At the same time though, it’s one more thing to lose, or forget. If you don’t remember your password and rely on the card, and then lose the card, or have a changed one, or forget the placement then you’re back to requesting your password frequently.

I find, at least for me, that if you make a memorable sequence of passwords, with a memorable cypher you’re good to go for the forseeable future and get lots of passwords out of it for various things that are easier for the mind to remember because they’re contextual. Ever since I put a similar system in place for myself I haven’t forgotten a single password, though sometimes I’ll put in the wrong one at first.

http://passwordcard.org/

It generates a unique password card with which you can pick extremely secure passwords. You can regenerate the card if you need to, and even if a thief gets the physical card they won’t get anything useful from it.

Changing the cypher. I sort of evolve mine on a regular basis. Add a letter, change a letter, etc. I think it’s more important to change the overall passwords rather than the cypher. If you pick something non-personal in a sequence (like if you don’t like baseball but use baseball team names) then it’s not a security risk for being personal subject matter like say your children’s names.

Of course yes, if someone guesses your sequence, and then guesses your full cypher you could be in trouble, but the chances of that happening are getting into pretty low odd territory, particularly if no specific password contains the full cypher.

I think changing the cypher as frequently as possible would be the optimal security, but I think that would make most people’s heads explodez. I’d rather they just use one cypher and have a decent password rather than their dog’s name.

Security questions and answers I do something different. If they ask you the set questions, which I hate….bad bad bad security… I have set fake answers. No I’m not going to give you my mother’s maiden name. No I’m not going to tell you where I was born. However when it lets YOU ask the question and set the answer then I put in a contradictory question, and answer it in cypher.

Such as “What does the sun provide?” Answer = “D&rk|\|#ss”

I would add a few things:

1. Like many things, practice makes perfect. Practice typing your password on the device(s) you use most (laptops, phones, etc), until you are comfortable with it. The practice will also increase your muscle memory. Once you are comfortable, only then change your passwords—if you haven’t practiced, it will only make it harder the first few times you have to actually use it!

2. Change your cypher on a regular schedule. I do mine yearly—what do you suggest?

3. Apply the same logic when sites ask you for a security question and answer, although that could be overkill for some people!