Torkil Johnsen

My personal piece of cyberspace

How to create—and remember—a different password for every single login

Posted in Security on Aug 18th, 2010

Here is a neat trick for how you can create and remember thousands of good, secure and UNIQUE passwords, using keys and keyholes. No more identical passwords, and no more easily breakable ones either. Spend 5 minutes reading this blog post, you won’t regret it. Money back guarantee!

The problems

If you take security seriously, you want to avoid simple, short passwords and passwords that can be found in a dictionary. If someone gets hold of a user database with your username and hashed password in it, a weak password is only a matter of time to crack. And if you use the same password for all your logins all over the internet, one cracked password gives the attacker every account you own.

The challenge

  1. Use lower-case letters, capital letters, numbers and symbols, and combine them into a password of at least 12 characters.
  2. Remember what you came up with in #1.
  3. Repeat process for hundreds of logins with equally complex passwords, and still remember them all.

The solution

Here is how…

1. Create a memorable password

Use some things you can relate to, stuff you remember, like a favourite movie quote, the first book you read, the number of dollars you stole from your mother that time, the opening lyrics to a song you once wrote, the first letters of the words of an opening sentence in a book. Anything goes!

I’ll take a piece of a quote from “The Long Kiss Goodnight”:
Alice, please. Your dog!

Note how I managed to get both a comma, a period and an exclamation mark in there.

Now, I take away the spaces, because some sites reject or trim spaces in passwords, so I end up with:
Alice,please.YourDog!

2. Make the password more secure

“More secure” in this case means: fewer dictionary words, more length and/or more complexity. For instance I have not used any numbers yet. So I’ll convert the A to a 4, because they look similar. It’s also a bit long, so to shorten it (and give my blog a bit more hacker-like credibility!) I’ll change “please” to “plz”, “Your” to “Ur” and “Dog” to “Dwg”, which is short for “Dawg”. (Of course!) I end up with this:

4lice,plz.UrDwg!

Swapping A for 4 is a bit obvious perhaps and it feels like it needs more numbers. So since we’re talking about dogs, I’ll also add the age my first dog was when he died:

4lice,plz.UrDwg!12

That’s actually 18 characters long, so I’ll stop there before I scare you readers off. I’d recommend a phrase of at least 12 characters though.

Work the phrase like this, adding or substituting stuff, until you have something that looks like nonsense, but makes perfect sense to yourself. Don’t worry if it takes a long time to type. You’ll be typing it a lot in the time to come, so soon you’ll hammer it down in milliseconds.

3. Memorize it

Yes, you have to memorise it, sorry. It is hopefully a hard one, but the substitutions in step #2 are your own, so they should make it easier to remember.

Oh, and keep it secret too!

4. Add keyholes

Here comes the part that makes it interesting. We are going to make parts of our password variable, by adding two keyholes. You can use one or five too, that’s up to you. A keyhole is an opening where we will insert keys. The keys are what will make our passwords unique.

Here, I’ve inserted two underscores to represent my keyholes:
4lice,plz._UrDwg!12_

These two keyholes will change according to where we are logging in. Keep reading, you’re almost there!

5. Add keys

Keys are what goes into the keyholes, and we want to vary these as much as possible. They need to be different, but predictable, so we determine these by rules.

Here are some examples of rules you can use to create keys for two keyholes:

  1. The first + second letter of the domain name of the website you’re logging into.
  2. The first letter of the first syllable of the sitename you are accessing + the capitalised first letter of the second syllable.
  3. The number of letters in the domain name + the first vowel in the sitename.
  4. The two last letters of the domain name + the two first letters of the sitename.
  5. etc…

Spend some time on this part to make one fun and unique rule for yourself. Keep this secret.

Rule #1 here was the first rule I tried when experimenting with this way of making passwords, and it is not very good. The reason is that I log in at many websites whose domain names begin with the word “joomla”, so my keys became “j” and “o” very often, and those sites all ended up with the same password.

So base your rule on something that is stable for each website but differs between websites; if many sites produce the same keys, you are back to sharing passwords.

6. Start creating passwords

Let’s say I was going to use rule #4 with my password from above. My password, with two keyholes, was this:
4lice,plz._UrDwg!12_

Say I am logging into digg.com, which has the sitename Digg. Using rule #4, the two keys are “gg” (the two last letters of the domain name) and “Di” (the two first letters of the sitename). When I insert these two keys into my keyholes, I get this password for logging into digg.com (the keys are “gg” and “Di”):

4lice,plz.ggUrDwg!12Di

Here are some passwords for some other sites:
joomla.org: 4lice,plz.laUrDwg!12Jo
wordpress.com: 4lice,plz.ssUrDwg!12Wo
drupal.org: 4lice,plz.alUrDwg!12Dr
twitter.com: 4lice,plz.erUrDwg!12Tw
facebook.com: 4lice,plz.okUrDwg!12Fa

So I end up with 22 character long passwords. Most of them will be unique, but any two sites whose keys coincide (for instance joomla.org and joomla.com under rule #4) get the identical password, so check your rule for such collisions before you commit to it. Also bear in mind that all these passwords share the fixed part: anyone who sees two of them in cleartext can spot the fixed part and where the keys go, so a leak at one site weakens the others.

Most important of all though: They will be complex, but I will still remember every single one of them.
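The steps above, as an added example that is not the author’s own code. The master phrase and rules #3 and #4 are taken from the post; the function names, the way a host name is split into “domain name” and “sitename”, and the sample host list (twister.net is made up to show a collision) are my own assumptions. The last function shows the leak caveat: given two of the passwords, the positions that differ mark the keyholes and everything else is the fixed phrase.

```python
# Rule-based "keyhole" passwords, following steps 4 to 6 of the post.
# Added example, not the author's code. MASTER and rules #3/#4 follow
# the post; host parsing, names and sample hosts are my assumptions.

MASTER = "4lice,plz._UrDwg!12_"  # two keyholes, each marked with '_'


def split_host(hostname):
    """Return (domain name, sitename) for a host such as 'digg.com'.

    Assumption: the 'domain name' is the label before the TLD ('digg')
    and the 'sitename' is that label capitalised ('Digg'). Two-label
    suffixes such as .co.uk are not handled.
    """
    label = hostname.lower().strip().split(".")[-2]
    return label, label.capitalize()


def rule3(hostname):
    """Rule #3: number of letters in the domain name + first vowel of the sitename."""
    domain, site = split_host(hostname)
    vowel = next((ch for ch in site.lower() if ch in "aeiouy"), "")
    return [str(len(domain)), vowel]


def rule4(hostname):
    """Rule #4: last two letters of the domain name + first two letters of the sitename."""
    domain, site = split_host(hostname)
    return [domain[-2:], site[:2]]


def fill_keyholes(master, keys):
    """Insert the keys into the keyholes, left to right."""
    if master.count("_") != len(keys):
        raise ValueError("number of keys must match the number of keyholes")
    out = master
    for key in keys:
        out = out.replace("_", key, 1)
    return out


def password_for(hostname, rule=rule4, master=MASTER):
    return fill_keyholes(master, rule(hostname))


def collisions(hostnames, rule=rule4, master=MASTER):
    """Hosts that end up with an identical password under the rule."""
    by_password = {}
    for host in hostnames:
        by_password.setdefault(password_for(host, rule, master), []).append(host)
    return {pw: hosts for pw, hosts in by_password.items() if len(hosts) > 1}


def template_from_leak(pw_a, pw_b):
    """What someone learns from two of your passwords in cleartext.

    With equal-length keys, the positions that differ are the keyholes
    ('?' below); everything else is the fixed master phrase.
    """
    if len(pw_a) != len(pw_b):
        raise ValueError("this simple comparison needs equal-length passwords")
    return "".join("?" if a != b else a for a, b in zip(pw_a, pw_b))


# Constructed sample list; twister.net is invented to trigger a collision.
SAMPLE_HOSTS = ["digg.com", "joomla.org", "joomla.com", "twitter.com", "twister.net"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, password_for(host))
    print(collisions(SAMPLE_HOSTS))
    print(template_from_leak(password_for("digg.com"), password_for("wordpress.com")))
```

Run the script and the collision list shows joomla.org/joomla.com and twitter.com/twister.net sharing a password each, while the last line prints the master phrase with the keyholes exposed.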

7. Ideas to complicate things even more

For those of you who really want to be totally paranoid about it:

  • Use variable keyholes too. If the sitename starts with a vowel, add a keyhole to the front of the password. If not, add a keyhole to the end.
  • Base key rules on stuff that changes now and then, for instance a website’s main colour or the number of main menu items it has. This will occasionally break your password, so every so often you will have to use the “forgot password” function and set a new one, which is not a bad thing in itself.
  • Have different usernames too, but perhaps not too obvious, since these are often visible to others. “torkilDIGG” is not a very good digg.com username: when people also see my Joomla forum username being “torkilJoomla”, they’ll know the pattern straight away. Numbers could be good though, like torkil4 for digg.com and torkil6 for joomla.org, since digg has four letters and joomla has six. It gives you some variation at least.
  • Keep a list of random keys. Yes, a list. Write them down. Your list could look like this:
    Digg: x76T
    Facebook: pOw2
    Stumbleupon: 99!b

    Only you would know what to do with these four characters. And then store this file in an encrypted format on a computer not connected to the internet, buried six feet under your house. ;)

Got any ideas on how to make a memorable but complex and unique password? An idea on how to obfuscate common words? Perhaps a genius rule for creating keys? A way to make things more complex? Share below!

  • http://twitter.com/joocode Flavio Copes

    No idea on how to make those passwords more memorable, but I found 1password a really great tool to use to manage passwords.

    It can generate very complicated passwords and store them so easily that it has become part of my flow after only 2 months of usage :) Can’t “live” without now.

  • http://torkiljohnsen.com Torkil Johnsen

    The password need not be as complicated as I have outlined. You could merely use your own last name and the zipcode for where you live, and then just insert keys into that. No software required, just a brain :)

  • http://torkiljohnsen.com Torkil Johnsen

    …the rule-based password also works when you’re at an internet café in Thailand, or sitting on a bench in the park with your phone, and 1password is not there to help you ;)

    I’m telling you man, it’s gold! :)

    • Linus Pettersson

      That’s when 1Password for iPhone is handy. And syncing over dropbox. Works awesome :)

      • http://torkiljohnsen.com Torkil Johnsen

        So with no laptop and no battery left on your phone, and only a webbrowser on an internet café available? I’m telling you man, don’t become addicted to the password manager software ;D

        • Linus Pettersson

          Hehe I don’t think that will happen. And IF it does, I think I’ll be OK anyway :)

          And your way you will have lots of very different passwords anyway considering that everyone has their own password rules with X characters, special characters, numbers and so on. I think I would end up using pretty much the same password again.

          I do have my bank password and some other super important passwords in my head. So I’ll have to remember like 3 passwords in case I get stuck in that internet café without a laptop/phone. The rest of my passwords I use 1Password for.

          I think the best way is just that. Create some rememberable passwords that are still secure and remember those. Why not create them as you describe above, it seems like a good way :) But the rest… Use 1Password or something similar.

          • http://torkiljohnsen.com Torkil Johnsen

            50% of my password repeats itself, the other 50% are seemingly random, but in a system that only I know. Invaluable, and a great timesaver, when I need to use 10-20 different passwords during a working day.

            I should probably check out 1Password before criticizing it, but isn’t it kind of a weak link in your security in itself? It sounds a lot like storing all your eggs in one basket? What if your computer is stolen and they dig out your master password? That’s just one password better than storing all your passwords in your webbrowser.

  • Anonymous

    Some sites don’t allow punctuation in passwords. And some have a max password length as small as 8. Few sites I use allow 22 character passwords.

  • David

    Another way to complicate passwords without making them hard to remember, at least for touch typists: use a plain old dictionary word or phrase, but move your hands off home row when you type it. Maybe your left hand one key to the right and your right hand one row up to the left, making your home keys g and u instead of f and j. Play around with positioning until you end up with some numbers and punctuation, then you have an easy to remember password that looks like complete gibberish when you type it.

  • http://torkiljohnsen.com Torkil Johnsen

    True! Some websites and webapps do indeed purposely make you thwart the quality of your own passwords. Most sites I use though, don’t.

    22 was a bit over the top, agreed ;)

  • Anonymous

    Interesting method, I too have some kind of system to generate strange looking passwords. I start with a long sentence that I made up and I know I will remember, for example: “This is a very long sentence that me and only me will know.” From this sentence I take the first character from every words, so it becomes: “Tiavlstmaomwk”.

    From there I add a few numbers, capitalizations, etc based on rules that only I know. My passwords normally ended up 12 characters long or more.

    To defeat keyloggers I also force myself to copy paste certain additional chars that I keep in my gmail account.

    I have only 2-3 ‘master password’ like this, the rest I use http://www.lastpass.com to generate.

    Your suggestion to use ‘keyholes’ based on domain name is good too.

    Cheers.

  • Anonymous

    Believe me, a banking website in my country limits the password to 6 chars only. Probably there were some technical restrictions that forced them to limit it to 6 chars but needless to say I have stopped using that bank.

  • http://torkiljohnsen.com Torkil Johnsen

    Nice point there about defeating keyloggers.

  • jo

    Another Point of View

    Digital Domain – A Strong Password Isn’t the Strongest Security – NYTimes.com

    http://www.nytimes.com/2010/09/05/business/05digi.html?src=me&ref=business

  • http://torkiljohnsen.com Torkil Johnsen

    I like it, and especially the point about letting systems take responsibility for security, to improve usability and allow shorter and easier-to-remember passwords:

    “If an account is locked for 24 hours after three unsuccessful attempts, a six-digit PIN can withstand 100 years of sustained attack.”

  • Werner

    Maybe have something about how changing passwords which are good, is not necessary? http://isc.sans.edu/diary.html?storyid=7510

    • http://torkiljohnsen.com Torkil Johnsen

      Good point! Would probably make sense if you were using the same password in lots of places. I still remember that Win 2000 system back in school where you were required to change password every month or so :P

  • Pingback: Torkil Johnsen » Collection of Joomla Security Tips

  • Fedroz

    I take a common phrase that has numbers, take the first two letters of each word and write the numbers. For example “Is the glass half full or half empty?” so the password is: isthgl1/2fuor1/2em?
    To defeat keyloggers I omit a few chars when typing and then I click the right positions and fill in the missing chars.
    Your keyholes idea is great.

  • http://torkiljohnsen.com Torkil Johnsen

    A really great point from XKCD.com:
    http://xkcd.com/936/

    Combine that with some sort of keyhole solution to make different passwords for each login. History has shown that even seemingly serious companies may store your password in cleartext. Yes Sony, I’m looking at you.


Creative Commons License
This work by Torkil Johnsen is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.