Intel How Strong is Your Password page, good advice?
Yes, you are right. Using a pool of passwords is definitely recommended, but the passwords should not follow a pattern; but that is how we think (we are security guys). Maybe the writer was thinking from a common user's point of view, because most common users simply don't want the headache of remembering multiple passwords, and having a common pattern in all the passwords may encourage them to use different passwords, because now the passwords are much easier to remember (and easier to guess by a smart hacker).
I personally prefer to maintain a pool of passwords. Nowadays you have to create an account with a number of random websites and you don't know how they are handling your passwords. I remember once on a job portal (read monster.com) I clicked on "forgot password" and then they mailed me my original password in plain text (they are still doing it!!!). Here in our community we have some great discussions on password management, but there are people out there who do not care for your security.
One should never use his bank-related and other important passwords anywhere else. You can always remember a comparatively simpler password for these random websites.
Yes, using different passwords for different sites is a good idea.
Yes, having a common theme which you use to generate your passwords is ok, with two caveats. It must not be so stupidly easy to guess as the one suggested by the Intel site. You MUST keep it a secret.
The best solution of course is to just remember one long, highly random password which will grant you access to a password safe containing randomly generated passwords for your different accounts. Various solutions like LastPass or KeePass exist and work well.
See this Ars Technica article for a nice insight into how horrible that Intel site actually is.
Not the best advice ever, true, but I guess we should be grateful for any help from the big players in trying to raise public awareness regarding password security.
Your concern regarding the 3rd step is justified, though. We should expect better from names like Intel. If you'd take their advice too literally, all that is needed for all your passwords to be compromised is to use one such iteration on an untrusted or compromised website, and an attacker could easily anticipate all other passwords you use with other services. This is an oversight on Intel's part and their advice should indeed be questioned.
Another questionable choice is also the way the password check works - there is absolutely no need to type it two times and then press a button. Even if they mention it won't be sent and the password strength will be calculated on the client side, this could be further emphasised by a user interface that calculates password strength as we type, clearly showing the presence of a client-side script involved in these calculations. I find their choice rather peculiar, to be honest.
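As an added illustration of the as-you-type, client-side check suggested in the answer above (this is example code, not the Intel page's script nor anything posted by the answerers), the following estimator recomputes a brute-force entropy figure on every keystroke and never submits the password anywhere. The element ids `pw` and `meter`, the strength thresholds and the tiny denylist are all assumptions chosen for the example.

```javascript
// Added example: client-side password strength estimate recomputed per keystroke.
// It measures only brute-force keyspace (plus a tiny denylist); it does not
// model dictionary or pattern guessability, so treat the number as a floor.

// Constructed denylist of a few notoriously common passwords (assumption).
const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein']);

// Size of the alphabet an attacker would have to search, by character class.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 33; // printable ASCII symbols
  return size;
}

// Estimated bits = effective length * log2(alphabet size).
function estimateBits(password) {
  if (!password || COMMON_PASSWORDS.has(password.toLowerCase())) return 0;
  // Collapse runs of one repeated character ("aaaa" -> "a") so they add nothing.
  const collapsed = password.replace(/(.)\1+/g, '$1');
  return Math.round(collapsed.length * Math.log2(charsetSize(password)));
}

// Illustrative thresholds (assumption), not a standard.
function strengthLabel(bits) {
  if (bits < 28) return 'very weak';
  if (bits < 36) return 'weak';
  if (bits < 60) return 'reasonable';
  return 'strong';
}

function evaluate(password) {
  const bits = estimateBits(password);
  return { bits, label: strengthLabel(bits) };
}

// In a browser: update the meter on every 'input' event, no button, no network.
if (typeof document !== 'undefined') {
  const input = document.getElementById('pw');
  const meter = document.getElementById('meter');
  if (input && meter) {
    input.addEventListener('input', () => {
      const { bits, label } = evaluate(input.value);
      meter.textContent = `${label} (~${bits} bits)`;
    });
  }
}
```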