
Almost never forget your passwords again


I absolutely hated creating new accounts on websites and apps. Why? Passwords! If you don't share my contempt, you are doing something seriously wrong.

What’s wrong with using the same password everywhere?

If you use the same password on as many sites as possible, you are committing the ultimate sin and you will pay the price for it, my friend. Imagine using the same key for your bicycle lock, shed, house, car, vacation home and luggage. Now hand copies of that one key to several strangers. The valet you gave your car key to can copy it and walk into your house. Lose one key and you have to replace or re-key every one of those locks. If you still want to use one password everywhere, stop reading right now, close your eyes and bury your head in the sand.

What about password managers?

Ok, so you are still reading. If you don't use one password, how in the world will you remember all those unique passwords, you ask. Many experts advise using a password manager, an app that creates and remembers a strong, unique password for every site and app you use. You only have to remember the one master password for the manager, and it fills in the login forms for you with the correct password for the site you are visiting.

Although a password manager is a better choice than the same password everywhere, this advice has its own perils. It is like putting all of your keys in a safe and carrying the safe key with you. First, if the master password for the manager is compromised, you are doomed. Second, it is inconvenient when the manager is not installed on the device you happen to be using. If you are tricked into typing the master password into a phishing page, or malware on your system records your keystrokes, you won't know until it is too late: every account kept in the manager is compromised at once.

A better solution?

I think there is a better solution than a password manager: a password-making strategy that takes the first 4 letters of the website or app name and mixes them with 6 secret letters of your choosing, a digit and a couple of special symbols. The same secret letters, digit and symbols are reused for all of your online accounts. The strategy has to be a little more involved than plain concatenation so that the pattern is not obvious. If you are knowledgeable in security you have probably already dismissed this approach as naive and insecure. I urge you to stick with me and analyze the strategy carefully. I know what I am talking about.

The scenario I am protecting you against is this: one of the websites you had an account on had sloppy security practices and got hacked, so the attacker now knows your actual password for that site. The attacker can then try the same password on other websites, using your email address as the username (this is known as credential stuffing).

If you trust me (which you shouldn't), skip the following paragraph of technical explanation.

Use a password derivation strategy based on the website's name

If the attacker knows you are using letters from the website name, those letters add nothing to the cost of cracking the password. The key is not to use the letters of the website name directly but to transform them, so that it is hard for the attacker to work out which characters of a leaked password were derived from the site name and how. That way, knowing your password for the compromised website does not let the attacker guess your password for another one. In addition to the 4 website-derived letters, mix in at least 9 other secret letters, digits and special characters. These 9 secret characters provide the security if the attacker is cracking password hashes and already knows the strategy you use for the website letters. Make sure they are not a dictionary word or an obvious sequence. One caveat: this reasoning assumes that only a single password has leaked. An attacker who obtains two of your passwords from different breaches can line them up; the positions that differ are the site-derived characters and everything else is your fixed secret part, which reduces the transformation to a small puzzle.

Good Password Derivation Strategy Example


The strategy given here is only an example. It is best to come up with your own unique strategy.

Website: Amazon.com

Derivation strategy for the name-derived letters: take the first 4 letters of the name and replace each with the letter that follows it in the alphabet (z wraps around to a).

Name-derived letters: bnba

Strategy to derive the secret letters: the first letter of every word of a phrase, line of dialogue, quote or line of poetry you have chosen. For example, "Miles to go before I sleep" gives "mtgbis". Capitalize one letter of your choosing.

Secret letters: mtgbiS

Secret digit: 3 (Tip: if you are ever forced to change a password and the site will not accept a previous one, move to the next digit after your secret digit for the new password. After 9 you can continue with 10, 11, 12 and so on.)

Secret symbols: ! and _ (Tip: choose special symbols from "~!@#$^*()-_=+[]{},.?" rather than from "`'"/|<>&%", because some websites disallow characters that have a special meaning in HTML, URLs or shells.)

Mixing strategy: alternately take one letter from the secret letters and one from the name-derived letters, starting with a secret letter. Once the name-derived letters are used up, alternate the remaining secret letters with the special symbols, then put the secret digit at the end.

Final password: mbtngbbai!S_3

WARNING: DO NOT USE ABOVE PASSWORD BECAUSE HACKERS MIGHT READ THIS BLOG POST AS WELL.
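The following is an added worked example, not code from the original post: it implements the good strategy above step by step (name letters, alphabet shift, phrase initials, the alternating mix and the trailing digit) and reproduces the Amazon.com password shown above. It also carries the argument of the technical paragraph one step further by deriving a second password for another site and showing what an attacker who holds both leaked passwords can read off by lining them up. The function names, the second site and the short-name example are choices made for this illustration.

```python
"""Worked example of the derived-password strategy described on this page.

Added illustration, not the author's own code. Function names, the extra
sample sites (Google.com, hp.com) and compare_leaks() are assumptions made
for this example.
"""
import string

ALPHABET = string.ascii_lowercase


def site_letters(site: str, count: int = 4) -> str:
    """First `count` letters of the site name: lowercased, the part before the
    first dot only, digits and punctuation dropped. A name with fewer letters
    simply yields fewer (the FAQ's answer for names shorter than 4 letters)."""
    label = site.lower().split(".")[0]
    letters = [c for c in label if c in ALPHABET]
    return "".join(letters[:count])


def shift_letters(letters: str, by: int = 1) -> str:
    """Replace each letter with the one `by` places later in the alphabet,
    wrapping z back to a, so "amaz" becomes "bnba"."""
    return "".join(ALPHABET[(ALPHABET.index(c) + by) % 26] for c in letters)


def secret_letters(phrase: str, capitalize_index: int = -1) -> str:
    """First letter of every word of the chosen phrase, one of them capitalized."""
    initials = [w[0].lower() for w in phrase.split() if w[0].isalpha()]
    initials[capitalize_index] = initials[capitalize_index].upper()
    return "".join(initials)


def mix(secret: str, derived: str, symbols: str, digit: int) -> str:
    """Alternate secret letters with the name-derived letters; once those run
    out, alternate the remaining secret letters with the symbols; finish with
    the digit. Any fillers left over after the secret letters are appended."""
    out = []
    fillers = list(derived) + list(symbols)
    for i, s in enumerate(secret):
        out.append(s)
        if i < len(fillers):
            out.append(fillers[i])
    out.extend(fillers[len(secret):])
    out.append(str(digit))
    return "".join(out)


def derive_password(site: str, secret: str, digit: int, symbols: str = "!_") -> str:
    """The whole strategy: site name -> 4 shifted letters -> mixed with the
    secret letters, symbols and digit."""
    return mix(secret, shift_letters(site_letters(site)), symbols, digit)


def compare_leaks(pw_a: str, pw_b: str):
    """What an attacker learns from two leaked passwords of equal length built
    with the same strategy: positions that differ must be site-derived, and the
    characters that agree are the fixed secret part, in order."""
    if len(pw_a) != len(pw_b):
        raise ValueError("passwords must have the same length to line up")
    pairs = list(zip(pw_a, pw_b))
    fixed = "".join(a for a, b in pairs if a == b)
    site_positions = [i for i, (a, b) in enumerate(pairs) if a != b]
    return fixed, site_positions


if __name__ == "__main__":
    secret = secret_letters("Miles to go before I sleep")   # "mtgbiS"
    amazon = derive_password("Amazon.com", secret, 3)        # "mbtngbbai!S_3"
    google = derive_password("Google.com", secret, 3)        # "mhtpgpbhi!S_3"
    print("Amazon:", amazon)
    print("Google:", google)
    print("hp.com:", derive_password("hp.com", secret, 3))   # short-name case
    fixed, positions = compare_leaks(amazon, google)
    print("attacker sees fixed part", fixed, "and site-derived positions", positions)
```

Running the script prints the Amazon.com password from the example above, and the last line shows that two leaked passwords expose the secret part ("mtgbi!S_3") together with the four positions that vary per site, which is exactly why the strategy's guarantee holds for a single leak but not for two.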

Bad Password Strategy

Note: the following strategy is shown here as a bad example. Don't use strategies like this that rely on personal information or are very simple.

Website: Amazon.com

Derivation strategy for the name-derived letters: take the first 4 letters and leave them as they are. WARNING: DON'T USE THIS STRATEGY BECAUSE IT IS TOO SIMPLE.

Name derived letters: amaz

Strategy to derive the secret letters: the first letter of each of your kids' names, e.g. "cvd", with the letter for your oldest child capitalized. WARNING: DON'T USE THIS STRATEGY BECAUSE IT USES PERSONAL INFORMATION.

Secret letters: Cvd

Secret digit: 3

Secret symbol: % (WARNING: DON'T USE THIS STRATEGY SINCE THE % CHARACTER MIGHT NOT BE ALLOWED ON SOME SITES.)

Mixing strategy: put the name-derived letters together at the beginning, then the secret letters, then the secret digit and the secret symbol. (WARNING: DON'T USE THIS STRATEGY SINCE IT IS TOO SIMPLE.)

Final password: amazCvd3%

Is it worth it?

The good strategy above might look complex, and you might wonder whether it is worth the effort. I think it is definitely worth spending 15 minutes to come up with your own password strategy, since it will save you a lot of time resetting forgotten passwords. It will also keep your online accounts more secure.

As a bonus, it gives your brain cells a workout.

I have been using derived passwords for a long time and haven't been hacked so far. It just takes a few days of practice and then your brain does it without breaking a sweat.

FAQ

(To be honest, nobody has ever asked me these questions, so maybe this section should be called NAQ instead of FAQ.)

What if I run into a website which doesn’t allow my chosen symbol?

Sooner or later you will run into such a website, and then you will have to substitute that symbol with a digit or letter of your choosing. This complicates things, since you have to remember that this particular website does not allow the symbol and which substitute you used.

What if I run into a website which doesn’t allow more than 11 or 12 characters?

For some unthinkable reason, you will occasionally run into a website that limits the password length to a number as low as 10, 11 or 12. Avoid those websites if you can; they are a disgrace. If you absolutely have to use one, drop one special symbol or shorten your secret letters from 6 to 5. In theory this reduces the security of your strategy a little; in practice it makes little difference.

What if I have to change my password so many times on different websites that I cannot easily keep track, on which website I used which digit for the current password.

Hmmm. You got me there. That is the biggest drawback of this strategy: you have to remember which sequence digit is in use for each site's current password. If you want, keep a list on your phone of which website uses which sequence number; it is of little use to anyone but you. In addition, change your password strategy every year and migrate all existing passwords to the new strategy. That way you will not run out of increments, and it provides additional security.

What if the website name itself is less than four characters long?

In that case, just use the 3 letters the website name has and skip the fourth.
