There are some critical security threats: People should be able to understand/know which sites they should register this way.. If user registers her/himself to one or more malicious site(s) which/thar is/are set up to collect usernames and passwords, the owner of the malicious site (or a bot) may try to crack passwords againts other sites by finding and removing added characters of step 2 and adding new characters:

If malicious site is for example http://www.malicious.xxx, and user has registered with a password ‘mihwtmptr’, it is pretty obvious that the added character is ‘m’. If the user has registered also to http://www.safe.xxx, ofcourse at the first time the password collector tries ’sihwtmptr’ as password

There is always also a change that usernames and passwords of sites or services get lost (usually in md5) and are published, as we have seen too many times… And, as we have also seen, people use same too short passwords and usernames in different pages, and because of this real passwords have been calculated “from md5″.

If usernames and passwords get lost and are published, this method gives more security, because md5 sums of passwords are not similar. But if plain text passwords are stolen (by malicious sites or somehow) and characters of step 2 have been taken directly for example from page’s url or service’s name, this method does not help much. It of course makes cracker life harder, because the same password does not fit everywhere. But it is possible that passwords of two or more different pages are stolen and/or published in plain text, and then guessing the method of step 2 may be pretty easy.

So, some ideas: People should use also different usernames (which is not an option, because people want to use same usernames everywhere:) Using different usernames also not completely remove the problem. If parts of passwords remain same but usernames differ, and these have been got lost and maybe published, crackers may just find passwords with same stubs (in this case ‘ihwtmptr’), collect different usernames and test them all against other pages.

Also do not take letters directly from the name of the pages, f is not good for facebook, use instead letters next to the f, for example d or g or something else that does not directly tell the cracker the method of step 2.

For “not so crusial sites” this is a very good method to remember passwords, but people should not use this method in every page!

Do not use this ‘ihwtmptr’ anywhere, invent your own and use also numbers and capitals.

I just need to point out, that the forumla should not be too easy to figure out with just looking at a few known passwords. So adding more variables that are not so easy to spot helps.

What I hate is when sites have bogus requirements for your passwords (like case, or numbers, or special characters). It’s impossible to make a single phrase that works for any account. I like having a secure password, but some sites don’t allow special characters, and some require them.

@Will
Then the only thing that changes is the number sequence at the end, and you’re forced to remember numbers rather than an actual password.

That said, you should simply demand OpenID: http://demand.openid.net/

PS: I’ve been thinking about a site like this (ideas, solutions) for years, congrats for making it your reality!