Password system – how to remember all your passwords

Explaining the password system

Creating one secure password is easy, but does not solve the problem of remembering all your passwords.
Here is a system that lets you remember all your passwords without having to rely on a password manager.

The most fundamental challenge with passwords is to select a hard-to-crack password, but that is just one of many challenges. Here is a list that covers the most common ones.

  • Must be hard to crack using common password cracking techniques.
    The common advice here is to have a long password, and not a very common password like ”password”, ”password123”, your name or any regular word. A long password (~16 characters) takes thousands of years to crack with normal computer systems and is generally safe from brute-force password cracking.
  • Easy to remember.
    Don’t take a word and change every ”e” for a ”3” or similar. That is hard to remember. The common advice is to combine several common words, like ”correct horse battery staple”.
  • Don’t reuse passwords.
    Expect any single password to be compromised. There are several ways for a password to get compromised: a system can be broken into, you could be tricked into giving your password away, or someone could just read over your shoulder.
    If you use the same username (for example, your email address) and password in many different places, having one password compromised breaks all of them.
    If a system uses multifactor authentication, that helps. But not all places do. Therefore, don’t reuse passwords.
  • Keep up with password change requirements.
    Many system administrators require regular password changes, even though this has been shown not to improve security. As a user, you need to keep up with this.
  • Complexity requirements.
    Often, you are required to have upper- and lowercase letters, numbers and special characters. It is questionable whether this improves security.

The most common advice regarding passwords is to use a long password, but that only helps with the first problem, not the full problem of maintaining all your passwords.

The second common piece of advice is to use a password manager. That is a solution that addresses most of the problems, but it also creates a security problem. Can you really trust that the password manager stores your passwords securely? And are you OK with being reliant on your password manager to be able to log in?

The non-obvious solution here is to not remember passwords at all, but instead to remember how your passwords are constructed.

Here is how you can do that.

Example 1
Assume that your password for your Twitter account is ”.$CorHorBatStaTwEr01”.
This is a password constructed with an easy-to-remember algorithm:

.$ + CorHorBatSta + TwEr + 01

.$ : These are special characters; their purpose is to fulfil complexity requirements.

CorHorBatSta : These are the first three letters of every word in the easy-to-remember word sequence ”correct horse battery staple”. The main purpose of this part of the password is to provide an easy-to-remember and difficult-to-crack base for every password. The uppercase letters also satisfy some complexity requirements.

TwEr : This is the site-specific part of the password. TwEr is the first two and last two letters of Twitter. For Facebook, that would be ”FaOk”, and ”GoLe” for Google.

01 : This is a sequence number. Just increase it when a site requires a password update. Make sure to update the sequence number everywhere, so that you don’t need to keep track of several sequence numbers. You don’t need to start at 01, and you don’t have to use numbers; you can also use letters as the sequence number.

With this method, your Twitter password is ”.$CorHorBatStaTwEr01”, your Facebook password is ”.$CorHorBatStaFaOk01” and your Google password is ”.$CorHorBatStaGoLe01”. The password is uncrackable with common brute-force technology and

Example 2

Here is another example with another algorithm.

Assume that your password for your Twitter account is ”twer!flowerbee64AA”.

twer : This is the site-specific part of the password. twer is the first two and last two letters of Twitter. For Facebook, that would be ”faok”, and ”gole” for Google.

! : This is a special character; its purpose is to fulfil complexity requirements.

flowerbee64 : This is the easy-to-remember password base. Maybe you were born in 1964 and envision yourself as a bee, visiting multiple flowers? The numbers also fulfil complexity requirements.

AA : This is the sequence number. If your passwords need to change, update it to AB. Being uppercase, this also fulfils complexity requirements.

Your corresponding Facebook and Google passwords would be ”faok!flowerbee64AA” and ”gole!flowerbee64AA”.
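As an added example that is not part of the original article, the following Python implements the construction rules of Example 1 and Example 2 (site abbreviation, base, sequence number), advances the sequence number the way the text describes, and checks the result against typical complexity requirements. The function names and the 16-character minimum length are assumptions.

```python
import string

# Added example: implements the password construction rules described in the article.
# Function names and the 16-character minimum length are assumptions, not from the article.

def site_part(site: str, camel: bool = True) -> str:
    """First two + last two letters of the site name: Twitter -> 'TwEr' (camel) or 'twer'."""
    name = site.strip()
    head, tail = name[:2], name[-2:]
    if camel:
        return head.capitalize() + tail.capitalize()
    return (head + tail).lower()

def abbreviate_words(phrase: str, n: int = 3) -> str:
    """Example 1 base: first n letters of each word, capitalised -> 'CorHorBatSta'."""
    return "".join(word[:n].capitalize() for word in phrase.split())

def example1_password(site: str, seq: str) -> str:
    """Example 1: special chars + abbreviated passphrase + site part + sequence number."""
    return ".$" + abbreviate_words("correct horse battery staple") + site_part(site) + seq

def example2_password(site: str, seq: str) -> str:
    """Example 2: lowercase site part + '!' + memorable base + letter sequence."""
    return site_part(site, camel=False) + "!" + "flowerbee64" + seq

def next_sequence(seq: str) -> str:
    """Advance the sequence number on a forced change: '01' -> '02', 'AA' -> 'AB', 'AZ' -> 'BA'."""
    if seq.isdigit():
        return str(int(seq) + 1).zfill(len(seq))
    chars = list(seq.upper())
    for i in range(len(chars) - 1, -1, -1):
        if chars[i] != "Z":
            chars[i] = chr(ord(chars[i]) + 1)
            return "".join(chars)
        chars[i] = "A"           # carry into the next position to the left
    return "A" + "".join(chars)  # all Z's: grow by one letter

def meets_complexity(password: str, min_len: int = 16) -> bool:
    """Typical complexity rules: minimum length, lower, upper, digit and special character."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

if __name__ == "__main__":
    for site in ("Twitter", "Facebook", "Google"):
        pw1, pw2 = example1_password(site, "01"), example2_password(site, "AA")
        print(site, pw1, meets_complexity(pw1), pw2, meets_complexity(pw2))
```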

Other password management tips

  • Always use multifactor authentication or two-factor authentication (2FA) when possible. Google’s authenticator (Play Store, App Store) has some vulnerabilities but is easy to use and can hold the same accounts on multiple devices. Do you have multiple phones and/or tablets? Put the authenticator on both and export the accounts. This raises security a lot over just a password and is still very convenient.
  • Keep your most important accounts and passwords written down, and make sure someone you really trust can access them. Something could happen to you that requires help.