Password Algorithms: Create and Remember Unique Passwords for Every Account

Like most people, I have hundreds of accounts for various websites, software, and services.  Unlike most, I have a unique, strong password for each site – and can remember every single one.  In essence, I take the name of the site, run it through a standard mental algorithm that also does a little encryption, and use that as the password.

This means I never have to use a password manager, have many unique passwords, and can even “guess” my password for accounts that I haven’t logged into in years.  There are many security benefits to having unique, strong passwords for all your accounts.

Here’s how to do it:

1. Take the “title” or “name” of the website, company, or service – whichever jumps out at you first.

Example: We’re going to use Yahoo, located at www.yahoo.com.  The name and URL of this website are pretty obvious – so the word “yahoo” is what we’ll start with.

2. Choose a length.

Many sites will enforce a 6 or 8 character minimum, so I’d recommend something at or above 8 characters.

Example: Let’s choose 10 characters for our Yahoo password.  At this point, we have 10 blanks to fill in: __________

3. Begin the algorithm.

What you want, ultimately, is to use some of the characters from the site name, transformed enough to be difficult to decipher, mixed in with various other characters to form a strong, random, and yet recreatable password.

Example: We’ll start by using the last letter of the name to fill in the first blank, and the first letter of the name to fill in the second blank.  In the case of yahoo, we now have oy________.  In my opinion this is still too easy to crack, so let’s take the third letter of the name, increment it by one letter, and use it for the last letter of our password.  For yahoo, the third letter is ‘h’, which becomes ‘i’ when we go up one alphabetically.  Now we have oy_______i.

4. Fill in the blanks, using alphanumeric, capital, and non-alphanumeric characters.

Capitals, numbers, and non-alphanumerics greatly increase the strength of your password by using a larger set of choices.  Keep in mind that these characters will be the same in every password you have.

Example: I’ll use the last four digits of an old phone number but hold down the shift key to produce some tough characters.  The number is 4321, so holding shift while typing these produces “$#@!”.  Now our password is oy$#@!___i

I’ll add a caps and number that I’ll remember – 2EZ.  Our finished password is: oy$#@!2EZi

5. Repeat, repeat, repeat!

Keep using this technique for all your passwords, using the same algorithm each time.

Example:  Our algorithm might sound complicated, but is memorized quickly.  Last letter of the product, first letter of the product, $#@!2EZ, third letter of the product incremented up one.  It becomes clockwork.

6. Remember…

Be creative in your algorithm, keep the fact that you even use one a secret, and make sure the “variable” letters are tough to determine.  If I host a random site called www.blah.com and I see your password in my database is “halb1234”, your algorithm will not be that tough to figure out!

Once you have put this technique to full use, upon arriving at a site, your account password is simple to recreate by using the same algorithm.
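As an added example (not code from the original post), here are steps 1 to 4 written out in Python with the post’s own values: last letter, first letter, the fixed filler `$#@!2EZ`, then the third letter moved up one. How a URL is reduced to a name (drop the scheme, the path and a leading `www.`, keep the first label), the wrap from `z` back to `a`, and the three-letter minimum are assumptions of this example that the post does not spell out. The last function reports which positions actually change from site to site, which is the part of each password that is unique to the account.

```python
import re

# The post's fixed middle: shift-typed 4321 ("$#@!") followed by "2EZ".
FILLER = "$#@!2EZ"


def site_name(url):
    """Reduce a URL or host name to the bare site name, e.g. 'www.yahoo.com' -> 'yahoo'.

    The post only says to take whichever name jumps out at you; dropping the scheme,
    the path, a leading 'www.' and everything from the first dot onward is this
    example's assumption about how to do that consistently.
    """
    host = re.sub(r"^[a-z]+://", "", url.strip().lower())
    host = host.split("/")[0]
    if host.startswith("www."):
        host = host[len("www."):]
    label = host.split(".")[0]
    return "".join(ch for ch in label if ch.isalpha())


def increment_letter(ch):
    """Step 3: move one letter up the alphabet. Wrapping 'z' to 'a' is an assumption;
    the post never reaches the end of the alphabet."""
    return "a" if ch == "z" else chr(ord(ch) + 1)


def derive_password(url, filler=FILLER):
    """Steps 1-4: last letter, first letter, the fixed filler, third letter plus one."""
    name = site_name(url)
    if len(name) < 3:
        raise ValueError("the rule needs at least three letters in the site name")
    return name[-1] + name[0] + filler + increment_letter(name[2])


def site_dependent_positions(*urls):
    """Indexes at which the derived passwords differ across the given sites.

    Every other position holds the filler, which is identical in all of them, so
    this is the part of each password that is actually unique to the account.
    """
    pws = [derive_password(u) for u in urls]
    return [i for i in range(len(pws[0])) if len({pw[i] for pw in pws}) > 1]


if __name__ == "__main__":
    sites = ("www.yahoo.com", "https://www.blah.com/login", "zzz.org")
    for s in sites:
        print(f"{s:28} -> {derive_password(s)}")
    print("positions that vary between sites:", site_dependent_positions(*sites))
```

Run as a script it reproduces the post’s `oy$#@!2EZi` for Yahoo and shows that, with a ten-character password built this way, only positions 0, 1 and 9 ever differ between accounts; the other seven are shared by all of them.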

  • Martin

    I use a similar approach myself, but using l33t instead of the “shift key” trick. It works great but over time I noticed a drawback to this method: many sites (and particularly banks and credit card accounts, which you’d think should know better!) will not accept symbols – or even worse, will enforce a particular arbitrary password length. When this happens, you have a problem as the algorithm suddenly doesn’t work for that particular site. So you create another “simpler” algorithm that uses only letters and numbers… and from then on, you’re confused about which algorithm you used for which case!

    This should not be viewed as a criticism of the method but rather a finger-pointing at all these stupid “secure” banks that want to keep their logins dummyproof by not accepting symbols.
    My “favorite” is one large corporation that will stubbornly require a login password of exactly 7 digits and including exactly 2 letters… now how do I bend my patiently thought-out algorithm to this requirement?! Idiots.

  • Loren

I run into the exact same problem... Actually I have a “simple” algorithm for the dumbed-down ones and a “secure” one for the better sites.

    Working in web security, it’s starting to become apparent that ultra strong passwords may not even be necessary in the future. Brute force attempts to guess passwords aren’t really the method that hackers are using any more. Keyloggers, spoofing the DNS, and phishing will get your password no matter how unique or secure it is.

  • Billy Doyle

    Thanks! This is much appreciated. I’m using the Password Hasher extension for Firefox, but I’ve been using Chrome lately. It doesn’t support the extension, so I have to go to the website for password hasher to get my password back every time.

    This will hopefully solve the problem!
    Billy

  • http://rotaluclac.eu/ Rotaluclac

    The shift-numerals trick will fail once you travel to a different country. For example, on a German keyboard, Shift-8 produces ( instead of *.

    Rotaluclac

  • http://acleandesign.com Loren

    @Rotaluclac
    That’s a good point. Shift + numbers must be a domestic algorithm only (unless you memorize the characters it really outputs).

  • Pingback: Kuehleborn’s world

  • http://www.longtails.nl Timo

@Rotaluclac and Loren

You don’t have to memorize.
    Being abroad you can look up your local keyboard layout online.
    For example, you find a lot of them at Wikipedia.
    http://en.wikipedia.org/wiki/Keyboard_layout

  • Jury

Good idea, but how do you deal with the fact that you need to change some passwords, say every 3 months, and you are not allowed to use the same words? I hope you have another trick up your sleeve ;-)
    Grtz, JB.

  • bart

@Timo, Rotaluclac and Loren

    Even better: configure the PC abroad to use your local keyboard settings and type blind.

    Got the same problem with my bank as mentioned by Martin. The worst thing: I only use it once or twice a year, so I have to request a password by mail each time or write it down… now that’s security!

  • http://acleandesign.com Loren

    @Jury
    All you need is a few algorithms and a good memory. I’ve been using this for years, so it gets easier. There are certainly times where I have to hit “Forgot Password”, but overall it works well (and it doesn’t require any external system).

  • Pingback: Change your passwords often — QuitStalkingMe.com

  • Sorenson

In reply to Jury (#7) and Loren (#9): The company I work at compels us to change the password every 60 days, and prevents us from reusing any previous passwords. It is also recommended that passwords of banks etc. be changed periodically, for added security. So unless the passwords of your *every* internet account are changed around the same time, you’ll end up with many algorithms … That’s as bad as having to remember many passwords. The algorithmic approach is good only if there are a few passwords, but fails if many passwords have to be maintained.

  • Pingback: Beef: Usernames are a Terrible Login Requirement | A Clean Design

  • Pingback: Passwords « Kuehleborn’s World

  • Pingback: Een wachtwoord is geen wachtwoord | Mindbus

  • Pingback: How do you manage your passwords? » webmztriss

  • Pingback: reason for frustration

  • Gerwin

Don’t have an algorithm myself…

    but an interesting one could be:

    First 6 characters of the web address (aclean) and then type it this way: svkrsb. Now it’s your turn to guess how I got it :)

  • Gerwin

    Sorenson on Mar 1st, 2009 said:
Just remember an algorithm and make a last optional character called 1. Fill this character in only where passwords need to change. Make the 1 for the next period a 2 and the next period a 3… and so on.

    (instead of 1, 2, 3.. you can make it a b c, !@# QWE or whatever you want)

  • IJsbrand

There are problems if a password has restrictions (I met this several times). Several sites don’t allow some special characters.

  • http://www.neotenyservicedesign.com.au/ Neoteny

I agree about that! I met that situation many times and it takes too many times to make my password back every time I made it! However, this site gives me more info about that kind of problem, and it calls my attention to visit it again for more new types of info.

  • http://seangates.com Sean Gates

    Here is a quick set of PHP code to do your algorithm above. Enjoy!
    1) { // if you go beyond z or Z reset to a or A
    $next_char = $next_char[0];
    }
    $new_password = substr($website, -1, 1).substr($website, 0, 1).’$#@!’.$next_char;
    echo $new_password;
    ?>

  • http://seangates.com Sean Gates

    Oops, your filter broke it. Here it is again with entities:

<?php
    // Site name from the query string, e.g. ?website=yahoo.com
    $website = $_GET['website'];
    // Drop a leading "www." so that www.yahoo.com yields "yahoo", not "www"
    $website = preg_replace('/^www\./i', '', $website);
    $website = explode('.', $website);
    $website = $website[0];
    $next_char = substr($website, 2, 1);
    $next_char++; // PHP string increment: 'h' becomes 'i', 'z' becomes 'aa'
    if (strlen($next_char) > 1) { // if you go beyond z or Z reset to a or A
        $next_char = $next_char[0];
    }
    // last letter . first letter . fixed filler from the post . third letter + 1
    $new_password = substr($website, -1, 1).substr($website, 0, 1).'$#@!2EZ'.$next_char;
    echo $new_password;
    ?>

  • joe

    @gerwin

    nice try – all keys typed with the left hand move one key over to the right, all keys typed with the right hand move one key left

    thus qwert becomes werty and poiu becomes oiuy

    Don’t really think this is the way though – it’s pretty obvious (if you use dictionary words) and would probably lead to you thinking you are secure.

    My personal way is to use a song or book I like (and that the site reminds me of in some way) and use that and some figures. This way, (like a mnemonic) I remember the site’s password by association to a song. Then I use the first letters of every word in the title and a number that fits with the site. If necessary, I then can separate the numbers and the letters with some chosen punctuation mark (which I tend to keep the same). This gets around simple minded security requirements.

Of course, I now have to remember the song or title of the book for the site, but that is a lot easier (and less hazardous to noting down if Alzheimer’s starts to kick in) than remembering a random hash.

    Thus an example may be: Pride and Prejudice, by Jane Austen (written in 1813)

    PaPbJA!1813 (gives me a long version) or
    PaP!1813 (gives me a short version) or
    PaP1813 (gives me an “insecure” version)

    Hope this helps

    Joe

  • Anonymous

    All great advice. However, it could still get confusing once you have many different ones to remember. I say, use these mnemonic tricks to develop one, really good, password.

    Then use a password utility program to store ALL of your other passwords, encrypted with that REALLY GOOD one. Now, you don’t even need to know your passwords. You make them completely random, 15 char or so. You never see them, just decrypt, then cut and paste. In real use, it is easier than using a couple of weak passwords.

    You can even put that encrypted file somewhere where you can find it (think web space, or even email), hell you can even use the same program on your smart phone if you choose wisely.

    Also, read this xkcd and realize the scale of the problem: http://xkcd.com/936/
    and this one: http://xkcd.com/792/

Realize that the second puts a huge hole in the password customization scheme. Once someone has phished one password, if they realize you are using a scheme, it is down to guessing the small unique part.

    Since you can’t rely on websites being secure, totally random is a huge win.

  • HikingStick

Late (but hopefully helpful) addition:  Add the fact that you’ll need to change the password regularly to your algorithm.  Don’t be as simple as prefixing your password with a date code, but find something meaningful at the time, that you’ll remember for the next three months.  As an example, if you were just on a trip, add a keyword that ties to your memory of the trip to some part of your password (front, middle, or end).  E.g., changing it in January, I might think of a recent sledding trip.  Thus, for three months my password could be “sled” plus the rest of my complex password.

  • HikingStick

The nice thing about some OSes is that they will let you have very long passwords.  In such cases (or when securing password locker software), I like to use uncommon snippets of prose, including all spaces, capitalization, and punctuation.

    For one, recently, I used a passage from The Hobbit.  If you do use such a method, however, you need to avoid the most common passages (e.g., “In a hole in the ground there lived a hobbit.”).  Pair such a passphrase with even a small clump of complex characters at the fore or the rear, and even someone who figures out your passage won’t be able to crack it (in any immediate time scale).

  • Creata Indiana

    What if you use a password that is in fact related to a thing that happened on a certain date of the year and cannot be confused for any other event and add a random pin to it? Then you write down someplace “password changed for account…” and you remember the password with ease.
    The difficult thing would be to find a memorable event that is unique and easy to remember…..

  • http://www.technostall.com/ Chankey Pathak

    This is a cool idea. I’m gonna follow the same, will code it in Perl. Thanks for the algo :)

  • Timothy S

    The same as written above – left-hand keys shifted one to the right, right-hand keys shifted one to the left. Which works for all the keys except “b”, since it is equally accessible to both L and R hands.
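Gerwin’s `svkrsb` puzzle, joe’s answer to it and Timothy S’s note about `b` all describe the same transform. As an added example (not code from any of the commenters), here it is for a US QWERTY layout in Python: left-hand keys move one position to the right along their row, right-hand keys one position to the left. Which hand types which key is this example’s assumption, as is leaving `b` and non-letters untouched. The reverse function makes joe’s point concrete: the shift is a fixed letter-for-letter substitution, so the original is recovered character by character. The only ambiguity sits where the two hands meet on a row (`t`/`y`, `g`/`h`, and `v`/`n` onto `b`), which is also where Timothy’s `b` problem comes from.

```python
# US QWERTY rows, and which hand normally types each key (an assumption of this example;
# 'b' sits between the hands and is listed under neither, which is Timothy S's point).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
LEFT_HAND = set("qwertasdfgzxcv")
RIGHT_HAND = set("yuiophjklnm")


def _build_forward_map():
    """Left-hand keys shift one position right along their row, right-hand keys one left."""
    fwd = {}
    for row in ROWS:
        for i, ch in enumerate(row):
            if ch in LEFT_HAND:
                fwd[ch] = row[i + 1]
            elif ch in RIGHT_HAND:
                fwd[ch] = row[i - 1]
    return fwd


FORWARD = _build_forward_map()


def hand_shift(text):
    """Apply the shift. Characters with no rule ('b', digits, punctuation) pass through."""
    return "".join(FORWARD.get(ch, ch) for ch in text.lower())


def hand_unshift(text):
    """Every plaintext that could have produced `text`.

    The shift is a fixed substitution, so most output letters have exactly one
    pre-image. Where the two hands meet on a row two keys land on the same letter
    ('r' and 'y' both give 't', 'f' and 'h' both give 'g', 'v' and 'n' both give 'b'),
    and an untouched 'b' stays 'b', so the result is the list of all candidates.
    """
    inverse = {}
    for src, dst in FORWARD.items():
        inverse.setdefault(dst, []).append(src)
    candidates = [""]
    for ch in text:
        options = list(inverse.get(ch, []))
        if ch not in FORWARD:  # a character the shift leaves alone is its own pre-image
            options.append(ch)
        candidates = [c + o for c in candidates for o in options]
    return candidates


if __name__ == "__main__":
    for word in ("aclean", "qwert", "poiu"):
        print(f"{word} -> {hand_shift(word)}")
    print("possible originals of svkrsb:", hand_unshift("svkrsb"))
```

Run as a script it reproduces the three encodings the commenters give and lists the three strings that could have produced `svkrsb`; only the final `b` is uncertain, and everything else falls straight out of the table.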

  • Timothy S

    Often this is the case at companies. And there will be a limit to how many previous passwords they keep track of. My brother at Microsoft experienced this, and so he and some friends in his group figured out that the limit there was the previous 40 passwords. So they wrote a program to change the password 40 times (to random passwords), and then on the 41st change it back to the original password.