you could pay me to get me to share password info with anyone now, after all that – including the current Mr Boods.
No, I use obscure technical terms (complete phrases, in fact, where allowed by the site) in non-English languages, with number-vowel substitutions (and not that 1 for i and 3 for e crap) as passwords, and Keepass for storing them.
But I’m disappointed this wasn’t a public multiple-choice poll with the passwords as choices.
Mustang is my favorite. Now I know what car everyone bought last year.
I seem to remember one year “princess” was very popular, I never figured that one out.
I use this one for unimportant websites. I really hate when I’m setting up a throwaway account on an unimportant website and it makes me use numbers and a capital letter.
damnit.
Mine are based on things and events from the wife’s life and hers are based on my life and past. It’s worked for us so far.
Mine too. My basic password is composed of a nickname, a football jersey number, and a position. I then vary that with extra numbers and punctuation.
Thing is, the personal informational items don’t all correspond, so you’d have to know me pretty well - as in be me, my parents, my brother, or a crazy stalker to really be able to guess my password. Even my wife would probably have a hard time, having met me decades after my football playing and nickname-having days.
Then you’d have to figure out the extra gobbledygook stuck on to make it meet all the various password restrictions- capital letters, minimum lengths, etc…
And for important accounts, I have randomly chosen strings of 15-20 characters.
The “Strangers on a Train” gambit.
I use a password manager now, and they are all now complex 15 or greater characters long, with letters (upper and lower), numbers and symbols. I just created a simple but difficult password (caps, lower, numbers, symbols, 16 characters) to remember to log into the password manager.
Spambots are the problem there.
I once thought I’d allow comments on my blog without requiring users to log in. It took spambots two days to find the blog and start plastering the comments with ads. Of course, when I required a login, I didn’t get any comments at all.
I had another site that allowed you to vote up or down without a login. Web spiders tried to click on both links to see where they went, so every poll was just about 50/50. (This was way back in the early days, running PERL-based CGI scripts.)
While there are some ways to prevent these kinds of problems without a password, the password solution is a pretty easy route, and it’s one that users are familiar with.
I do like sites that don’t require a new login on every use, though. The SDMB works that way for me. I only enter the password when I’m using someone else’s computer.
For anything important, I use 1Password (my master password is a long passphrase of over 30 characters, but is dead easy to remember and darn near impossible to crack with brute force). I use 1Password to generate random passwords, so often mine end up looking like: Ix0e[n#23mIPx1;mzR
I don’t need to remember any of them, and they’re incredibly secure. Of course, if my 1Password vault goes kaput, I’m screwed, but it’s backed up and on multiple machines. They use pretty robust encryption for the vault too. It’s been very freeing.