By Matthew Canning, Become Better at Everything Founder
When it comes to passwords, there’s a delicate balance between security and sanity.
Most of us have created dozens—if not hundreds—of passwords. Even if you don’t need to remember them all (tools exist for securely managing your passwords or allowing access to many different sites with a single master password), you should have a unique password for each website or app you use. Otherwise, if someone were to gain access to one of your passwords—even for something unimportant—they’d then have access to important things like email and banking sites. So how do you create hundreds of unique passwords without losing track of them all?
One option is to use a two-part algorithm.
Part 1: The Constant
First, come up with a personal “constant” that remains the same for all your passwords. For example, you could choose a specific word, like “Desmond,” the name of your first dog (rest in peace, homey). You can follow this up with a set date, like “0421,” your mother’s birthday (try to remember it this year). You end up with a constant of “Desmond0421.” You can then begin or end every password with this. For the sake of this post, we’ll begin with the constant.
Part 2: A Unique Key
Next, to make each password unique to a specific site or app, add a “unique key.”
Let’s start with a basic example: You can begin your key with the first three letters of the website or app’s title (capitalized). For example, you can use “GOO” for Google.com; “SOV” for Sovereignbank.com; and “AMA” for Amazon.com. By including this unique key, these examples would result in, respectively: “Desmond0421GOO,” “Desmond0421SOV,” and “Desmond0421AMA.”
So far, so good. You’ll always remember your constant, and by following the same system for the final three characters, you’ll create passwords that are both unique to each site and easy for you to figure out.
However, should a crafty criminal get his hands on your Google password, he may be able to guess your system from “GOO” and then try “SOV” on Sovereign’s site. Bad news. Beef up the security by doing something more interesting with the unique key. For example, you can decrement each letter by one: “B” would become “A,” “C” would become “B,” etc. You can’t decrement the letter “A,” so any “A”s will either have to remain untouched or turn to “Z”s.
Instead of using the first three letters of the site title as mentioned, you can use the last three letters or decrement the first letter by two and the final letter by one. You can place the title letters in the middle of the constant. You can include the number of characters in the domain name, divided by two and rounded up to the nearest whole number. You get the idea. Come up with an algorithm of your own—something a bit more clever than what’s described above. My personal algorithm is far more complex than what is described here, but realistically, a little caution and obfuscation can go a long way. Whatever you end up doing, make sure that the algorithm is:
- Simple enough for you to remember, but
- Complex enough that if someone were to stumble upon two of your passwords, they should still be unable to figure your system out (though they may note the presence of the constant in both cases).
If implemented properly, you shouldn’t need to remember any individual passwords—just the method by which you figure them out.
Some Quick Notes
Before wrapping up, let’s touch upon a few small details.
By beginning your constant with a capital letter, making it longer than eight characters, and having it contain both letters and numbers, you cover most common password requirements. For special cases—like systems that require passwords to contain a specific number of characters—I’d suggest keeping a file somewhere that tracks this information in a way that only makes sense to you. Write yourself a coded note that tips you off about the nature of the password rules. That way, if you enter a password that should be correct but are denied access, you can quickly look the site up and know what to do.
For instance, let’s say your password for MattsMusicBlog.com needs to be sixteen characters in length, and your normal algorithm produces twelve. Your file can contain the line, “mattsmusicblog.com +4 g.” This lets you find the site by searching the document and then tells you that you want to add four “g”s to the end of your normal algorithm-derived password to fill in the four additional required characters. If it says “mattsmusicblog.com only 7,” you know to enter only the first seven characters of your algorithm-derived password.
This file can help in other ways; while some systems allow you to create a username (like MikeJones1001 or PandaFan646), others force you to use an email address to sign in. This file can have information about the nature of the username or email address without explicitly naming it. “mattsmusicblog.com mj” could remind you to use your MikeJones1001 username for MattsMusicBlog.com and “newegg.com @g” could remind you to use your Gmail email address for Newegg.com.
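As an added illustration (my own sketch, not code from the post), here is the two-part scheme in Python: the constant, the three-letter key with the “decrement each letter” twist, the optional domain-length digit, and the “+N x” / “only N” notes from the rule file. The function names, the regex for the note lines, and the reading of “domain name” as the label before the first dot are my assumptions.

```python
import math
import re

CONSTANT = "Desmond0421"  # the post's example constant

# A rule-file line: "mattsmusicblog.com +4 g" or "mattsmusicblog.com only 7"
NOTE_RE = re.compile(r"^\S+\s+(?:\+(?P<n>\d+)\s+(?P<pad>\S)|only\s+(?P<k>\d+))$")


def unique_key(site: str, shift: int = 1, wrap_a: bool = True) -> str:
    """First three letters of the site name, capitalised, each moved back
    `shift` places; with shift=1 an 'A' wraps to 'Z' or stays, as the post allows."""
    key = []
    for c in [c for c in site.upper() if c.isalpha()][:3]:
        pos = ord(c) - ord("A") - shift
        if pos < 0:                      # ran off the front of the alphabet
            pos = pos % 26 if wrap_a else 0
        key.append(chr(ord("A") + pos))
    return "".join(key)


def length_digit(site: str) -> str:
    """The post's optional extra: characters in the domain name, halved and
    rounded up. Assumption: 'domain name' is the label before the first dot."""
    return str(math.ceil(len(site.split(".")[0]) / 2))


def derive_password(site: str, constant: str = CONSTANT, shift: int = 1,
                    wrap_a: bool = True, with_length: bool = False) -> str:
    """Constant first, then the unique key (the order the post settles on)."""
    pw = constant + unique_key(site, shift, wrap_a)
    return pw + length_digit(site) if with_length else pw


def apply_note(password: str, note: str) -> str:
    """Apply a rule-file note: '+N x' appends N copies of x, 'only N' keeps
    the first N characters of the derived password."""
    m = NOTE_RE.match(note.strip())
    if not m:
        raise ValueError(f"unrecognised note: {note!r}")
    if m.group("n"):
        return password + m.group("pad") * int(m.group("n"))
    return password[: int(m.group("k"))]


if __name__ == "__main__":
    for site in ("google.com", "sovereignbank.com", "amazon.com"):
        print(site, derive_password(site, shift=0), "->", derive_password(site))
```

Running it prints the post's three plain keys beside their decremented forms; `apply_note(derive_password("mattsmusicblog.com"), "mattsmusicblog.com +4 g")` shows the padding note in action.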
On-Demand Swapping vs. Password Day
Once you’ve settled on a new algorithm, you have a few choices:
- You can simply change your passwords as you find yourself logging into services over time, or
- Sit down, try to figure out every service you use, and spend a day listening to your favorite tunes and changing all your passwords.
The latter may be a bit tedious, but you may find that it pays off in the long run. Good luck and happy passwording.