
The Problem

We’ve all heard the warnings that we should use a strong password to prevent others from guessing our password, and that we should use a different password for every account we have.

A strong password is simply one that meets a set of requirements, such as being at least X characters long and including numbers, lowercase letters, uppercase letters and/or symbols. Many websites and services require that a strong password be used.

If you don’t use a strong password, it’s likely that your password can be brute-forced almost instantly. You can check how long your passwords would take to crack at howsecureismypassword.net.

If you do use a strong password, it’s very likely that you use the same strong password (or set of strong passwords) for all of the services you use, simply because remembering lots of passwords, and which one belongs to which service, is hard. This is very bad practice though: if somebody gets your password, they can access all of your services. There are many ways for somebody to get your password, from simply guessing it to software vulnerabilities like the Heartbleed bug, so you should always try to use a unique password for each service.

The Solution

My super smart coworker Nathan Storms posted a very short blog about his solution to this problem, which I’ll repeat and expand on here.

The basic idea is that instead of remembering a whole bunch of crazy passwords, you calculate them using an algorithm/formula. So instead of using one password for all of your accounts, you use one formula to generate all of your passwords. That means instead of remembering a password, you just remember a formula. The formula can be as simple or complex as you like. Like most people, I prefer a simple one, but you don’t want it to be so simple that it’s easy for another person to guess if they get hold of one or two of your passwords.

The key to creating a unique password for each service that you use is to include part of the service’s name in your formula, such as the company name or website domain name.

The key to creating a strong password is to use a common strong phrase (or “salt” in security-speak) in all of your generated passwords.

The last piece to consider is that you want your salt + formula to generate a password that is neither too short nor too long. Longer passwords are always more secure, but many services have different minimum and maximum length requirements, so I find that aiming for about 12 characters satisfies most services while still generating a nice strong password.

Examples

So the things we need are:

  1. The service you are using. Let’s say you are creating an account at Google.com, so the service name is Google.
  2. A strong salt phrase. Let’s use: 1Qaz! (notice it includes a number, small letter, capital letter, and symbol)

A Too Simple Formula Example

A simple formula might be to simply combine the first 3 characters of the service name with our salt, so we get: Goo1Qaz!

That’s not bad, but howsecureismypassword.net tells us that it can be cracked within 3 days, which isn’t that great. We could simply make our salt a bit longer, such as 1Qaz!23>, which would make our password Goo1Qaz!23>. This puts our password at 11 characters and takes up to 50 thousand years to brute force, which is much better. Longer, stronger salts are always better.

There’s still a problem with this formula though; it’s too simple. To illustrate the point, for Yahoo.com the calculated password would be Yah1Qaz!23>. Now, if somebody got ahold of these two passwords and knew which services they were for, how long do you think it would take them to figure out your formula and be able to calculate all of your passwords? Probably not very long at all.

Better Formula Examples

The problem with the formula above is that it’s easy for a human to recognize the pattern of how we use the service name; we just took the first 3 letters. Some better alternatives would be:

Service name rule (applied to Google) [applied to StackOverflow] | Google password | StackOverflow password
--- | --- | ---
Use last 3 letters backwards (elgooG) [wolfrevOkcatS] | elg1Qaz!23> | wol1Qaz!23>
Use every 2nd letter, max 4 letters (Google) [StackOverflow] | oge1Qaz!23> | tcOe1Qaz!23>
Use next letter of first 3 letters (G + 1 = H, o + 1 = p) [S + 1 = T, t + 1 = u, a + 1 = b] | Hpp1Qaz!23> | Tub1Qaz!23>
Use number of vowels and total length (3 vowels, length of 6) [4 vowels, length of 13] | 361Qaz!23> | 4131Qaz!23>
Number of vowels in front, length at end | 31Qaz!23>6 | 41Qaz!23>13
Number of vowels in front, length minus number of vowels at end (3 vowels, 6 – 3 = 3) [4 vowels, 13 – 4 = 9] | 31Qaz!23>3 | 41Qaz!23>9
Number of vowels squared in front, length squared at end (3 * 3 = 9 and 6 * 6 = 36) [4 * 4 = 16 and 13 * 13 = 169] | 91Qaz!23>36 | 161Qaz!23>169

You can see that once we introduce scrambling letters in the service name, or using numbers calculated from the service name, it becomes much harder for a human to spot the pattern and decode our formula. You want to be careful that your formula doesn’t get too complex for yourself though; StackOverflow is 13 characters long and I’ll admit that I broke out the calculator to see that 13 squared was 169.
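The rules from the table above, written out as an added example (this is not code from the original post): each rule is a small function of the service name and the salt, so the table’s values can be reproduced for any service name. The wrap-around from z to a in the "next letter" rule is my assumption; the post does not say what happens after z.

```python
import string

# Added example, not code from the original post: the rules from the
# "Better Formula Examples" table, applied to any service name.
SALT = "1Qaz!23>"  # the post's example salt
VOWELS = set("aeiouAEIOU")


def shift_letter(c: str) -> str:
    """Next letter in the alphabet (G -> H, o -> p).

    Wrapping z -> a is an assumption; the post never reaches the end of the
    alphabet. Digits and symbols in a service name are left unchanged.
    """
    for alphabet in (string.ascii_lowercase, string.ascii_uppercase):
        if c in alphabet:
            return alphabet[(alphabet.index(c) + 1) % len(alphabet)]
    return c


def counts(service: str) -> tuple:
    """(number of vowels, total length) of the service name."""
    return sum(c in VOWELS for c in service), len(service)


def rule_passwords(service: str, salt: str = SALT) -> dict:
    """Every rule in the table applied to one service name and one salt."""
    v, n = counts(service)
    return {
        "last 3 letters backwards": service[::-1][:3] + salt,
        "every 2nd letter, max 4": service[1::2][:4] + salt,
        "next letter of first 3": "".join(shift_letter(c) for c in service[:3]) + salt,
        "vowels and length in front": f"{v}{n}{salt}",
        "vowels in front, length at end": f"{v}{salt}{n}",
        "vowels in front, length minus vowels at end": f"{v}{salt}{n - v}",
        "vowels squared in front, length squared at end": f"{v * v}{salt}{n * n}",
    }


if __name__ == "__main__":
    for service in ("Google", "StackOverflow"):
        print(service)
        for rule, password in rule_passwords(service).items():
            print(f"  {rule:48s} {password}")
```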

You can also see how easy it is to come up with your own unique formula. You don’t have to stick to the rules I’ve shown here (counting vowels and length). Maybe instead of counting the number of vowels, you count the number of letters that the Service name has in common with your name. For example, my name is Daniel, so “Google” shares one letter in common with my name (the “l”), and “StackOverflow” shares 3 (“ael”). Maybe instead of squaring the numbers you multiply or add them. Maybe instead of using the numbers in your password, you use the symbols on the respective numbers. If you don’t like doing math, then avoid using math in your formula; it shouldn’t be a long or tedious process for you to calculate your password. Be creative and come up with your own formula that is fast and easy for you, and/or mix the components together in different ways.

More Tips and Considerations

  • In all of my examples I placed my calculated characters before or after my salt, but you could also place them in the middle of your salt, or have your formula modify the salt.
  • Since some services restrict the use of symbols, you may want to have another salt that does not contain symbols, or a formula that does not generate symbols. When you try to log in using your usual salt and it fails, try the password generated using your secondary symbol-free salt.
  • For extra security, include the year in your formula somehow and change your passwords every year. If you are extra paranoid, or have to change your password very frequently (e.g. for work), you can do the same thing with the month too and change your passwords monthly. An alternative to this would be to change your salt phrase or formula every year/month.
  • Similarly to how you may have had a different password for sites you don’t really care about, sites you do care about, and critical sites (e.g. bank websites), you could have different salts or formulas for each.
  • If you are wary of using this formula approach for ALL of your passwords, thinking that it is too much effort, then don’t use it for ALL of your passwords. Probably 85% of the accounts you create you don’t really care about; they don’t hold any sensitive information, and you couldn’t care less if somebody hacked them. For those, you can still use a shared strong password. Just use this approach for the remaining 15% of your accounts that you do really care about. This is a much better alternative than sharing a strong password among those 15%.
  • Some characters are “stronger” than others. For example, symbols are typically harder to guess/crack than letters or numbers, and some symbols are stronger than other symbols (e.g. < is stronger than $). It’s best to have a mix of all types of characters for your salt, but you might want to have more symbols in your salt, or when choosing the symbols for your salt you might opt for ones not on the 0 – 9 keys (i.e. <!@#$%>^&*()).

Why Not Just Use A Password Manager

With a password manager you can easily have unique passwords for all of your accounts, but there are a few reasons why I like this formula approach over using password management software:

  1. With password management software you are dependent on having the software installed and on hand; you can’t log into your accounts on your friend’s/co-worker’s/public PC since the password manager is not installed there. By using a formula instead, you ALWAYS know your passwords when you need them.
  2. Most password managers are not free, or else they are free on some platforms and not others, or they don’t support all of the platforms you use; if you want to use it on all of your devices you either can’t or you have to pay.
  3. Typically you need a password to access your account on the password manager. These types of “master passwords” are a bad idea. If somebody gets the “master password” for your password manager, they now have access to all of your passwords for all of your accounts. So even if you have a super strong master password that you never share with anybody, vulnerabilities like the Heartbleed bug make it possible for others to get your “master password”.
  4. Most password manager companies today store your passwords on their own servers in order to sync your passwords across all of your devices. This potentially makes them a large target for hackers, since if they can hack the company’s servers they get access to millions of passwords for millions of different services.

Summary

So instead of memorizing a password or set of passwords for all of the services you use, memorize a strong salt and a formula to calculate the passwords. Your formula doesn’t need to be overly complicated or involve a lot of hard math; just be creative with it and ensure that the formula is not obvious when looking at a few of the generated passwords. Also, you may want to have a couple different salts or formulas to help meet different strong password requirements on different services.

Happy password generating!

Comments

Greg

I love the idea. But I struggle with how to apply this for a set of work related passwords that require changing every x number of weeks (varies amongst services). Could use a formula for work passwords and a more static one for the rest of your pws. Very neat idea.

deadlydog

@Greg If you have to change your password every few weeks for work, you could incorporate the current month and year into your salt or formula for your work passwords. If you don’t have to change your password every few weeks, but every few months, maybe incorporate the quarter (i.e. Q1, Q2, Q3, or Q4) or the season (i.e. spring, summer, fall, winter) into your formula. Be creative ;)

Ramos

It’s a good idea, but it would be waaay overkill for me. I would literally sit for 5 mins calculating my password for service X before I could remember it and that would mean I just cba to login at all unless it was something work-related I got paid for.

A good long family of passwords containing members of the 4 big families(small letters, capital letters, specials and numbers) is enough for me. They are all related to a fantasy character name I only used in PnP roleplaying 20 yrs ago and that is utterly unique to me, unless someone was my childhood friend, which narrows it down to about 3 people on earth.

Your points are all valid, it’s not that; it just feels like SO much hassle and work for so little gain. I mean, if I had truly career-wrecking info on accounts that I wanted to keep, an old offline computer with offline backup drives stored in different geo locations would be better.

So how do YOU remember all this hassle and how long does it take you to calculate all the passwords?… Can you really be bothered in the long run and do you really never use lesser important services with “Remember me” cookies?

Thanks for a great blog btw, I follow you via RSS and it’s usually high quality reading, just wanted to get that out there too.

deadlydog

@Ramos Thanks for the great reply Ramos. You make a great point and are right that for probably 85% of the websites I’ve created an account on, I don’t really care about that account and don’t have any real or sensitive info on it. For those I just stick to using a generic strong password that is shared for all of them. It’s that other 15% though where this technique comes in very handy. I’m sure you have 10 or 15 accounts that have sensitive information on them, or that you really don’t want somebody else to get access to. It’s those accounts where this technique is very beneficial; you don’t end up sharing one or two strong passwords between all of them, and don’t have to try and remember 10 or 15 different strong passwords. For those people that are super paranoid, they can use this technique to generate unique passwords for EVERY account they create, but for myself and practicality’s sake, I only use this technique for the subset of accounts that I truly care about. I should have had a blurb about this in the article itself. Thanks :)

Rog

Very interesting idea and it totally makes sense. Unfortunately doing this feels highly impractical to me. Yes trusting a company to store your passwords locally and encrypt them securely should not be done light heartedly. I think together with 2 factor authentication it is a good system I can trust though. And having to spend money for a service like that? I’ll happily do that, why not?

Vipin

My dad is a smart guy, good at math, but isn’t very comfortable with computers and passwords. I’ve sent him a link to this page. I’m curious to see if this method helps him better manage his credentials for various sites.
