It's kind of hard to take a security article seriously when it says that GMail is a low-value account. GMail is your highest-value account.
Also, without claiming that password managers are a bad idea, I can confidently say that the thing you can do that is worse than having a "tiered password scheme" is not having a "tiered password scheme". I just watched someone in the security industry go through this:
Blog SQLI -> Blog Password -> Yahoo Mail Password -> GoDaddy Password, Bank Password.
If you are like me and you have forgotten all your passwords sometime, GMail is where all the "this is your password" or "reset your password" tend to go.
An email with your password is a sign of a bad security policy. Better to use a unique password for that site. Use this to remember all those passwords:
And in the event of losing GMail access I download all my GMail emails to the local client.
That said, I trust Google more than my own ISP or domain registrar; I have lost my personal domain with my personal email address one time due to their errors in the renovation.
What I do is I have an algorithm. Based on the name of the website/service and its purpose, I can calculate what my password should be on it in my head.
This means that every account I have uses a unique password composed of both alphabetical and numerical characters.
I store each of them in my head, or re-calculate one if I forget it, but I actually tend to just remember them; maybe because they follow an algorithm (or rather, a set of rules), it is easier to remember them.
And, I'm not contingent on any software to remember my passwords.
Sounds like if I were targeting your accounts specifically, I'd have a pretty easy time of it. As soon as I get hold of one or two of your passwords I can work out the algorithm and then start calculating your passwords myself.
While it might be a better approach than just using the same insecure password on every site, based on the attack suggested in this article, there isn't much benefit from your approach.
Luckily nobody is targeting his account specifically. The original point, that your low-value passwords can be harvested, is I guess well-taken. But you're pushing it.
It's a bookmarklet so you can review the code behind it and use it on any computer. You only have to remember your master password and it converts to a new password for each site. Usability-wise it's usually only 1 extra click - you put your master password into the web form's password field and the bookmarklet writes the generated password for that site over it.
I still wouldn't use it for banking or my email, but for most other things it's worked well.
I use a tiered password scheme, and I don't agree with this article.
I think it's too much of a bother to be using a password manager all the time. Especially when using public computers. It's not just the effort that bothers me. I have a feeling that doing something as extravagant as using a different password for each service will somehow make it more probable for people to steal your passwords.
I've been using the internet since the mid 90s, and I remember only one time when my password was compromised. (Granted, it is possible there were more cases that I just never found out about.) It was about 3.5 years ago, and I logged on to ICQ in a sleazy internet cafe. Some kid had a keylogger installed there and he later stole my ICQ account. I changed this password in all the places I used it.
I have a tiered password system, so I'm interested in the advice here and (candidly) unlikely to follow it. That being said, if you're putting email accounts in your low-security tier, revisit that assumption. Now. It makes every password which can be reset or recovered as secure as the least secure site you have ever signed up with.
Think of how much fun life would be if you woke up one morning and someone had compromised gmail, had godaddy send a password reminder, and then used your credentials to initiate and then authorize a transfer of your business domain to their registrar. Then a month from now you get a call: $2,000 or your site goes dark within the next minute.
The article states that stored passwords are in the cache. I use Safari on Mac, which stores passwords in your Keychain. It doesn't get deleted without your permission, is backed up on Time Machine, and moves with a standard restore or system migration. His suggestion of a third-party app really just needs to be changed to better handling of stored passwords in Firefox.
And that goes without saying things like OpenID or equivalents. Ideally you just have one Very Trusted person to give a password to. (Of course OpenID has its own share of problems.)
A few years ago, Ka-Ping Yee wrote http://passpet.org/ with my assistance. Unfortunately we never got it to the point of being really released as such, although the darcs repository is available. It's a variant of the sha1(sitename + secret) approach that's been mentioned in other comments, with some extra features to improve its strength against phishing and password-guessing attacks.
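The sha1(sitename + secret) derivation mentioned here, and the bookmarklet in the earlier comment that turns one master password into a per-site password, both rest on the same idea: a deterministic function of (site, master secret). The following is an added example written for this thread, not Passpet's code nor the bookmarklet's; the hardened variant (hostname normalization, PBKDF2-HMAC-SHA256 with the site as salt, the iteration count) is my own choice of construction, not a description of what Passpet does. It shows two weaknesses of the bare concatenation scheme that a practitioner would want to see: the site/secret boundary is ambiguous ("ab"+"c" and "a"+"bc" produce the same password), and a single fast hash gives an attacker who recovers one derived password a cheap offline guessing target. Normalizing to the hostname means a look-alike phishing domain derives a different password than the real site.

```python
import base64
import hashlib
from urllib.parse import urlparse


def naive_site_password(site: str, secret: str, length: int = 12) -> str:
    """The bare sha1(sitename + secret) scheme as described in the thread.

    Weaknesses demonstrated below: no separator between site and secret, and a
    single unsalted, unstretched SHA-1 that is cheap to guess against offline.
    """
    digest = hashlib.sha1((site + secret).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def canonical_site(url_or_host: str) -> str:
    """Normalize whatever the user pasted (full URL or bare host) to a lowercase
    hostname. Because the hostname is the salt, 'examp1e.com' or
    'example.com.evil.test' derives a different password than 'example.com',
    so a phishing page receives a password that is useless on the real site."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "https://" + s
    host = urlparse(s).hostname or ""
    return host.lower().rstrip(".")


def hardened_site_password(url_or_host: str, secret: str,
                           length: int = 16, iterations: int = 100_000) -> str:
    """Keyed, stretched derivation (my construction, an assumption for this
    example): PBKDF2-HMAC-SHA256 with the master secret as the password and the
    canonical hostname as the salt. HMAC keeps site and secret in separate
    roles, and the iteration count makes offline guessing of a leaked derived
    password far more expensive than one SHA-1 call per guess."""
    site = canonical_site(url_or_host)
    key = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                              site.encode("utf-8"), iterations, dklen=32)
    return base64.b64encode(key).decode("ascii")[:length]


def boundary_collision(site_a: str, secret_a: str,
                       site_b: str, secret_b: str) -> bool:
    """True when the naive scheme yields the same password for two different
    (site, secret) pairs whose concatenations coincide."""
    return naive_site_password(site_a, secret_a) == naive_site_password(site_b, secret_b)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    for target in ("https://www.example.com/login", "WWW.EXAMPLE.COM",
                   "examp1e.com", "example.com.evil.test"):
        print(f"{target:32} -> {hardened_site_password(target, master)}")
    # Ambiguous boundary in the naive scheme: ("ab","c") and ("a","bc") collide.
    print("naive collision:", boundary_collision("ab", "c", "a", "bc"))
```

Only the hostname of the URL is used as the salt, so the same site reached through different paths or capitalization yields the same password, while any other registered domain, including a look-alike, yields a different one.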
Shameless plug: check out my "memengo wallet" http://www.memengo.com/?src=hackernews - it's a password organizer for iPhone with optional sync to, and editing from the cloud. Client-side AES encryption and server-side AWS S3 backups every 30 minutes.
Bottom line is that your passwords are always with you - either on your iPhone, or (in a pinch) on any nearby PC with a web browser.
I haven't, but one nice thing about 1Passwd is that I'm pretty sure that even if you don't use .mac it puts your passwords on your iPhone (if you have one) with 1Passwd Touch for use when you're away from your computer.
Overall it looks like a pretty nice app, and I like that it works across browsers and makes it so easy to retrieve your passwords.
I really don't like the reliance on .mac for syncing between computers though. I feel that .mac is totally overpriced.
The good news is that you don't have to use .mac to sync: it works just fine with Dropbox (and I don't see any reason why it wouldn't with other sync systems).
To be honest, I don't use the iPhone app so much, mostly because I would still have to type my primary password there and it's not convenient on the screen keyboard. Also it uses a custom browser (or a browser element inside the app) and not the regular Safari. That can be an issue for some sites. But I still have it in case I need access to one of my randomly-generated passwords.
So the flaw is that if one site is hacked, all the sites are hacked? And because of that, people will start sending spam from my account?
That argument does not make sense. Most sites do not send things out using my name, and those that do have very limited options for spammers. For example flickr, or Hacker News.
I use the same pseudonym for several sites, some of which have my email address in my profile. If I was using the same password for all of them, access to any would mean I was compromised.
I certainly wouldn't consider "they may know my password, but they'll never guess my email address" to be reasonable security.