My buddy Christian recently asked me about my personal password creation algorithm, which is something I’ve mentioned a few times (including once or twice at a Refresh Austin meeting). After doing a quick walk through with Christian over IM, it seemed appropriate for me to write it up in a more legible format so others can benefit.
It all comes down to this: you want a memorable, but complex password to use on the Web. Ideally it isn’t the same on every site you access to ensure that one compromised Web site doesn’t leave every one of your other accounts open to nefarious evildoers.
Short & Sweet
This post is longer than I anticipated, so here’s the bit-sized version.
- Start with a memorable phrase.
- Strip spaces, substitute a few characters (‘e’ becomes 3) and play with letter case. You will use this base to create the same foundation for each site’s password.
- Use part of the domain to modify the base, creating a unique password. This example uses the first and last letter from www.amazon.com. Ignore subdomains (‘www’) altogether. Every site will use this same pattern (first and last letter, no subdomain) to fill out it’s password.
- Add some complexity. In this case we add a number (’22’) and a dash at the beginning and a question mark at the end. This becomes a part of the base for all passwords, just like the initial phrase.
- Examples from different domains: www.microsoft.com, www.facebook.com and store.apple.com.
I recommend you read the full post as I give other examples and provide a couple of usage tips throughout.
There are a few simple steps to achieve these goals.
Start With a Phrase
For this first example, we’ll use the title of a seminal jazz album, Miles Davis’ “Kind of Blue“.
Formatting and Substitutions
Let’s begin by removing the the spaces as most login systems won’t accept them in your passwords. We now have
KindofBlue. Next, we’ll do some simple substitutions of numbers for letters (the capital “O” in “of” becomes a zero and the ‘e’ in “Blue” becomes a three) and play with capitalization, which results in
kind0fBlu3. This isn’t that complex, and the number-for-letter substitutions is easily recognized (and broken), but it should be easy for you to remember.
Making it Unique per Site
This is where it gets more interesting and more secure – we’re going to take a bit of the Web site to use in our password. In this example, let’s take the first letter and last letters of the domain and insert ‘em at the beginning and the end of our password. So for www.amazon.com the password is
akind0fBlu3n. For the Apple Store (http://store.apple.com/us) it is
akind0fBlu3e. You’ll notice that while they are similar (the only difference is the last letter), they are different, so if someone learns your Amazon password, they can’t get into your Apple account unless they deduce the overall pattern.
You should only use the main part of the URL (amazon.com, apple.com). Ignore subdomains (“www.”, “store.”) as you will likely only have one account on a domain, but the domain may have several subdomains. This keeps life much more simple for you.
Rounding it Off
I like to add a couple of extra touches to make my password a bit more complex and to make it more difficult for someone to recognize that there could be a human-readable pattern. Continuing with our example, we’ll add a number (22) and a dash at the beginning and a question mark at the end, which generates
22-akind0fBlu3n? for Amazon. These latest additions don’t change from domain to domain, so you don’t need to memorize a bunch of different patterns. For example, the password for Microsoft’s site would be
A note: Some login systems don’t allow punctuation, so it’s handy to stick it at the end or at a specific spot. For a domain that won’t let me use the dash or question mark, I know to delete the third character and the last character of my normal pattern resulting in
22akind0fBlu3n for Amazon.
The sample I used above is pretty simple, and easy to recognize as a word or phrase. A better pattern would be to use a sentence or phrase and take the first few letters of each word as your base and/or shortening words. Sticking to our musical theme, here are a couple of ideas:
“Dance Me to the End of Love” by Leonard Cohen
We could take the first two letters of each word:
dametothenoflo which with some substitution and additions becomes
9+adam3tothenofl0n! for Amazon and
9+mdam3tothenofl0t! for Microsoft.
“Little Red Corvette” by Prince
We can get a bit more creative here and substitute “Lil” for “Little” and only use the first three letters of “Corvette”:
LilRedCor. As before, finishing out the pattern could result in
00=aLilredcorn! for Amazon.
Of course you don’t have to choose the first and last letters from the domain, you could choose the second and third (assuming the domain is longer than two letters) or you could take the first letter and put it at the end and take the last letter and put it at the beginning.
A Couple of Notes
I didn’t come up with the idea, and I no longer recall where I first learned of it, so while I have adopted it wholeheartedly, someone smarter than me deserves credit for it.
This is not foolproof and I am not a security expert. Following this pattern means your password is not truly random and someone who has access to your account on one system and is clever enough, could determine how it works and get into other systems. That said, it is at least more secure than not using a system like this.
I recommend creating and using a few of these patterns to reduce the risk that breaking one will allow somebody to access every account you have on the Web. For truly important sites (your bank account, anywhere that stores your credit card numbers), you should go with a random password generator paired with a secure password manager, like my personal favorite 1Password (Mac only, I’m afraid).
So, how can we improve this practice and how do we ensure that this is something that non-technical people can use to be a bit safer online?