Coping with the Avalanche of IDs and Passwords?

Bitwick asks: "The number of web sites and other systems I need IDs and passwords for is finally becoming overwhelming. Right now, I tend to use a small selection of IDs and passwords. I know this isn't an ideal situation, but so far it has been the most practical. However, it has become clear to me that this needs to change. I am planning to get a USB keyfob and a password manager to keep track of my IDs and passwords. What experience have you had with password managers? What's good, what's bad, what features are important? Are there other reasonable and secure alternatives?"

My strategy: MD5

[stewartj]

I used to use a USB key with a list of sites, usernames and passwords on it. All protected using a secure zip drive. It became a pain in the ass to get the passwords out, so I gave up. It also concerned me as a single point of vulnerability (if someone stole it and cracked it they have access to my life).

So now instead I use this algorithm:

$password = MD5($sitename . $single_password)

So I don't have any passwords written down, just the single global password in my head along with the algorithm. There's an MD5 calculator on every UNIX system, and there's javascript ones available on the web too.

The benefits of this system:

• I don't have to remember any passwords except my one global one
• I don't have a list of passwords written down anywhere or on a USB key, so i'm not vulnerable
• It's quick and easy to generate a new password for a new site
• If someone gets a hold of one of my passwords they can't use it to guess passwords on other sites.
• My passwords are 32 character random-looking strings, so they're virtually uncrackable.

Some websites don't support 32 character passwords, for those I just use the first 10 or 20 characters of the MD5 hash.