Like most people, I have hundreds of accounts for various websites, software, and services.  Unlike most, I have a unique, strong password for each site – and can remember every single one.  In essence, I take the name of the site, run it through a standard mental algorithm that also does a little encryption, and use that as the password.

This means I never have to use a password manager, have many unique passwords, and can even “guess” my password for accounts that I haven’t logged into in years.  There are many security benefits to having unique, strong passwords for all your accounts.

Here’s how to do it:

1. Take the “title” or “name” of the website, company, or service – whichever jumps out at you first.

Example: We’re going to use Yahoo, located at www.yahoo.com.  The name and URL of this website are pretty obvious – so the word “yahoo” is what we’ll start with.

2. Choose a length.

Many sites will enforce a 6 or 8 character minimum, so I’d recommend something at or above 8 characters.

Example: Let’s choose 10 characters for our Yahoo password.  At this point, we have 10 blanks to fill in: __________

3. Begin the algorithm.

What you want, ultimately, is to use some of the characters from the site name, transformed enough to be difficult to decipher, mixed in with various other characters to form a strong, random, and yet recreatable password.

Example: We’ll start by using the last letter of the name to fill in the first blank, and the first letter of the name to fill in the second blank.  In the case of yahoo, we now have oy________.  In my opinion this is still too easy to crack, so let’s take the third letter of the name, increment it by one letter, and use it for the last letter of our password.  For yahoo, the third letter is ‘h’, which becomes ‘i’ when we go up one alphabetically.  Now, we have oy_______i.

4. Fill in the blanks, using alphanumeric, capital, and non-alphanumeric characters.

Capitals, numbers, and non-alphanumerics greatly increase the strength of your password by using a larger set of choices.  Keep in mind that these characters will be the same in every password you have.

Example: I’ll use the last four digits of an old phone number but hold down the shift key to produce some tough characters.  The number is 4321, so holding shift while typing these produces “$#@!”.  Now our password is oy$#@!___i.

I’ll add some capitals and a number that I’ll remember – 2EZ.  Our finished password is: oy$#@!2EZi

5. Repeat, repeat, repeat!

Keep using this technique for all your passwords, using the same algorithm each time.

Example: Our algorithm might sound complicated, but is memorized quickly.  Last letter of the product, first letter of the product, $#@!2EZ, third letter of the product incremented up one.  It becomes clockwork.

6. Remember…

Be creative in your algorithm, keep the fact that you even use one a secret, and make sure the “variable” letters are tough to determine.  If I host a random site called www.blah.com and I see your password in my database is “halb1234”, your algorithm will not be that tough to figure out!

Once you have put this technique to full use, upon arriving at a site, your account password is simple to recreate by using the same algorithm.
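As an added illustration (not code from the original post), here is the walk-through above written out in Python: `derive_password` implements steps 3 and 4 exactly as described for “yahoo”, and `fixed_fraction` measures the point of step 6, namely how much of any two derived passwords is the same fixed fill.  The wrap from ‘z’ back to ‘a’ in `shift_letter` is an assumption the post does not state.

```python
import string

# Constructed example constant taken from the post's walk-through ("$#@!2EZ").
# Anyone using the technique would choose their own and keep it secret.
FIXED_FILL = "$#@!2EZ"


def shift_letter(ch: str, n: int = 1) -> str:
    """Move a letter n places up the alphabet (wrapping z -> a is an assumption)."""
    letters = string.ascii_lowercase
    return letters[(letters.index(ch.lower()) + n) % len(letters)]


def derive_password(site_name: str, fill: str = FIXED_FILL) -> str:
    """Steps 3-4 of the post: last letter, first letter, fixed fill, third letter + 1."""
    name = "".join(c for c in site_name.lower() if c.isalpha())
    if len(name) < 3:
        raise ValueError("site name needs at least three letters")
    return name[-1] + name[0] + fill + shift_letter(name[2])


def longest_common_substring(a: str, b: str) -> str:
    """Plain dynamic-programming longest common substring over characters."""
    best_end, best_len = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def fixed_fraction(site_a: str, site_b: str, fill: str = FIXED_FILL) -> float:
    """Share of a derived password that is identical between two sites (the step 6 caveat)."""
    pw_a, pw_b = derive_password(site_a, fill), derive_password(site_b, fill)
    return len(longest_common_substring(pw_a, pw_b)) / len(pw_a)


if __name__ == "__main__":
    print(derive_password("yahoo"))           # oy$#@!2EZi, as in the post
    print(fixed_fraction("yahoo", "google"))  # 0.7
```

With the post’s own parameters, 7 of the 10 characters are the same on every site, which is why step 6 matters: one exposed password reveals most of every other one.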

15 Responses

  1. Martin

    I use a similar approach myself, but using l33t instead of the “shift key” trick. It works great but over time I noticed a drawback to this method: many sites (and particularly banks and credit card accounts, which you’d think should know better!) will not accept symbols – or even worse, will enforce a particular arbitrary password length. When this happens, you have a problem as the algorithm suddenly doesn’t work for that particular site. So you create another “simpler” algorithm that uses only letters and numbers… and from then on, you’re confused about which algorithm you used for which case!

    This should not be viewed as a criticism of the method but rather a finger-pointing at all these stupid “secure” banks that want to keep their logins dummyproof by not accepting symbols.
    My “favorite” is one large corporation that will stubbornly require a login password of exactly 7 digits and including exactly 2 letters… now how do I bend my patiently thought-out algorithm to this requirement?! Idiots.

  2. Loren

    I run into the exact same problem.. actually I have a “simple” algorithm for the dumbed down ones and a “secure” one for the better sites.

    Working in web security, it’s starting to become apparent that ultra strong passwords may not even be necessary in the future. Brute force attempts to guess passwords aren’t really the method that hackers are using any more. Keyloggers, spoofing the DNS, and phishing will get your password no matter how unique or secure it is.

  3. Billy Doyle

    Thanks! This is much appreciated. I’m using the Password Hasher extension for Firefox, but I’ve been using Chrome lately. It doesn’t support the extension, so I have to go to the website for password hasher to get my password back every time.

    This will hopefully solve the problem!
    Billy

  4. Rotaluclac

    The shift-numerals trick will fail once you travel to a different country. For example, on a German keyboard, Shift-8 produces ( instead of *.

    Rotaluclac

  5. Loren

    @Rotaluclac
    That’s a good point. Shift + numbers must be a domestic algorithm only (unless you memorize the characters it really outputs).

  6. Timo

    @Rotaluclac and Loren

    You don’t have to memorize.
    Being abroad you can look for your local keyboard lay-out online.
    For example, you find a lot of them at Wikipedia.
    http://en.wikipedia.org/wiki/Keyboard_layout

  7. Jury

    Good idea, but how do you deal with the fact that you need to change some passwords, say every 3 months, and you are not allowed to use the same words? I hope you have another trick up your sleeve ;-)
    Grtz, JB.

  8. bart

    @Timo, Rotaluclac and Loren

    Even better: configure the PC abroad to use your local keyboard settings and type blind.

    Got the same problem with my bank as mentioned by Martin. The worst thing: I only use it once or twice a year, so I have to request a password by mail each time or write it down… now that’s security!

  9. Loren

    @Jury
    All you need is a few algorithms and a good memory. I’ve been using this for years, so it gets easier. There are certainly times where I have to hit “Forgot Password”, but overall it works well (and it doesn’t require any external system).

  10. Sorenson

    In reply to Jury (#7) and Loren (#9): The company I work at compels us to change the password every 60 days, and prevents us from reusing any previous passwords. It is also recommended that passwords of banks etc. be changed periodically, for added security. So unless the passwords of your *every* internet account are changed around the same time, you’ll end up with many algorithms … That’s as bad as having to remember many passwords. The algorithmic approach is good only if there are a few passwords, but fails if many passwords have to be maintained.
