How To Easily Remember A Different Password For Every Site

Everyone knows that one of the best ways to protect yourself from online security disasters is to use a different password for each account. But do you do it? Probably not, because at first glance it looks like an unreasonable burden, having to either remember dozens of unique passwords or having to keep them all written down somewhere (which in itself is a security risk). The website ideashower.com offers a simple way to create a unique, easy to remember password for every account.

Step One

First, rather than remembering a word for your password, remember a phrase instead. For example:

“I Have Way Too Many Passwords To Remember”

Then take the first letter of each word as your password, so…

“I Have Way Too Many Passwords To Remember”

would be: ihwtmptr

The result looks random to anyone who does not know the phrase, and it is not a dictionary word. On its own, though, it is still only eight lowercase letters (26^8, roughly 2×10^11 combinations), which an offline attack against a leaked password hash can exhaust, and an acrostic of a well-known line (a song lyric, a famous quotation) can be guessed by anyone who thinks to try acrostics. The Update below covers adding digits and symbols.

Step Two

Say you need a password for your bank (e.g. Wells Fargo). Just take the first letters of the name (Wells Fargo = wf) and put them in front of your password:

wfihwtmptr

Or another example, if you need a password for Facebook:

fihwtmptr

This way your password is different for every site, and all you have to do is remember one phrase. Keep in mind that the passwords differ only by a site-specific part that is derived by a simple rule; see the Update below.

We saw a similar article in the latest issue of the hacker quarterly 2600, although the author of that piece suggests using the lyrics of a favorite song or poem you’ll never forget—in his example, the classic Ice Ice Baby: “Alright stop, collaborate and listen, Ice is back with my brand new invention” becomes ascaliibwmbni. From there, you can add letters unique to the website as in the example above, and/or replace letters with special characters or numbers.

Using either method, you should be able to replace that one overused password with a set of distinct ones that are not dictionary words, without taxing your memory much more than before. They are not independent passwords, though: all of them share the same base, so anyone who learns one of them and the rule has a head start on the rest.

Update: I mentioned above that you can add special characters or numbers if you like. As several readers point out in the comments below, it’s not so much an “if you like” option as a requirement if you really want a strong password. Another point worth mentioning is that the example above is mainly illustrative: you should find a more obscure way to add letters to your base “word” than simply appending the site’s initials, because that rule is too easy to figure out from a single leaked password. Be sure to read the comments below for several suggestions on how to improve the examples above.
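The scheme from Steps One and Two, and the weakness the Update describes, written out as an added example (not code from the article, ideashower.com or the 2600 piece). The phrase, the site names, the “leaked” password and all function names are this example’s own. Beyond the article’s prefix rule it also tries the obvious suffix variant, so `infer_rule` shows how little an attacker needs to guess.

```python
"""Added example (not from the article, ideashower.com or the 2600 piece).

Implements the acrostic scheme from Steps One and Two, then shows the weakness
the Update describes: with one password and its site known, the shared base
and every other site password follow from the rule. The phrase, site names and
the 'leaked' password below are constructed for this example."""
import math
import re

WORD = re.compile(r"[A-Za-z']+")


def acrostic(phrase: str) -> str:
    """Step One: first letter of each word, lowercased.
    'I Have Way Too Many Passwords To Remember' -> 'ihwtmptr'."""
    return "".join(w[0] for w in WORD.findall(phrase)).lower()


def site_initials(site_name: str) -> str:
    """Step Two: initials of the site name ('Wells Fargo' -> 'wf', 'Facebook' -> 'f')."""
    return acrostic(site_name)


def site_password(phrase: str, site_name: str, rule: str = "prefix") -> str:
    """The article's rule puts the initials in front; 'suffix' is the obvious variant."""
    base, tag = acrostic(phrase), site_initials(site_name)
    if rule == "prefix":
        return tag + base
    if rule == "suffix":
        return base + tag
    raise ValueError(f"unknown rule {rule!r}")


def infer_rule(leaked_password: str, leaked_site: str):
    """Attacker's step. Given one password and the site it belonged to, test the
    two obvious placements of the site initials and return (rule, base) for the
    one that fits, or None if neither does (the user did not follow this scheme).
    A coincidental match on a one-letter tag is possible; the attacker simply
    tries the resulting candidates and discards the ones that fail."""
    tag = site_initials(leaked_site)
    if tag and leaked_password.startswith(tag):
        return "prefix", leaked_password[len(tag):]
    if tag and leaked_password.endswith(tag):
        return "suffix", leaked_password[: -len(tag)]
    return None


def pivot(leaked_password: str, leaked_site: str, other_sites):
    """Derive candidate passwords for other sites from one leaked password.
    Returns {} when the rule could not be inferred."""
    found = infer_rule(leaked_password, leaked_site)
    if found is None:
        return {}
    rule, base = found
    return {
        s: (site_initials(s) + base if rule == "prefix" else base + site_initials(s))
        for s in other_sites
    }


def keyspace_bits(length: int, alphabet_size: int = 26) -> float:
    """Search space, in bits, for `length` symbols drawn from `alphabet_size`.
    Eight lowercase letters is about 37.6 bits: 26**8 = 208,827,064,576
    candidates, a small job for an offline attack on a leaked hash."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = "I Have Way Too Many Passwords To Remember"
    for site in ("Wells Fargo", "Facebook"):
        print(site, "->", site_password(phrase, site))
    # Constructed scenario: the Facebook password leaks (breach, phishing, or a
    # site the attacker set up just to collect it, as one commenter describes).
    leaked = site_password(phrase, "Facebook")
    print("pivot:", pivot(leaked, "Facebook", ["Wells Fargo", "PayPal"]))
    print("8 lowercase letters ~ %.1f bits" % keyspace_bits(8))
```

Note that for a one-letter tag such as the `f` of Facebook the attacker does not even need to know the rule: stripping one character from either end of the leaked password yields the base, and every other site password is then one short guess away.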

“Remember Just One Password That’s Unique For Every Site” [ideashower.com]
Winter 08-09 Issue [2600 - The Hacker Quarterly]

Comments

  1. humphrmi says:

    line noise FTW

  2. GMFish says:

    Maybe it’s because I remember the patterns of phone numbers rather than the numbers themselves, but I’ll choose interesting patterns on the keyboard as passwords, which come out as being completely random.

  3. Quake 'n' Shake says:

    I just use “password.” It’s so diabolically clever, nobody would ever think of it!

  4. octopede says:

    I was doing something like this, but I realized that were anyone to crack my specific methodology (which was obscure but not difficult), they could use the underlying logic to get all my accounts. Now I use complex, patternless pwords for the important stuff; I keep an anonymous email account whose only function is to store these passwords with cryptic descriptors like ‘bank’ and ‘personal email’, should I forget them. After repetition, though, I’ve memorized the 4 most used, as complicated as they are…

  5. stanner says:

    I have my passwords tattooed under my eyelids. I thought that would be secure, but every time I go to sleep, someone logs into my iTunes account and buys a bunch of Clay Akins stuff.

  6. mzs says:

    I just do a pattern on my keyboard for everything important. When I change it I change the pattern slightly. It was bad when I was in Hungary and the layout of the keyboard was different and I realized that I did not know what my password was. The thing itself gets incorporated into the pattern. Say you had a password to foobarbank.com, it would start fbb, so then a pattern may become fBbrGg4Tt, see how that works.

    This is a nicer approach than the phrase since so many places put requirements on the passwords that would make them so that I cannot remember them. If I sit and look at the keyboard and think about the thing I can always come up with a pattern that is memorable, related to the thing, and meets their requirements like 8 chars with symbols, numbers, and mixed case.

  7. cromartie says:

    Nonsense. Just use all asterisks. Works every time.

  8. deep.thought says:

    This isn’t good advice. Instead, go download a program called KeePass. You only have to remember one password to get into the encrypted database, which has all sorts of neat and effective ways to organize your login credentials, notes, web address, etc. More importantly, it has a random password generator that can be customized but automatically uses something like 27 characters, numbers, and symbols; that way you have a unique and virtually uncrackable password for every site, and you don’t have to remember any of them. For the few sites you need to access away from your computer, think of a long string that isn’t a word, and throw in a number/symbol here and there. Then change it every so often.

    • TechnoDestructo says:

      @deep.thought:

      Is this database stored on your computer or a remote site?

      While there may only be a few sites you NEED to access away from your computer, there can be a lot that you WANT to access.

  9. chrisjames says:

    You’re not much better off just appending numbers and letters to a reused string. Choosing a password from a remembered phrase like that is good, but each sensitive account should use a distinct phrase.

    Look up some security texts… or better, hop around the internet opening up fake accounts for a while. You’ll come across a few that won’t let you use your username as your password, but also some that won’t let you use your username as even part of your password. The reason is that dictionary attacks are easy to update. Even an inexperienced offender is likely to add your username to his word list, and once they know one password, they’ll add that to the word list too. Combining that with a very shallow brute force method would yield the Wells Fargo (wf) and Facebook (f) passwords above.

    My opinion is that if you have a hard time remembering random strings of numbers, letters, and symbols–and who doesn’t?–then you’re much better off creating a unique and possibly random password for every sensitive account and writing them all down. I figure I’d rather write down every password in one place, and worry over keeping that list of passwords as secure as possible. It’ll be far easier for me to keep track of it than to worry if the Crocheter’s Anonymous forums get hacked, and my password stolen, which may be the same as or include part of my bank password.

  10. quagmire0 says:

    Seriously, this is not a bad idea for most people. It sure beats the old ‘password on a post-it’ on the monitor, or using your first name and a 1. :)

  11. jst07 says:

    After my email got hacked to send out a bunch of spam to my address book and other emails (nothing else destructive, thank god), I went nuts on security. So far I’ve favored using RoboForm which encrypts all my passwords with a master password. From there it generates all of my other passwords (12 char, uppers, lowers & numbers). I do most of my computing off my computer, but I also have it on a USB key to take with me and my cellphone if I need to reference a password somewhere. This method is also safe against keyloggers unless it manages to log my master password and snatch the encrypted files as well. I would HIGHLY recommend RoboForm.

  12. Syrus28 says:

    I do something similar. All my passwords are derived from song titles with combination of upper/lower case letters, with a 4-digit number at the end. I have all my song-derived passwords written down as song titles, with the 4 digit password the last 4 digits of a fake phone number.

  13. Corporate-Shill says:

    I was born in 19xx, when I was 5 my telephone number was 123-3456 and my kitty was named Abcd Efgh.

    When I was 10 I attended Bob Jones School and lived at 98765 Notmain St.

    Unless you KNOW me and really know me, you will not know each of these facts. And even if you know me, you still must know the combination of words and numbers I might use. At the same time these are easy things for me to remember.

    Mix and match fact sets and you have nice combinations of passwords.

    9876AbcdEfgh3456 is an easy to remember 16 character number.

    BobJones19xx is a simple 12 character password.

  14. H3ion says:

    I use a mixture of two words, each in a language other than English (phonetic spelling), and the last four digits of a phone number I had some 40 years ago. Hey, it works for me.

  15. elislider says:

    For my more high-security sites (school, bank, personal email, PayPal) I use a random string of characters I made up and just memorized. For everything else I use a word plus respective-site-related addons.

  16. Chris Walters says:

    Wow, I didn’t know everyone would respond so much to this post. I personally use a base “word” that isn’t a real word, then apply numbers and characters to it based on the domain name. It was a bit convoluted at first, but now I can reconstruct the password fairly quickly, even for a domain I haven’t visited in a year or more. I made up a set of rules that allow for special characters, numbers, and capital letters, as well as special conditions to follow when a rule can’t be properly executed because of the site’s specific password requirements or when a password has to be changed frequently.

    It took a while to put it all together, but it was actually kind of fun to play around with. My only problem with it is my passwords right now are 8 characters long, and I’m thinking it’s time to come up with a new, more complicated set of rules to generate longer passwords.

    Is it wrong that I enjoy this so much? Because I do.

  17. DarkKnightShyamalan says:

    Amazing! I’ve got the same combination on my luggage!

  18. rte148 says:

    How about taking 2 of your most used passwords and combining them? I’ve used variants of a couple of passwords that I’ve used since 1985 with 100% success; according to my IT guys, what I currently use is as strong as you can get.

    Here’s an example: ibutps1985

    (I’ve been using this password since 1985)

  19. Aisley says:

    For a password I use a phone number and a code. The “almost impossible” is to find out whose phone number in what country, and what type of code it is.

  20. Melissa Vilardo says:

    does anybody here use clipperz?

  21. CRCError1970 says:

    I use AI Roboform… It has a function that randomly generates a password for you… Then it remembers it for you as well. I end up with passwords like “2MkjqO60Y7lA72PP” and “9QDsS3vlFq109yC7”

  22. Jesse William Fuller says:

    I wish more sites had one time password systems like PayPal… I hear that WoW is adding an iPhone app that gives you an OTP so you don’t have to have all those little keys on your key chain. Some sort of universal OTP system for mobile phones would be awesome…

  23. David Schwartz says:

    The problem with this technique is that if one of your passwords is compromised, they all are. Worse, a focused attack is possible.

    If I want your FaceBook password, I tell you about this awesome new site (that I actually control). I get you to sign up for it, look at your password, deduce your rule, and now know your FaceBook password.

    So the tradeoff for this technique is that you must trust every site you use it on with your access to every other site you use it on.

    If you use this for electronic banking and PayPal and also for your gaming clan’s forum server and that new porn site’s free access offer, you are not a very smart person.

  24. Thunderdome says:

    I go with a tiered approach.

    level 1 – easy and short pw for anonymous forum and blog posting accounts. It’s not the end of the world if someone guesses it.

    level 2 – same pw as level 1, but adds a few digits. Mainly used for logins that require digits.

    level 3 – a longer password for more personal information. Not as easy to guess. Also used for any site that just requires a longer password.

    level 4 – a wild and crazy pw for financial logins and similarly sensitive stuff. A combo of letters, numbers, symbols, and whispering.

    All in all, I have 4 passwords to remember.

  25. billlnv says:

    A strong password should contain numbers, symbols, upper and lower case letters. Never repeat any part of your username in the password. Also, make sure that your password is at least 8 characters long.

  26. Anonymous says:

    Use the serial number from a dollar bill, add special characters as you see fit. Keep the bill separate in your wallet until you’ve memorized the pwd. Once you’ve got it, spend the money.

  27. goodywitch says:

    Don’t forget to protect your password reset also. Test out what happens if you forget your password, create a fake ID and history for that person, and use that person’s info instead of your real info.

  28. TristaNuggler says:

    Hi,

    For this exact problem I have created an online password manager – a secure way to manage all the passwords without the need to remember much.

    Check it out: http://paswd.appspot.com/

    Thank you,
    Adi

  29. David Rosado says:

    I love this idea. Consider doing things like putting the letters from the site name in different positions. Perhaps the F and B from facebook can surround your password, like fsob, or use the letters in an alternating pattern, like fsbo. Good stuff!

  30. Red Cat Linux says:

    I used to have one password that I changed little bits of, as the article suggests.

    The problem with passwords is not picking a good one that you will remember, it’s picking a good one that you can easily modify and meet password restrictions everywhere, AND you can still remember.

    One site will require you to use upper, lower, numeric and special characters in any combination and length. The next will do the same, but not these particular special characters. The next requires that the password not be longer than 8 characters.

    WTF. Bastages. Okay, here’s a different password. The next site only wants letters, is case sensitive, no numbers, and certainly nothing special. Okay… new password. The next site has a particular fetish about your user name, but doesn’t give a crap about your password, which it forces you to only use a 4 digit PIN for. Crap – okay, new user name and password for this one.

    So now, I have maybe 4 passwords that I use for personal accounts, not counting the 6 or 7 that I use for professional accounts. There are another 6 that I use for employee related accounts that my employer seems to sadistically enjoy forcing us to sign up for to get one tidbit of information or another.

    I now have a password keeper – the old school kind – a little notebook that I use to keep this stuff in. It goes with me everywhere.

    Why don’t I have an electronic password keeper? I did. I forgot the password to it. It wiped everything to protect me from myself.

  31. Norazi says:

    ive been doing this for years but never shared the technique with anyone since the more people that know and use the technique, the more vulnerable it becomes… Its kind of the same thing with firefox. I love and use firefox on all my machines but I don’t preach about it since the less people that use it, the less likely it will be targeted by hackers (the only reason IE is “less secure” is because more people use it so it is targeted by hackers more). It’s kind of a sort of elitism but hey this is the real world