With the Internet collectively freaking out about the Heartbleed bug (a major Internet-wide security hole that could mean various passwords and other information have been nabbed off of “secure” servers) this week, I thought I’d share a password system I use to have a unique password per site / account that I can easily remember:
- Pick a base. This is what most people think of as their one password to use for everything. Say mine’s “dogemanguy”.
- Make it better. You should include numbers, symbols, and upper case letters in your password, and not use dictionary words. So my “dogemanguy” password can become “D0g3M4nG0i!!” (those 0’s are zeros, not upper-case O’s). This password should pretty much max out any “how good’s your password?” test.
- The important part — mix it up per site. So here’s the trick I’m talking about, and why I’m personally not worried about the Heartbleed bug. Take the name of the site you’re creating the password for, and intersperse the letters of that name into your base from step 2. So if my step 2 base is “D0g3M4nG0i!!” and I’m making a password for “Facebook”, I would take the first letter of each, then the second letter of each, and so on, and get “DF0agc3eMb4onoGk0i!!”. Again, that’s comprised of every other letter of each: “D0g3M4nG0i!!” supplies the 1st, 3rd, 5th… characters and “Facebook” supplies the 2nd, 4th, 6th…, and once the shorter one runs out, the rest of the longer one (“0i!!” here) just follows on the end.
- One step further: Don’t literally use the site name. The big shortcoming of step 3 is that, if someone gets your (for example) Facebook password and notices the phrase “Facebook” sprawled throughout it, they could figure out the system and guess that you might have “Gmail” sprawled through that service’s password (especially if this method becomes more common). One solution here is to have a system where you keep a list of matches, like “Facebook -> Mom’s maiden name,” and then you use that matched term as the phrase you’re interspersing into your base password, rather than literally “Facebook” (or whichever site name). The big important note if you’re going to keep a master list somewhere is to never ever write down your passwords ever, or even parts of them. The point of this whole system is that your brain is the cipher and only you should be able to untangle the mess of your new passwords. That’s why I write “Mom’s maiden name” rather than (for example) “TheAwesome”. So if I forgot my Facebook password, I would look at my matches list, see that Facebook is matched with mom’s maiden name, know in my brain that it’s “TheAwesome”, and end up with the final, ridiculous, and ridiculously secure password “DT0hge3AMw4ensGo0mie!!” (“D0g3M4nG0i!!” interspersed with “TheAwesome”).
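To make the rule in steps 3 and 4 unambiguous, here is the interspersing written out as code. This is an added example, not something from the original post; the only assumption is that when the base and the site term have different lengths, whatever is left of the longer one is appended unchanged, which is what the author’s own examples do. The `odd_characters` check shows why step 4 matters: with the literal site name, it reads straight back out of the password.

```python
"""Interspersing a base password with a per-site term (steps 3 and 4).

Added example, not the post author's code. Assumption (mine): once the
shorter string runs out, the remainder of the longer one is appended as-is.
The strings below are the post's own worked examples, not real credentials.
"""
from __future__ import annotations

from itertools import zip_longest


def intersperse(base: str, term: str) -> str:
    """Alternate characters of `base` and `term`, base character first.

    zip_longest pads the shorter string with "", so leftover characters of
    the longer one are appended in order (e.g. the trailing "0i!!").
    """
    return "".join(b + t for b, t in zip_longest(base, term, fillvalue=""))


def site_password(base: str, site: str, matches: dict[str, str]) -> str:
    """Step 4: intersperse the term matched to `site` rather than the site
    name itself. Falls back to the literal site name (step 3) when the site
    has no entry in the matches list."""
    return intersperse(base, matches.get(site, site))


def odd_characters(password: str) -> str:
    """Defender's check behind step 4: the 2nd, 4th, 6th... characters of a
    password built this way are the inserted term followed by base leftovers,
    so a literal site name is visible to anyone who spots the pattern."""
    return password[1::2]


if __name__ == "__main__":
    base = "D0g3M4nG0i!!"
    # Constructed matches list: site -> the *hint* the author would write down.
    # The hint is resolved in your head; the resolved term never gets stored.
    hints = {"Facebook": "Mom's maiden name"}
    resolved = {"Mom's maiden name": "TheAwesome"}  # lives only in your head
    matches = {site: resolved[hint] for site, hint in hints.items()}

    step3 = intersperse(base, "Facebook")
    step4 = site_password(base, "Facebook", matches)
    print(step3, "->", odd_characters(step3))  # site name readable
    print(step4, "->", odd_characters(step4))  # matched term instead
```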
You end up with a password that you can “easily” remember or reconstruct using these rules, looks like total gibberish, is likely completely unique in this website’s passwords database (protecting you from hacker methods like using a Rainbow Table to reverse-engineer your password if it’s based on common words), and moreover is completely unique in your password repertoire, so if somebody gets your Facebook password, they only have your Facebook password. Much better than using one password for everything.
This solution comes down firmly (but not absurdly so) on the security side of the security-vs-convenience spectrum. Yes, it’s a lot more complicated than just having a single easy-to-remember word that you use as your password for every site, but it’s also much, much more secure. At the end of the day, especially this week, I’m very happy to be on the secure side of the spectrum.
One thought on “Write really good passwords; avoid the collective security freakout”
Thanks for all the great tips, Jono! I think #4 is a particularly good idea, as it’s tempting to just use the name of the site in your password when using this method. Will put these to use myself 🙂