How To Easily Remember A Different Password For Every Site

Everyone knows that one of the best ways to protect yourself from online security disasters is to use a different password for each account. But do you do it? Probably not, because at first glance it looks like an unreasonable burden, having to either remember dozens of unique passwords or having to keep them all written down somewhere (which in itself is a security risk). The website ideashower.com offers a simple way to create a unique, easy to remember password for every account.

Step One

First, rather than remembering a word for your password, remember a phrase instead. For example:

“I Have Way Too Many Passwords To Remember”

Then take the first letter of each word as your password, so…

“I Have Way Too Many Passwords To Remember”

would be: ihwtmptr

This makes your actual password look very random. Alone, this would be a pretty secure password.

Step Two

Say you need a password for your bank (ex. Wells Fargo). Just take the first letters of the name (Wells Fargo = wf) and add it to your password:

wfihwtmptr

Or another example, if you need a password for Facebook:

fihwtmptr

This way your password is different for every site, is secure, and all you have to do is remember one phrase!

We saw a similar article in the latest issue of the hacker digest 2600, although the author in that piece suggests using the lyrics to a favorite song or poem you’ll never forget—in his example, the classic Ice Ice Baby: “Alright stop, collaborate and listen, Ice is back with my brand new invention” becomes ascaliibwmbni. From there, you can add in letters unique to the website as in the example above, and/or replace letters with special characters or numbers.

Using either method, you should be able to replace that one, overused password with a bunch of unique ones that aren’t easy to guess and are resistant to brute force cracking, without taxing your memory much more than before.

Update: I mentioned above that you can add special characters or numbers if you like. As several readers point out in the comments below, it’s not so much an “if you like” option as it is a requirement if you really want to create a strong password. Another point worth mentioning is the above example is really mainly for illustrative purposes, and you should find a more obscure way to add letters to your base “word” than just appending the site’s initials, which can be too easy to figure out. Be sure to read the comments below for several suggestions on how to improve the examples above.
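The two steps above as runnable code, added here as an illustration (it is not code from the original article or from ideashower.com), together with a naive brute-force search-space estimate that shows how short the resulting passwords really are. The character-class sizes, the 33-symbol count and the sample inputs are my own assumptions, taken from the article's examples:

```python
import math
import re

# Constructed sample inputs, copied from the article's own examples.
PHRASE = "I Have Way Too Many Passwords To Remember"
LYRIC = "Alright stop, collaborate and listen, Ice is back with my brand new invention"


def acronym(text: str) -> str:
    """Step one: the first letter of each word, lower-cased."""
    words = re.findall(r"[A-Za-z0-9]+", text)
    return "".join(w[0] for w in words).lower()


def site_password(phrase: str, site_name: str) -> str:
    """Step two: prepend the site's initials (same first-letter rule) to the base acronym."""
    return acronym(site_name) + acronym(phrase)


def character_classes(password: str) -> dict:
    """Which of the usual four character classes the password actually uses."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


# Assumed class sizes: 26 + 26 letters, 10 digits, and the 33 remaining
# printable ASCII characters (ASCII has 95 printable characters in total).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def search_space_bits(password: str) -> float:
    """Naive brute-force estimate: log2(charset_size ** length), where the
    charset is every class the password contains. This is an upper bound;
    an acronym of common English words is far less random than this."""
    classes = character_classes(password)
    charset = sum(CLASS_SIZES[name] for name, used in classes.items() if used)
    return len(password) * math.log2(charset)


if __name__ == "__main__":
    for site in ("Wells Fargo", "Facebook"):
        pw = site_password(PHRASE, site)
        print(f"{site:12s} -> {pw:12s} ~{search_space_bits(pw):.1f} bits")
    print("Lyric acronym :", acronym(LYRIC))
    # The same phrase typed out in full (spaces removed) for comparison.
    print("Full phrase   : ~%.1f bits" % search_space_bits(PHRASE.replace(" ", "")))
```

The site prefix adds only a couple of characters of length, and nothing at all against someone who already knows the scheme; the estimate also makes the Update's point that a lowercase-only acronym draws from a 26-character alphabet.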

“Remember Just One Password That’s Unique For Every Site” [ideashower.com]
Winter 08-09 Issue [2600 – The Hacker Quarterly]

Comments


  1. Silviu Istrate says:

    This is something that EVERYONE needs to take note of… Including myself. I am extra cautious with my passwords yet still got my Paypal hacked into a while back.

    • ScottRose says:

      @Silviu Istrate:

      I disagree. By way of the example: If someone were to discover your password for Facebook under this scheme, they would then know that your password for Wells Fargo is the same, but with a “wf” at the beginning instead of an “f”. And the more popular this method of password generation becomes, the more likely that someone will be aware of it when cracking your account(s).

      As commenters pointed out below, the password should also include symbols and numbers; the password given in the above example is very insecure on its face.

      I personally categorize sites by level of security, and use the same password for all low-security sites (any site that doesn’t store personal information aside from my email and maybe my name). The PW is relatively simple for ease of typing.

      I use the same PW for all medium-security sites (those that store personal information, but no financial information). The PW is more secure (random) than the one I use for low-security sites.

      Then I use different, random PWs for each of the really important ones: Banking, PayPal, Email, etc. There aren’t too many sites in this category, so the different PWs are easy to remember.

      • PSUSkier says:

        @ScottRose: That can be easily mitigated. I think I’d prefer encapsulation myself (so wihwtmptrf or, if it’s a single word, you could use first and last letters, fwihwtmptrk, etc.)

        • Xerloq says:

          @PSUSkier: Additionally, you might consider using the purpose of the site as your seed in addition to the the site name.

          Example:
          Wells Fargo + Bank = wbihwtmptrkf
          Gmail + Email = geihwtmptrll
          Facebook + network = fnihwtmptrkk
          Dominos + pizza = dpihwtmptras

        • ScottRose says:

          @PSUSkier: Yes, but whether you encapsulate, prepend, or append the site’s initials (or anything), it still creates a pattern.

          Perhaps better to create a mnemonic device for a site (e.g. Facebook is opposite to Assmagazine, so you’d use a____m in your encapsulation. This way, even if someone knew the pattern they wouldn’t know your mnemonic for each site.

          Though I’d still throw some numerics and symbols into the base password. a55l@qf-m for Facebook/Assmagazine.

    • Apeweek says:

      @Silviu Istrate:
      Here’s another good password trick that will defeat keyloggers (a hidden program on your computer that records keystrokes.)

      Pick a long phrase like “supercalifragilisticexpialidocious”

      But when you enter the password, click inside the password box for some of the characters (or syllables) and outside the box for others. So your real password would be, perhaps “supcalfragisexaldoc” but the keylogger sees the longer word above.

  2. tbonekatz says:

    This is a great idea. I have a really hard time keeping up with all my passwords. I don’t want to write them down and I don’t want to store them on my computer or at one of those password storage sites.
    Time to start changing passwords.

  3. B says:

    Needs numbers and symbols.

    • ViperBorg says:

      @B: Exactly, I don’t have a single password that doesn’t have a good mix of letters, numbers, and symbols. Also makes for long passwords. But that’s okay, all these traits make for secure passwords. Just remember to change them often.

    • tbonekatz says:

      @B:
      A number could be the number of the words in your phrase, the square root of that number, the number of words plus the number of your address, along those lines. Would still be easy to remember. Then throw in the symbol that corresponds to the first digit of the number you choose.

    • Gann says:

      @B: You could incorporate number and symbols into the phrase:

      STAR Light STAR Bright, FIRST Star I See Tonight =

      *L*B1SIST

    • Mr.DuckSauce says:

      @B: Needs hieroglyphs, now no one will know the password, except anthropologists in the field of ancient Egyptian.

    • Etoiles says:

      @B: Our work network passwords MUST:

      Be more than 8 characters long
      Have uppercase and lowercase letters
      Have numbers
      Have special characters
      Cannot contain any word recognizable in any language that it checks
      Be replaced every 30 days

      And you can’t use any of your last 10. Also, the password you use for your e-mail / intranet access has to be different than that one, and subject to the same restrictions.

      There’s “security,” and then there’s, “no, seriously, I can’t remember this shit anymore.” I basically just end up moving the same punctuation mark backwards one place at a time for a year.

      • snowburnt says:

        @Etoiles: 30 days is excessive for password recovery, in my opinion. Same as requiring too many different passwords and having a 3-login lockout.

        too many restrictions will create more problems like people writing down their passwords and taping them to their monitors.

        Network security guy 1: “Great, no one can crack these passwords”
        Network security guy 2: “They don’t have to, the cleaning person took the sticky from this guy’s monitor with his login and password”

        • Etoiles says:

          @snowburnt: Yeah, I think it’s pretty stupid. Particularly since I’m not exactly in a national-security kind of company.

          My last job had very similar restrictions… I used up the entire cast of two video games as my passwords while I was there.

      • Ragman says:

        @Etoiles: Add to that “Cannot contain any patterns, such as asdf, fdsa, qwerty, 1234, etc”, had to be reasonably dissimilar to the previous 6 passwords, and you get what I had to deal with at one time. I finally had to open notepad, randomly type shit and cut & paste until the system accepted the new password. Which I promptly wrote down on a piece of paper in my wallet b/c I couldn’t always remember it. I also had EIGHT other passwords to remember for the same job that changed on varying (45, 60, 90 day) schedules, albeit with less strict standards.

        As long as your password isn’t easy to guess or subject to a dictionary attack, and you don’t fall for phishing/social engineering tactics, changing it often is more of a pain than a help. Of course, anything I accessed through a former employer’s network (such as Hotmail), I changed passwords the day I left. Or anything I got suspicious about.

        I remember my commonly used passwords, but the other 150 or so I have to keep written down at home. One day I’ll invest in an electronic password keeper. Many of the people I worked with at the aforementioned employer used them.

        I used to use a pattern as described. Then, I realized it would only take a cracker TWO of my passwords to see the pattern. “Hmm, his facebook is fascaliibwmbni, and his Wells Fargo is wfascaliibwmbni, then his Gmail must be gascaliibwmbni…” I have so many passwords on sites that I worry about somebody pulling a TJMaxx on passwords for multiple sites where I have accounts and figuring it out.

        Oh, and it’s a pain trying to pattern b/c special characters are an essential part, but some sites I’ve come across wouldn’t let you use special characters. Worse, there was one (I forget who) that CHANGED their password reqs, and FORBADE special characters in the new reqs. Fortunately I was able to get a password reset done.

        • Ragman says:

          @Ragman: Meant to say “it’s a pain trying to pattern b/c special characters are an essential part of a secure password”

        • rlee says:

          @Ragman: I feel your pain. And it’s even worse, because you can’t always use your email address as the login, so now you have to remember that for every site, too, and they too have restrictions (as well as “that login is already taken”)! Some don’t allow _ or ., some don’t allow numbers, some don’t allow capitals; some don’t allow anything under 5 letters, some don’t allow over 8, etc.

      • Xerloq says:

        @Etoiles: You could simply append a number to the end that signifies the iteration you’re on. Then you hit [shift]+the number to make it extra secure.

        I hate my voicemail password which is required to be 8 numbers long and changes quarterly and my conferencing password which is 10 random numbers quarterly. Neither can ever be reused.

  4. Radi0logy says:

    Passwords are the thing I hate the most about modern technology :P Someone integrate retinal scanners into LCD monitors please… Then I just have to worry about getting my eyeball cut out, Demolition Man style.

  5. JaideepG2002 says:

    this is great except most sites are requiring that you have numeric and special characters in your password nowadays…

  6. supergaijin says:

    Some sites need numbers AND letters, so my rule for ALL sites (I do a similar thing to the OP) is to replace any “i” with a “1” and “o” with the number zero. Mixes it up just fine, easy to remember as long as you’re 100% consistent, and makes the passwords more secure.

    • lintacious says:

      @supergaijin: i do this as well

      • Communist Pope says:

        @supergaijin: Gotta love 3s for e/Es and 4s for a/As, too. I just wish more secure sites accepted symbols in passwords, then you can really mix it up.

    • Anonymous says:

      @supergaijin: There is a very common password tool that already guesses passwords based on dictionary words, substituting numbers for letters, i.e. “p4ssw0rd”, so you’re not really any safer than if you were just using “password”.

      The best passwords are random passwords. Unfortunately, they’re also the hardest to remember.

  7. Danj3ris says:

    I won’t admit I’ve been doing this for years because if I admitted it, all it would take is for someone to figure out the one phrase I use for every single login, then add the necessary letters of the site. My entire e-life would then be exploited.

    But for everyone who is not me, this is a great idea. ;)

    • I_am_Awesome says:

      @Danj3ris:

      As you point out, the security this adds is far from fool-proof. It’ll thwart an automated attempt to get into your account, but it won’t stop a human being.

  8. KyleOrton says:

    I had something like this, but I ran into some sites that limit the characters to 8 and blew it up.

    • Triterion says:

      @KyleOrton: And some require at least one number or special character :(

    • LandruBek says:

      @KyleOrton: Yes, sites like that drive me up the freaking wall. HOW (O web developer) CAN IT BE SO BURDENSOME TO ACCEPT LONG STRINGS? I too like to “salt” my passwords (that’s the technical name of this technique), but there’s that one credit card I use, I think it’s Bank Of Cthulhu or something, that forces me to use a teeny tiny password. Iä!

  9. enm4r says:

    Writing down your passwords is not as horrible as people make it out to be. It’s not possible to hack a written sheet of paper, and I would think most people are in fairly low danger to have a sheet of paper stolen from a desk drawer.

    Also, don’t use family or pet birthdays/names. It’s not original, and it’s not secure. The 1 at the end of your password to fulfill the digit requirement isn’t original either.

    • pecan 3.14159265 says:

      @enm4r: What you should do is just write them down and keep them locked up.

      • Trai_Dep says:

        @pecan 3.14159265: I have it tattooed on an intimate area of my body. Luckily only six characters are required, or I’d need Extenz.

      • Rocktober says:

        @pecan 3.14159265: You can also write them between the lines or in the margin of some random book, then stick it on your bookshelf. That way it is, in essence, hidden in plain sight.

        • samurailynn says:

          @Rocktober: My cousin’s husband once had a slip of paper in his wallet to help him remember different PIN numbers. He wrote a name with a phone number… The name helped him remember which card it was for and then the last four digits of the phone number were his PIN.

    • redskull says:

      @enm4r: I also write down passwords that I don’t use all that often and am prone to forget. However, I don’t write the entire actual password, just enough to jog my memory.

      For example, if my password were “Bosco99,” I just write “B99.” That’s enough to remind me that I have a password called Bosco, and not enough to tip off anyone who might find the piece of paper.

      The method in the article seems pretty good until you realize that everyone who reads it is going to use “ihwtmptr” and it’s going to replace “password” as the most used word out there.

    • alexburrito says:

      @enm4r: It’s funny, but I remember when I thought passwords were to keep someone from sitting down at your computer and logging in – thus – don’t write it down.

      Now, they are to keep the “virtual people” away from your stuff and the piece of paper is safest!

      • TWinter says:

        @alexburrito: I keep passwords on an index card in a locked drawer. My passport and various financial papers are locked in the same drawer. I figure if someone gets in there having my Travelocity password hacked will be the least of my worries.

    • Eyebrows McGee (now with double the baby!) says:

      @enm4r: I know several professors who choose a random book in their office (typically out of a couple/few hundred) and passwords are picked as random words from the book (sometimes with replaced letters). Then you can keep a little notepad in your desk where you record the word in some code — like 62-a-1-3 would be “page 62, column a, sentence 1, word 3” or something like that. That way you can remember/record a very large number of passwords in a way that makes it very unlikely that even a burglar who comes to your actual office to steal your written-down passwords will figure them out, because who’s going to go through 200 books to figure out which one you’re using, even if they realize that’s what the code means?

  10. JRules says:

    “are resistant to brute force cracking”
    The whole point of brute force cracking is that people only use letters in their passwords. You need symbols and numbers to be resistant to brute force cracking.

    • LandruBek says:

      @JRules: Well, sort of. There’s nothing stopping a brute-force cracker from trying any character. Numbers don’t necessarily help: for example, “TrustNo1” is an example of a useless password, one that has literally become a joke—though it has a number in it! Likewise, adding a “123” suffix onto a password is also such a cliche that it does not afford any security. The Conficker worm, for instance, uses the following list of passwords to try to brute-force itself into Windows computers, and many of the passwords on that list contain numbers.

  11. snowburnt says:

    Another alternative is to remember a really complex password and have the rest of your passwords on an encrypted file that uses that password to open up on your computer…just make sure you close out the file when you’re done.

    • snowburnt says:

      @snowburnt: similar to this is to use a complex password to get into your computer and encrypt the file there. There’s a few free encryption places out there and windows comes with some utilities you can use with a certificate.

      It’s complex at first but makes sense after a little while

    • dangermike says:

      @snowburnt: Or even better, open that encrypted file as in notepad or something similar and paste a small portion of the encrypted text as a password.

      For making passwords that are easy to remember yet hard to guess, try searching for pronounceable password generators. Get a “word” that’s 8+ letters long, mix the case a little, and add a few numbers or other special characters, and you’ll have a password that’s about as strong as it can be that will serve as its own mnemonic, rather than having to memorize some clunky phrase like the one in the original article above.

      • dangermike says:

        @dangermike: and that’s not to say there’s anything wrong with clunky phrases. I haven’t played Doom in at least 15 years, and I still remember idspispopd as the code to fill ammo (all the codes started with “id,” the game’s development house, and then this one was an acronym for “smashing pumpkins into small pieces of putrid debris.” Oh, and I really do have a life. I swear.)

        • nybiker says:

          @dangermike: Thank you dangermike for clearing that mystery up. I knew the ‘id’ was them, but I didn’t know where they got the rest of the code from. Oh yeah, thanks for reminding me it’s been a long time since I played Doom too.

        • cheezfri says:

          I used to use that as a password too! Loved that game…

    • mac-phisto says:

      @snowburnt: i use a program called keepass –> [keepass.info]

      it works using your idea: create 1 complex password & store all your important passwords behind AES & twofish encryption. it generates random passwords based on what you want in them (letters, numbers, symbols, caps, no caps) & even tells you how strong that password is.

      i use a portable version that you can install on a usb stick to carry it with you. you can also use the portable version as a fob that must be present to access a database on your comp.

      gina over at lifehacker has the most comprehensive info on the app. check it out –> [lifehacker.com]

      pretty awesome stuff. best of all it’s free. props to the open source crowd.

    • CapitalC says:

      @snowburnt: Or get Roboform2Go and use one strong password to lock all your Roboform-generated-impossible-to-remember passwords in a keyring. I’ve been using it for years and I do like it better than many of the alternatives (incl. Keepass for PC and 1Password for Mac, both of which I have used or do use).

      Just remember to print them out once a month and store them somewhere like a safety deposit box!

  12. davidc says:

    The only problem with this is that *some* of your passwords are going to match since, as with the example of facebook, there are a lot of sites that start with F and are only 1 word.

    Of course, if somebody figures out your “key phrase” by getting 2 or more of your passwords, you’re kinda toast.

    In the end, doing this is probably a lot better than relying upon FireFox to remember your passwords!

  13. mschlock says:

    Ugh, passwords! Already have too many of them, but some sites require special characters and some sites explicitly forbid them, and remembering which site has which rule absolutely drives me bonkers.

    Also, I have a site I use at work that requires me to change the password every three months. I hope no one figures out all I’ve been doing is incrementing the number on the end of the password. *ahem*

    • Gokuhouse says:

      @mschlock: You’re not alone……I know when I worked helpdesk support almost all of our salesmen did this. It’s sad when you work on their PC again and find that the password is still Password1 or 2 or 3….

      • TWinter says:

        @Gokuhouse: My work makes us change every six months and they analyze the new password and reject it if it repeats too many character strings from any of your last three passwords. Drives me bonkers twice a year to come up with something totally new.

        • TechnoDestructo says:

          @TWinter:

          Don’t. Come up with a group of password components, and switch the pieces around.

          I use bits and pieces of names (fictional characters are good, as are dead pets), mixed with strings of numbers and characters that I knew anyway. Old phone numbers, parts of email addresses or street addresses (nothing current or recent, of course, unless it belongs to someone not closely related to you). Something that you remember in its entirety. It basically turns remembering the password from remembering a string of gibberish into remembering two or three elements which are mentally (to you) no harder than remembering single letters.

          That’s kind of like what’s recommended here, but not. The site recommended here…if you don’t have many passwords it’s fine I guess. But having to remember HOW you made your password isn’t really any different from remembering your password.

        • usa_gatekeeper says:

          @TWinter: So you end up writing the current temporary P’word down on a scrap of paper and keep it “hidden” somewhere in or on your desk, right?

  14. britne says:

    The thing is, every site wants something different – long, short, caps, numbers, special characters, no two characters the same or in a row, etc.

    Oh, and people who design these things? If your password rules have exceptions like this, please provide them as a hint for when I try to log in again. If you told me it has to be 8 characters long and have a letter, number, and symbol, I need to know that when I go back to the site to log in.
    /rant

    • Rectilinear Propagation says:

      If your password rules have exceptions like this, please provide them as a hint for when I try to log in again.

      @britne: If we provide the hint to you then we’re also providing the hint to the person trying to break into your account.

  15. Mike_ says:

    An incrementally safer way to do this would be to obfuscate the prefix. If someone finds your Wells Fargo password and notices the first two letters are “wf”, they may be able to deduce your password theme and log into your other accounts. Instead of using “wf”, shift each letter by a set number, say, +2: W becomes Y, and F becomes H. Instead of wfihwtmptr, use yhihwtmptr.

  16. balls187 says:

    This is bad advice.

    Here’s why:

    This only protects against simple dictionary attacks.

    A brute force attack on a fihwtmptr would take a few hours with a distributed machine attack.

    You’re way better off using a passphrase. Once you get to 16+ characters, it makes it nearly impossible to bruteforce a password within reasonable human time.

    Here are some numbers: [www.lockdown.co.uk]

    This of course glosses over things like Conficker, key loggers, phishing and man-in-the-middle attacks.

    • j-o-h-n says:

      @balls187: To truly be secure with pass phrases you need to add in one or more of:
      * some random special characters
      * a very obscure word
      * a misspelling

      Otherwise you have limited the search space to just V^N where V is the size of your common word vocabulary (likely a few hundred), and N is the number of words in your phrase (likely 6 or less).

      • mythago says:

        @j-o-h-n: Except that a lot of sites do not accept special characters….

        • tobedetermined says:

          @mythago: Tell me about it! As a technologist, I don’t understand why some sites restrict the use of just alphanumeric. Why do people disallow the rest of the printable ASCII characters?

        • floraposte says:

          @mythago: Or 16 characters.

          This is one of those risk-balancing things. How much effort prevents just how much risk, and at what point does the return stop becoming worth the effort? While it’s worth “taking it seriously,” for most of us it’s not actually worth the effort to get to 99% hacker-proof, any more than it’s worth the effort to make one’s house 99% break-in proof. And there’s lost productivity from time involved to deal with lost passwords, risk from workarounds (like the writing stuff down) that make you more vulnerable in other ways, etc. It’s ultimately a pretty crappy arrangement, and that, more than user sloppiness, is its weakness. A system that’s harder to work effectively than to work badly isn’t a good system, but we are, for the foreseeable future, stuck with it.

          And that’s why I think the above article has utility despite its limits–it will strengthen the security of that considerable number of folks who have thrown their hands up in despair and are currently logging in to their bank as “Mom” with a password of “Mom.”

        • j-o-h-n says:

          @mythago: Well, I gave you three choices — pretty sure most sites will accept one of the others!

  17. MichaelLC says:

    I’ve used this on some sites – will mix it up by using the first and second names of a site – PetSmart, for example, or USING CAPS.

    Just like physical credit cards, though, no one is interested in *your* numbers, they want 10,000 numbers. So best security is ensuring you don’t have spyware/viruses running.

  18. QuantumRiff says:

    No numbers or symbols? Not even upper case letters? That is a horrible password. Nowadays, with the advent of things like “rainbow tables” that can crack any passwords of up to a certain length in seconds, you have to have really, really long passwords to have a chance. There are actually tools for this, such as keepass ([keepass.info]) that will not only store, but generate your passwords for you! People may get all upset about this, having them all written down, but in my experience (I’ve been in IT for 10 years now) the biggest risk is an external site getting cracked, not your local stuff. This tool is open source, and many, many people have pored over the code to figure out how to crack its security to get into its database. As long as you remember one very good password, you’re set.

    How many times do we hear about passwords getting broken at myspace.com, or an e-commerce site. It is much more important that all the passwords be random, and different. (ie, so if they crack my amazon password, they cannot easily figure out my Wells Fargo one).

    On a side note, rainbow tables are a great thing to demonstrate at work, to make bosses sweat very, very profusely…

  19. yoni242 says:

    I AM sure that someone will use these passwords for their account. That’s the sad part. Come on, what’s so hard about having many passwords. Cell phones and pdas have made our brains lazyyyyyyyyyyyyyyyyyyyyyyyyyy wake up and start reusing the best memory out there. will stay with you longer than your cell and pda combined.

    • mythago says:

      @yoni242: Yeah, back in the good old days we had no problem remembering dozens of different passwords like “39$j31((ghj{”, one for every single website, and we had to walk uphill five miles in the snow to get them! Also, we had punctuation!

  20. coan_net says:

    I do something similar – want to know when this fails? When sites change names or merge.

    Some of the genealogy websites have done this, and now I’m unsure which “password” was used for the site that is now under a new name.

  21. Anonymous says:

    An easier and more secure approach that addresses all of the size and character requirements that the method in the article conveniently ignores is PasswordMaker (passwordmaker.org).

  22. Anonymous says:

    Keep in mind that cracker dictionaries will often have well known phrases or series like this — so don’t use something commonly known like mvemjsun (names of the planets), roygbiv (color spectrum) or omfg (well, you know).

    Also avoid “hacker” or texting slang, because dictionaries and scripts will accommodate for that. Changing “bankone” to “b4nk0n3″ doesn’t really afford you extra protection.

  23. bologna_wallet says:

    I create passwords as combinations of names and birthdays of ex’s.

  24. Frank Murphy says:

    Use numbers and the names of other people’s pets!

  25. Ted's Famous Kickin Chicken says:

    The biggest problem with this, for some people, is the fact that you often don’t get to choose your passwords or you have to choose a password that other people will share–for a server login, for example.

    I’ve been using KeePassX for several months and love it.

  26. William Beem says:

    Then again, this advice doesn’t help much when you’re forced to regularly change your password every month or so.

  27. Gokuhouse says:

    What a great idea. I have been using the program keypass to manage all my passwords, but I don’t always have it with me. This would really simplify things for me.

  28. Anonymous says:

    Why bother shortening it? Really long passphrases are much more resistant to brute-force attacks. If you use “IHaveWayTooManyPasswordsToRemember” as your password, that’s 135-bit strong. Easier to remember, easier to type. By shortening it to “ihwtmptr”, you’re reducing it down to 36 bits.

  29. Terraxsu says:

    When can I start using my RSA key generator to log into everything? At work, I have RSA authentication to log in from home which consists of several characters of my choosing appended to a 6 digit number off of a key card that changes every 30 seconds. Assuming you don’t lose your key card to someone who can guess your other characters, it should be a lot safer than traditional passwords. Also, if you lose your key card, you usually know right away and have it changed. If someone steals your regular password, you don’t have a way of knowing it too quickly.

  30. Scoobatz says:

    I remember the good ol’ days when my password was “password”.

  31. Oranges w/ Cheese says:

    Use PasswordMaker extension!

  32. secretoftheeast says:

    When I need to come up with letters or symbols, I generally go a little toward leet speak to fulfill that requirement. If I have to constantly change the password (every month, for example) I sometimes prefix my password with numbers and postfix it with the same numbers, but hold down shift (which makes it symbols).

    For example: My main key word would be “secret” so the password I’ll enter would be 12secret!@. Once that expires, I would go 23secret@#. Kind of cheap but I figure it wouldn’t be easy to crack, especially if your password expires as frequently as mine does.

    I also considered getting a Mandylion password token, though it’s kind of cost prohibitive.

  33. corinthos says:

    I’ve been doing stuff like this for a while. I used to do it with the website name: first four letters of the website name, number of letters in the website name, my first and last initial, and last four of the website name. If the website name is short I just do the first and last 2.
    Like for here it would be cons11CMrist. I had other methods too. For the longest time I used my computer or printer model number for websites where I don’t care if someone takes my SN, but I would always come up with something else for email accounts. It sucked when I changed printers and forgot to write down the model number, though; I eventually found an email for the warranty on it and got it back.

  34. RandomHookup says:

    One method you can use — sing a song.

    When you go to Facebook, sing “Whenever I see your smiling face…” WISYSF

    When you go to Twitter, sing “If happy little bluebirds fly beyond the rainbow…” IHLBFBTR

    When you come to Consumerist, you sing…you sing…you sing…oh, well. It seemed like such a cunning plan.

  35. Rectilinear Propagation says:

    I’m not even sharing what I do to generate passwords.

    But I bet there’s a whole slew of people using famous passwords. Right now someone’s password for Facebook is “Flibbertigibbet” or “Frisky Dingo”.

  36. sybann says:

    My company makes us change ours (and it needs to have a capital and a number and can’t be anything close to the last one) every damn 120 days. I rotate them. And I am lucky in that I have a great memory for strings of numbers or letters. Not braggin’ just saying. Even so – this drives me crazy.

    But I have 4 cats and 2 dogs so they figure in nicely – and make for an infinite number of possibilities.

  37. SNForrester says:

    I think that sometimes it’s ok to use the same password for every site. My password here is the same one I use for many other sites. If someone guessed it, I wouldn’t really care. I consider it an insecure password and I pretty much use it for any website that doesn’t involve money or personal info. Why should I create a strong password for a site where there is really nothing of value worth losing?

    By all means, keep the bank, shopping, and email passwords secure… but don’t stress out over all the rest.

    Is this wrong?

  38. IphtashuFitz says:

    I make passwords out of street addresses. My personal one is based on where I used to spend summers growing up. If you have an address like “123 Main Street, Anywhere, NY” you can easily get the password 123ms,A,NY out of it using the numbers, first letters, and punctuation. I make the street lowercase & the rest upper.

  39. Murph1908 says:

    I do something similar.

    What F’s up this system is, some sites have limits to the length of the password, so my system doesn’t work for them.

    Also, if your system includes a special character, but the site doesn’t allow it (or vice versa), you’re boned too.

    But all in all, I like this system. I have 3 different phrases for 3 different levels of sites;
    1. banking and financial sites
    2. Standard, life won’t be a bitch if it’s cracked sites
    3. Porn

  40. jasonkarns says:

    That’s why I use OpenID through MyOpenID on sites that support it (unlike Consumerist. Get it together, guys. It’s not hard.)

    On sites that don’t, I use the PwdHash extension (they support Firefox, IE, and Opera as well as a website for logging on the go). It takes my generic password, combines it with the domain name, and hashes it. So I only have to remember my generic password, but I end up with site-specific passwords that look like gibberish.

    • Chris Walters says:

      @posaune: I set up my own OpenID at one point a year and a half ago, then kind of stopped using it. I hate to sound stupid, but here goes: I never understood what made it safer than other security systems, and could never find a good layman’s explanation of why it’s a better solution. Care to try?
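
The site-specific hashing that comment 40 describes (PwdHash-style: one memorised secret, a different password for every domain, nothing stored anywhere) can be built in a few lines. The following is an added example written for this page, not code from PwdHash, PasswordMaker or the commenter; the fixed stretching salt, the 64-character output alphabet, the retry counter and the “www.” normalisation are this example’s own assumptions.

```python
import hashlib
import hmac
import string

# 64-character output alphabet: 256 is a multiple of 64, so reducing a byte
# modulo 64 picks every character with equal probability (no modulo bias).
# Only two symbols fit in 64 slots; that is a tradeoff of this example.
ALPHABET = string.ascii_letters + string.digits + "!#"
assert len(ALPHABET) == 64

# Character classes a typical site policy asks for.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#")


def normalize_domain(domain: str) -> str:
    """Case-fold and drop a leading 'www.' so one site always maps to one
    password. Folding other subdomains onto the registered domain is left
    to the caller (an assumption of this example)."""
    host = domain.strip().lower()
    return host[4:] if host.startswith("www.") else host


def meets_policy(password: str) -> bool:
    """True if the password contains at least one character of every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def master_key(master: str) -> bytes:
    """Stretch the memorised master secret once. The salt is a fixed label
    (assumption of this example); per-site separation comes from the domain
    fed to HMAC in site_password, not from the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), b"site-password-example", 100_000
    )


def site_password(master: str, domain: str, length: int = 16) -> str:
    """Derive a per-site password as HMAC-SHA256(stretched master, domain)
    encoded into ALPHABET. If the result lacks a character class, re-derive
    with a counter appended to the domain until it complies. Everything is
    deterministic, so the same master and domain always give the same password."""
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32 for one SHA-256 output")
    key = master_key(master)
    host = normalize_domain(domain)
    for counter in range(256):
        msg = f"{host}#{counter}".encode("utf-8")
        tag = hmac.new(key, msg, hashlib.sha256).digest()
        candidate = "".join(ALPHABET[b % 64] for b in tag[:length])
        if length < len(CLASSES) or meets_policy(candidate):
            return candidate
    raise RuntimeError("no policy-compliant candidate found")  # practically unreachable


if __name__ == "__main__":
    master = "I Have Way Too Many Passwords To Remember"
    for site in ("www.WellsFargo.com", "facebook.com", "consumerist.com"):
        print(f"{site:22} {site_password(master, site)}")
```

Two caveats a practitioner would want stated: the scheme is exactly as strong as the master secret, because anyone who learns it together with the scheme can regenerate every site’s password, which is why the stretching step is not optional; and rotating one site’s password means changing the master or the per-site counter, which is why the real tools keep per-site settings alongside the master.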

  41. xamarshahx says:

    they brute forced their way in to my hotmail and then used it to get in to my paypal.

  42. Dennis says:

    For anyone just looking to store their passwords safely I suggest KeePass (http://www.keepass.info); it’s safe, free, and open. That way you only need to remember one password.

    I find that it’s easy enough to remember the passwords you type most often, and for the rest I have KeePass…

  43. Ragman says:

    I wonder, if you take a highly restrictive password system that disallows so much in the password, would designing a brute force based on those requirements work?

    One could, while trying to create a legit account, test out passwords to see how restrictive the system is. Like if it disallows repeated characters, no dictionary words in the password, no common patterns, must have mix of certain character types. It would seem the more restrictive it was, the easier it would be to brute force a password.

    • Rectilinear Propagation says:

      @Ragman: Requiring numbers, symbols, and a mix of cases should make brute force harder because it increases the number of combinations you have to search for.

      I would also think that allowing dictionary words would make a brute force search faster too because it would check for those first before trying random combinations of characters.

      • Ragman says:

        @Rectilinear Propagation: Requiring them also eliminates having to brute through all alphanumeric characters alone. And I’m talking about allowing dictionary words WITHIN the password, not AS the password. A good system should not allow obvious things like “password”, “P@ssw0rd”, etc, but something like “T1Mpassword!!” should be.

        My point in my comment about enough restrictions making brute force possibly easier is based on restrictions I had at a job one time. They were so restrictive that I had to type gibberish and write down the password to remember it every 30 days. You couldn’t put any dictionary words within your password, no repeating chars, had to have an upper, lower, numeric, and special char, and couldn’t be a pattern like “1234” or “asdf”, couldn’t use the previous 6 passwords or anything similar to them. Length was 6 chars min, but I forget the max. Not that I’d expect most people to use a 15 char gibberish password that must be typed in every time.

        Besides, any decent system should lock you out or alert someone after so many failed password attempts.
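
Comment 28’s bit counts and Ragman’s question about restrictive policies both come down to counting a keyspace, so here is one added example (written for this page, not from any commenter) that does the arithmetic: a brute-force entropy estimate under the “every position is uniform over its character set” model that such bit figures imply, and an inclusion-exclusion count of how many strings a composition policy leaves an attacker to search. The four class sizes are those of printable ASCII; the uniform model itself is an assumption, and it says nothing about how guessable a phrase is.

```python
import math
import string
from itertools import combinations

# Character classes that password policies talk about
# (printable ASCII: 26 + 26 + 10 + 33 = 95 characters).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def classes_used(password: str) -> set:
    """Which of the four classes appear in the password."""
    found = set()
    for c in password:
        if c in string.ascii_lowercase:
            found.add("lower")
        elif c in string.ascii_uppercase:
            found.add("upper")
        elif c in string.digits:
            found.add("digit")
        else:
            found.add("symbol")
    return found


def brute_force_bits(password: str) -> float:
    """Bits under the blind-brute-force model: every position drawn uniformly
    from the union of the classes the password actually uses. This is a
    ceiling, not a guessability measure; dictionary phrases are far weaker."""
    alphabet = sum(CLASS_SIZES[k] for k in classes_used(password))
    return len(password) * math.log2(alphabet)


def policy_count(length: int, sizes: dict, required) -> int:
    """Number of strings of `length` over the union of all classes in `sizes`
    that contain at least one character from every class in `required`.
    Inclusion-exclusion: subtract strings missing one required class, add
    back strings missing two, subtract those missing three, and so on."""
    required = list(required)
    total_alphabet = sum(sizes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = total_alphabet - sum(sizes[m] for m in missing)
            count += (-1) ** k * alphabet ** length
    return count


def policy_bits(length: int, sizes: dict, required) -> float:
    """log2 of the policy-constrained keyspace."""
    return math.log2(policy_count(length, sizes, required))


if __name__ == "__main__":
    for pw in ("ihwtmptr", "IHaveWayTooManyPasswordsToRemember"):
        print(f"{pw:36} {brute_force_bits(pw):6.1f} bits")
    print(f"8 chars, any printable:             {policy_bits(8, CLASS_SIZES, []):6.1f} bits")
    print(f"8 chars, all four classes required: {policy_bits(8, CLASS_SIZES, CLASS_SIZES):6.1f} bits")
    print(f"12 lowercase letters only:          {policy_bits(12, {'lower': 26}, []):6.1f} bits")
```

Run stand-alone it shows that requiring all four classes in an 8-character password trims the space from about 52.6 bits to about 51.4 bits, while 12 lowercase letters give about 56.4 bits: the composition rule costs a little, length buys much more, and neither figure protects a password that a wordlist contains. Against online guessing, the lockout Ragman mentions matters more than either.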

  44. Mxx says:

    I use truly random passwords for all of my sites/accounts thanks to http://www.lastpass.com

  45. nobodyman says:

    Instead of initials, I typically go with two/three word phrases. Virtually all websites & operating systems allow spaces, so why not have your password be “The Consumerist rocks!”? It’s way easy to remember, but because it’s 22 characters long it would be very hard to crack using brute-force methods. Since you’re using multiple words, I imagine it would even be highly resilient to dictionary attacks.

    And, no, that’s not my consumerist password, but I *do* think it rocks :-)

  46. fatcop says:

    A piece of paper and a pen fixes this just fine.

  47. Anonymous says:

    This is bad advice. If you lose one password, the rest of your passwords are now just a character or two away from being cracked. Further, dictionary-based attacks are yesteryear–going over every character combination is not as hard as it seems, and the systems I administrate regularly have brute-force attacks against them in which users with random, short passwords get hacked.

    The only solution is a password management program like 1Password. Have your computer’s login password be a good, long phrase, like “This password is far, far, far too long to crack, you fools!!”. Then 1Password bases its security on your knowing your computer’s login password and generates a long, unique string of random garbage for every site you visit.

    It’s the only way to do it these days.

  48. W10002 says:

    I used to use acronyms of my family myself. Now I pick something I’m obsessed with at the moment, and change the letters with symbols and numbers.

    For example, when The Dark Knight came out, I used ‘The Joker’ as my password, only changing it to tH3_j0KER. After 90 days, I would change it to another obsession, so I never use the same password twice.

  49. Chip Johnson says:

    The problem with this, as already stated, is that it’s still vulnerable to a brute force attack, and you’re still using a guessable algorithm. If someone learns your algorithm, they’ve got access to all your sites.

    There’s no good way for a normal person to really secure every site. The best way I’ve found is to have a unique, randomly generated, cryptographically secure username (when possible) and password for every site. This approach, however, quickly becomes unwieldy without a password vault program. These apps let you have the security of using unique, randomly generated usernames & passwords on different sites, without having to remember them.

    Password vaults are applications that keep the URL to the login form for a particular website, the username, and the password stored in an encrypted vault. You unlock the vault with a passphrase, such as “Password keyphrases are long and annoying beasts, but they keep me relatively secure,” or “Aunt Mabel’s rhubarb pie is delicious, but gives Uncle Jim gas.”

    The free password vault app, PasswordSafe, has tools to make it easy to copy & paste your passwords into webpages. The paid apps, such as 1passwd on the mac or Roboform on Windows, will integrate with your browser and act like a set of bookmarks, jumping straight to the site with your secure login.

    Once you’ve generated unique passwords for each site, and stored them in the vault, that’s it. Hell, I don’t even know the usernames & passwords for most of the sites I frequent.

    The downside is that you’d better keep a backup, in case your computer crashes with the vault. Most vault apps work great from a USB thumbdrive, though. I keep mine on my keychain, along with a copy of firefox & a copy of putty that both run directly from USB, so I can have an encrypted ssh tunnel running back to my home computer for secure browsing, and use any login-required site that I want to, all without touching the hard disk on the computer I might happen to be using.

    Password vault apps I’m aware of:

    Roboform for Windows. (paid)
    PasswordSafe, multiplatform. (free)
    1Passwd for Mac. (paid)
    Lenovo ships one with the Thinkpad series laptops that interfaces with a fingerprint scanner & will allow for two-factor authentication with password + biometrics. (Free if you’ve got a Thinkpad)

  50. mmmsoap says:

    Love the idea in the article, but their example is terrible. Essentially what they’re saying is, instead of coming up with unique passwords, come up with a unique way to generate a password out of a simple word/phrase (i.e. the website name). That way you don’t memorize a long list, but instead a single operation that you apply to multiple things.

    My favorite method for creating passwords is to switch my keyboard layout. Since it’s pretty simple to set a keystroke combination to automatically switch back and forth, it’s easy to use on the fly. Then, I look down at the keyboard, and type my password, which comes out “garbled” on the other end.

    So, for my bank, my password is something simple like “mybank”. Once I switch the keyboard layout to Dvorak, however, it comes out as “mfxabt”.

    I can create a unique password for every website, and all I really need to remember is the technique and the website name.

  51. humphrmi says:

    line noise FTW

  52. GMFish says:

    Maybe it’s because I remember the patterns of phone numbers rather than the numbers themselves, but I’ll choose interesting patterns on the keyboard as passwords, which come out as being completely random.

  53. Quake 'n' Shake says:

    I just use “password.” It’s so diabolically clever, nobody would ever think of it!

  54. octopede says:

    I was doing something like this, but I realized that were anyone to crack my specific methodology (which was obscure but not difficult), they could use the underlying logic to get all my accounts. Now I use complex, patternless pwords for the important stuff; I keep an anonymous email account whose only function is to store these passwords with cryptic descriptors like ‘bank’ and ‘personal email’, should I forget them. After repetition, though, I’ve memorized the 4 most used, as complicated as they are…

  55. stanner says:

    I have my passwords tattooed under my eyelids. I thought that would be secure, but every time I go to sleep, someone logs into my iTunes account and buys a bunch of Clay Aiken stuff.

  56. mzs says:

    I just do a pattern on my keyboard for everything important. When I change it I change the pattern slightly. It was bad when I was in Hungary and the layout of the keyboard was different and I realized that I did not know what my password was. The thing itself gets incorporated into the pattern. Say you had a password to foobarbank.com, it would start fbb, so then a pattern may become fBbrGg4Tt, see how that works.

    This is a nicer approach to the phrase since so many places put requirements on the passwords that would make them so that I cannot remember them. If I sit and look at the keyboard and think about the thing I can always come up with a pattern that is memorable, related to the thing, and meets their requirements like 8 chars with symbols, numbers, and mixed case.

  57. cromartie says:

    Nonsense. Just use all asterisks. Works every time.

  58. deep.thought says:

    This isn’t good advice. Instead, go download a program called KeePass. You only have to remember one password to get into the encrypted database, which has all sorts of neat and effective ways to organize your login credentials, notes, web address, etc. More importantly, it has a random password generator that can be customized but automatically uses something like 27 characters, numbers, and symbols; that way you have a unique and virtually uncrackable password for every site, and you don’t have to remember any of them. For the few sites you need to access away from your computer, think of a long string that isn’t a word, and throw in a number/symbol here and there. Then change it every so often.

    • TechnoDestructo says:

      @deep.thought:

      Is this database stored on your computer or a remote site?

      While there may only be a few sites you NEED to access away from your computer, there can be a lot that you WANT to access.

  59. chrisjames says:

    You’re not much better off just appending numbers and letters to a reused string. Choosing a password from a remembered phrase like that is good, but each sensitive account should use a distinct phrase.

    Look up some security texts… or better, hop around the internet opening up fake accounts for a while. You’ll come across a few that won’t let you use your username as your password, but also some that won’t let you use your username as even part of your password. The reason is that dictionary attacks are easy to update. Even an inexperienced offender is likely to add your username to his word list, and once they know one password, they’ll add that to the word list too. Combining that with a very shallow brute force method would yield the Wells Fargo (wf) and Facebook (f) passwords above.

    My opinion is that if you have a hard time remembering random strings of numbers, letters, and symbols–and who doesn’t?–then you’re much better off creating a unique and possibly random password for every sensitive account and writing them all down. I figure I’d rather write down every password in one place, and worry over keeping that list of passwords as secure as possible. It’ll be far easier for me to keep track of it than to worry if the Crocheter’s Anonymous forums get hacked, and my password stolen, which may be the same as or include part of my bank password.

  60. quagmire0 says:

    Seriously, this is not a bad idea for most people. It sure beats the old ‘password on a post-it’ on the monitor, or using your first name and a 1. :)

  61. jst07 says:

    After my email got hacked to send out a bunch of spam to my address book and other emails (nothing else destructive, thank god), I went nuts on security. So far I’ve favored using RoboForm, which encrypts all my passwords with a master password. From there it generates all of my other passwords (12 char, uppers, lowers & numbers). I do most of my computing off my computer, but I also have it on a USB key to take with me and my cellphone if I need to reference a password somewhere. This method is also safe against keyloggers unless it manages to log my master password and snatch the encrypted files as well. I would HIGHLY recommend RoboForm.

  62. Syrus28 says:

    I do something similar. All my passwords are derived from song titles with combination of upper/lower case letters, with a 4-digit number at the end. I have all my song-derived passwords written down as song titles, with the 4 digit password the last 4 digits of a fake phone number.

  63. Corporate-Shill says:

    I was born in 19xx, when I was 5 my telephone number was 123-3456 and my kitty was named Abcd Efgh.

    When I was 10 I attended Bob Jones School and lived at 98765 Notmain St.

    Unless you KNOW me and really know me, you will not know each of these facts. And even if you know me, you still must know the combination of words and numbers I might use. At the same time these are easy things for me to remember.

    Mix and match fact sets and you have nice combinations of passwords

    9876AbcdEfgh3456 is an easy to remember 16 character number.

    BobJones19xx is a simple 12 character password.

  64. H3ion says:

    I use a mixture of two words, each in a language other than English (phonetic spelling), and the last four digits of a phone number I had some 40 years ago. Hey, it works for me.

  65. elislider says:

    For my more high-security sites (school, bank, personal email, PayPal) I use a random string of characters I made up and just memorized. For everything else I use a word plus respective-site-related addons.

  66. Chris Walters says:

    Wow, I didn’t know everyone would respond so much to this post. I personally use a base “word” that isn’t a real word, then apply numbers and characters to it based on the domain name. It was a bit convoluted at first, but now I can reconstruct the password fairly quickly, even for a domain I haven’t visited in a year or more. I made up a set of rules that allow for special characters, numbers, and capital letters, as well as special conditions to follow when a rule can’t be properly executed because of the site’s specific password requirements or when a password has to be changed frequently.

    It took a while to put it all together, but it was actually kind of fun to play around with. My only problem with it is my passwords right now are 8 characters long, and I’m thinking it’s time to come up with a new, more complicated set of rules to generate longer passwords.

    Is it wrong that I enjoy this so much? Because I do.

  67. DarkKnightShyamalan says:

    Amazing! I’ve got the same combination on my luggage!

  68. rte148 says:

    How about taking 2 of your most used passwords and combining them? I’ve used variants of a couple of passwords that I’ve used since 1985 with 100% success; according to my IT guys, what I currently use is as strong as you can get.

    Here’s an example: ibutps1985

    (I’ve been using this password since 1985)

  69. Aisley says:

    For a password I use a phone number and a code. The “almost impossible” is to find out whose phone number, in what country, and what type of code it is.

  70. Melissa Vilardo says:

    does anybody here use clipperz?

  71. CRCError1970 says:

    I use AI Roboform… It has a function that randomly generates a password for you… Then it remembers it for you as well. I end up with passwords like “2MkjqO60Y7lA72PP” and “9QDsS3vlFq109yC7”

  72. Jesse William Fuller says:

    I wish more sites had one time password systems like PayPal… I hear that WoW is adding an iPhone app that gives you an OTP so you don’t have to have all those little keys on your key chain. Some sort of universal OTP system for mobile phones would be awesome…

  73. David Schwartz says:

    The problem with this technique is that if one of your passwords is compromised, they all are. Worse, a focused attack is possible.

    If I want your FaceBook password, I tell you about this awesome new site (that I actually control). I get you to sign up for it, look at your password, deduce your rule, and now know your FaceBook password.

    So the tradeoff for this technique is that you must trust every site you use it on with your access to every other site you use it on.

    If you use this for electronic banking and PayPal and also for your gaming clan’s forum server and that new porn site’s free access offer, you are not a very smart person.
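
Comments 59 and 73 describe the same attack from two angles: one leaked password, or one password typed into a site the attacker controls, reveals the rule, and a tiny wordlist then covers every other site. As an added example for this page (not code from either commenter), the following infers the rule from a single (site, password) pair and regenerates candidates for a second site; the set of site fragments it tries and the unsalted SHA-256 standing in for the target site’s credential store are constructed assumptions, and the sample passwords are the ones from the article.

```python
import hashlib
from typing import Iterable


def sha256_hex(text: str) -> str:
    """Constructed stand-in for a leaked, unsalted credential store."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def site_tokens(site_name: str) -> set:
    """Site-derived fragments a scheme like the article's might splice in:
    initials of the site's words, the first 1-4 letters, or the whole name
    (an assumed list; real mangling rules would be longer)."""
    words = site_name.lower().split()
    joined = "".join(words)
    tokens = {"".join(w[0] for w in words), joined}
    tokens.update(joined[:n] for n in range(1, 5))
    return {t for t in tokens if t}


def infer_rules(site_name: str, leaked_password: str) -> list:
    """From one (site, password) pair, hypothesise how the site name was
    attached to a fixed base. Returns (position, base) pairs."""
    rules = []
    pw = leaked_password
    for tok in site_tokens(site_name):
        n = len(tok)
        if n < len(pw) and pw[:n].lower() == tok:
            rules.append(("prefix", pw[n:]))
        if n < len(pw) and pw[-n:].lower() == tok:
            rules.append(("suffix", pw[:-n]))
    return rules


def candidates(rules: Iterable, target_site: str) -> set:
    """Re-apply every inferred rule to the target site, trying the obvious
    capitalisations of the site fragment."""
    out = set()
    for position, base in rules:
        for tok in site_tokens(target_site):
            for variant in (tok, tok.upper(), tok.capitalize()):
                out.add(variant + base if position == "prefix" else base + variant)
    return out


def crack(target_hash_hex: str, rules: Iterable, target_site: str):
    """Try every candidate against the target hash; return the password or None."""
    for guess in sorted(candidates(rules, target_site)):
        if sha256_hex(guess) == target_hash_hex:
            return guess
    return None


if __name__ == "__main__":
    # Constructed scenario: the attacker runs (or breaches) a low-value site and
    # sees the password the victim chose there; the bank's stored hash is the target.
    leaked_site, leaked_pw = "Facebook", "fihwtmptr"
    bank_hash = sha256_hex("wfihwtmptr")
    rules = infer_rules(leaked_site, leaked_pw)
    print("hypotheses:      ", rules)
    print("candidates tried:", len(candidates(rules, "Wells Fargo")))
    print("recovered:       ", crack(bank_hash, rules, "Wells Fargo"))
```

Run stand-alone, the constructed scenario yields a single hypothesis and seventeen candidates, and recovers the Wells Fargo password on the first pass; an attacker using a real cracking tool would express the same thing as a handful of mangling rules over the leaked base, which is why the comments above insist that a pattern, however obscure, is not a substitute for independent passwords on the accounts that matter.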

  74. Thunderdome says:

    I go with a tiered approach.

    level 1 – easy and short pw for anonymous forum and blog posting accounts. It’s not the end of the world if someone guesses it.

    level 2 – same pw as level 1, but adds a few digits. Mainly used for logins that require digits.

    level 3 – a longer password for more personal information. Not as easy to guess. Also used for any site that just requires a longer password.

    level 4 – a wild and crazy pw for financial logins and similarly sensitive stuff. A combo of letters, numbers, symbols, and whispering.

    All in all, I have 4 passwords to remember.

  75. billlnv says:

    A strong password should contain numbers, symbols, upper and lower case letters. Never repeat any part of your username in the password. Also, make sure that your password is at least 8 characters long.

  76. Anonymous says:

    Use the serial number from a dollar bill, add special characters as you see fit. Keep the bill separate in your wallet until you’ve memorized the pwd. Once you’ve got it, spend the money.

  77. goodywitch says:

    Don’t forget to protect your password reset also. Test out what happens if you forget your password, create a fake ID and history for that person, and use that person’s info instead of your real info.

  78. TristaNuggler says:

    Hi,

    For this exact problem I have created an online password manager – a secure way to manage all the passwords without the need to remember much

    Check it out: http://paswd.appspot.com/

    Thank you,
    Adi

  79. David Rosado says:

    I love this idea. Consider doing things like putting the letters from the site name in different positions. Perhaps the F and B from facebook can surround your password, like fsob, or use the letters in an alternating pattern, like fsbo. Good stuff!

  80. Red Cat Linux says:

    I used to have one password that I changed little bits of, as the article suggests.

    The problem with passwords is not picking a good one that you will remember, it’s picking a good one that you can easily modify and meet password restrictions everywhere, AND you can still remember.

    One site will require you to use upper, lower, numeric and special characters in any combination and length. The next will do the same, but not these particular special characters. The next requires that the password not be longer than 8 characters.

    WTF. Bastages. Okay, here’s a different password. The next site only wants letters, is case sensitive, no numbers, and certainly nothing special. Okay… new password. The next site has a particular fetish about your user name, but doesn’t give a crap about your password, which it forces you to only use a 4 digit PIN for. Crap – okay, new user name and password for this one.

    So now, I have maybe 4 passwords that I use for personal accounts, not counting the 6 or 7 that I use for professional accounts. There are another 6 that I use for employee related accounts that my employer seems to sadistically enjoy forcing us to sign up for to get one tidbit of information or another.

    I now have a password keeper – the old school kind – a little notebook that I use to keep this stuff in. It goes with me everywhere.

    Why don’t I have an electronic password keeper? I did. I forgot the password to it. It wiped everything to protect me from myself.

  81. Norazi says:

    ive been doing this for years but never shared the technique with anyone since the more people that know and use the technique, the more vulnerable it becomes… Its kind of the same thing with firefox. I love and use firefox on all my machines but I don’t preach about it since the less people that use it, the less likely it will be targeted by hackers (the only reason IE is “less secure” is because more people use it so it is targeted by hackers more). It’s kind of a sort of elitism but hey this is the real world