If you're like most computer-using people, you have about four hundred different passwords for various accounts. If you're smart, those passwords aren't all the same. You don't want a thief who gets one of your passwords to effectively have all of them. Is there a solution to this problem that doesn't involve technology? Could one come up with a scheme for remembering all four hundred passwords even if each was different?

Allow me to describe one potential solution. Then, according to tradition, you can tell me how stupid it is. Consider the idea that follows as nothing more than the inspiration for your own better idea that you will triumphantly put in the comments.

Here's my idea: Suppose that instead of remembering a password, you remember a formula for how you created the password in the first place, and that formula applies to all of your passwords for every system. In that case, all you'd need to remember is one formula instead of four hundred passwords. Allow me to give you an example.

Suppose, just to illustrate the idea, you decide that your personal formula for creating all of your passwords always consists of the following components:
  1. The first letter is for the type of service. F might be for financial services, such as a banking or investment account. G might be for game accounts. E might be for email, and so on.
  2. Next is the first three letters of your birth city.
  3. Next is a two digit number based on the alphabetical order of the first two letters of the service's name. For example, AOL starts with an A, which would be 1. The letter O is the 13th letter of the alphabet. Together they are 113.
  4. The last digit would be the sum of the numbers generated by step 3. In this example that would equal 1 + 1 + 3 = 5.
Your formula would be your own invention, and potentially different from every other person's approach to passwords. If someone steals one of your passwords, the thief is unlikely to guess what formula you used to create it. In theory, if an experienced code-breaker got ahold of perhaps three of your formula-derived passwords, and he had lots of information about your personal life, he could deduce your master formula. But that's asking a lot of your common password thief. And realistically, if someone gets three of your passwords, the thief either lives with you or stole your laptop, so you have bigger problems.

The most obvious risk with the formula approach is that if it became widespread, some people would create formulas that are too easy to deduce, such as their cat's name plus the first two letters of the online service. But that's not your problem.

The second problem is that all of your formula-created passwords would be awkward and hard to remember. You'd have to apply the formula in your head almost every time you wanted to enter a password. But that's how passwords are supposed to be. That's more of a feature than a bug.

With the formula approach, you'd have an extra complication with services that require you to change your password periodically. And you might want to change an individual password now and then for your own reasons. Those new passwords would be off formula, unless you added a version number to the end. That way, if your formula doesn't work, you next try it with 1 at the end, then 2, and so on. It's not a perfect solution, I know.
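To make the scheme concrete, here is an added Python implementation of the four steps plus the version-number fallback (example code written for this page, not the post's). The birth city "Boston" and the service names are made-up sample inputs. It computes letter positions rather than counting them by hand, so AOL comes out as 115 rather than the 113 in the worked example above (a commenter below makes the same correction), and it also measures how much of each password actually varies from site to site, which is what criterion 2 hinges on.

```python
"""Worked implementation of the post's four-step password formula."""
from itertools import product
from math import log2
import string

# Step 1 of the post: one letter for the kind of service (the post's own mapping).
CATEGORY = {"financial": "F", "game": "G", "email": "E"}


def letter_position(ch: str) -> int:
    """1-based position of a letter in the alphabet, computed rather than
    counted by hand (hand-counting is how 'O' became 13 instead of 15)."""
    ch = ch.upper()
    if ch not in string.ascii_uppercase:
        raise ValueError(f"not a letter: {ch!r}")
    return ord(ch) - ord("A") + 1


def service_code(service: str) -> str:
    """Steps 3 and 4: positions of the first two letters, concatenated,
    followed by the sum of the digits of that number."""
    first_two = service.strip()[:2]
    if len(first_two) < 2:
        raise ValueError("service name needs at least two letters")
    positions = "".join(str(letter_position(c)) for c in first_two)
    checksum = sum(int(d) for d in positions)
    return positions + str(checksum)


def formula_password(kind: str, birth_city: str, service: str) -> str:
    """Steps 1 to 4 combined: category letter, first three letters of the
    birth city, then the per-service code."""
    return CATEGORY[kind] + birth_city[:3] + service_code(service)


def candidates(kind: str, birth_city: str, service: str, max_version: int = 3) -> list:
    """The post's fix for off-formula changes: try the base password first,
    then the same string with a version number 1, 2, ... appended."""
    base = formula_password(kind, birth_city, service)
    return [base] + [f"{base}{v}" for v in range(1, max_version + 1)]


def distinct_service_codes() -> int:
    """How many different step-3/4 codes exist across every two-letter
    service-name prefix. Everything else in the password is constant for a
    given person and category, so this is the only per-site variation."""
    codes = {service_code(a + b) for a, b in product(string.ascii_uppercase, repeat=2)}
    return len(codes)


def variable_bits() -> float:
    """Entropy of the per-site part: how much a thief who already knows the
    constant part (from one leaked password) would still have to guess."""
    return log2(distinct_service_codes())


if __name__ == "__main__":
    # Sample inputs are constructed for illustration.
    print(formula_password("email", "Boston", "AOL"))        # EBos1157
    print(candidates("financial", "Boston", "Chase"))        # FBos3811, FBos38111, ...
    print(distinct_service_codes(), f"{variable_bits():.1f} bits")
```

Two things the numbers make visible. The step-4 checksum is derived from step 3, so it adds nothing a thief has to guess. And because single-digit and two-digit positions are simply concatenated, different prefixes can collide ("AO" and "KE" both give 115), leaving only 646 distinct codes, about 9.3 bits. Once one password has leaked the category letter and the city are known, and every other password from that category is one of 646 strings. Service names that start with a digit or symbol raise an error, which is the "must always work" criterion showing up in practice.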

That's my craptastic idea for today. I call on your collective genius to fix all that is broken with this idea and make it a winner. When you tell me how you'd approach this problem, remember your solution must meet these criteria:
  1. The formula must always work and be unambiguous.
  2. The formula must not be obvious for a thief who sees one or two passwords.
  3. The formula itself must be easy enough to remember.
  4. You need a way to deal with password changes that go off formula.
  5. No technology is involved.
Okay, now it's your turn. Is this approach feasible?
 
Votes: +42

Comments

Mar 29, 2012
Problems come in two flavors: people use dumb passwords, such as "password", and they use them everywhere. Hack Facebook and then use the information and password to try to access every major bank in a given country; you should make some good money out of it. Hacking the bank website could prove impossible, on the other hand....

For non-important stuff, use one or two very easily remembered passwords. For the rest, just make them very long, with a few weird things in them. As long as you can remember them, by a formula or just by some kind of weird logic of yours, you are all set.

Trying to apply a strong formula, one that doesn't have a downfall, to everything is overkill. It's impractical 90% of the time, and probably weaker for important stuff, because it's more limited and shorter. Security experts have gone in such a way that we now either use dumb passwords, or passwords that are easily hacked through word banks or brute force but hard to remember. In both cases, we are on the losing side.
 
 
Mar 28, 2012
Lastpass is the ONLY password solution worth looking at. It is browser and platform agnostic, is available for mobile phones, and where else can you have random passwords like f2G8x#KhV4l7IX%$j2ea generated to not have to remember. I have one strong master password that I have to remember and that is it. They also have a tool to examine the passwords that you have with their service to see if you have duplicate and weak passwords.

I have been with Lastpass for about 2 years and have not once looked back at this decision.
 
 
Votes: +5
Mar 26, 2012
Best idea for strong password creation that's easy to remember that I've ever seen:
http://imgs.xkcd.com/comics/password_strength.png
 
 
Mar 26, 2012
I use more than one formula, depending on the site and the implications of a leak. Generally I involve this with a long phrase, as per the xkcd comic.

I have also used simple translation by moving my fingers on the keyboard. Instead of "Hello There!", "H3ll9 %h343!" - the numbers above the top row of keys.

I use a virtual email address that I can easily redirect to a new address should something happen to my email provider.

As for your point (1) - it's difficult. There are many lame password policies out there. (iTunes won't allow punctuation!?) I just have "plan b" and "c". You can follow the xkcd idea and use a long phrase (without spaces, for other lame policies out there...) but you will encounter systems that don't allow long passwords too! Point (4) is hard to answer, since it's not feasible to update all passwords. I have also used my own OpenId point, which is good in principle. There really needs to be a better system used, perhaps a trusted two factor auth operator would be better.

http://ministryofparanoia.org/2011/02/11/use-different-passwordsdont-use-the-same-password-for-multiple-websites/
 
 
Votes: -1
Mar 23, 2012
Best advice (quoting Dwigt):

"Also, create your e-mail password using a different formula than the others, and make it much harder, since access to ones email effectively gives access to all websites one has an account with."

Actually pretty obvious - but I hadn't thought of it.

I do keep a password-protected word file with passwords on my laptop - so I also liked Jengineer's idea of keeping them as image files rather than ascii. Since my laptop is not exactly secure (I use a relatively insecure password so that my husband and kids can use it), I might convert that jpg to a password-protected PDF - rather than try to hide it with an obscure name I will likely forget.

I create my most secure passwords as long phrases with certain letters always swapped out for specific numbers. An example of this "formula" (not one I use) would be to create a phrase like: TheBankSiteIUseEveryDay - and swap out every "a" with @ or the number 5. TheB@nkSiteIUseEveryD@y. I can remember long phrases with one simple swap - much better than math-based formulas.

I also have a couple of "throwaway" passwords that I use repeatedly for sites that I don't worry about - and for those sites that stupidly send me back my unencrypted password in a confirmation e-mail for everyone in the vicinity to see.
 
 
Votes: +3
Mar 23, 2012
"O" is the 15th letter of the alphabet. (Which shows, I think, a problem. It's too easy to get it wrong.)
 
 
Votes: +1
Mar 23, 2012
I use LastPass to generate random passwords and store them in the cloud in encrypted form. This works with all browsers and most phones and tablets. All I have to remember is one master password and for that I use mouffett's method of keyboard patterns rather than memory tricks. Also, LastPass encrypts/decrypts all passwords on the source device so they never get transmitted or stored in unencrypted form.
 
 
Mar 23, 2012
@treekiller, Mar 23:

Very good idea. I would add that, since the vast majority are tier2 passwords, those might as well be all the same (but completely unrelated to the tier1 passwords).
 
 
Votes: +3
Mar 23, 2012
This is a great idea, except for the ones I have to change every six weeks.
 
 
Mar 23, 2012
Hello Scott,

I don't like seeing you being unnecessarily self-deprecating, so I wanted to log in to compliment you. If you came up with the idea for a password formula just by thinking on the subject, then you've matched industry best practice purely through your original thought, at least in the area of IT security I work in.

I wasn't sure if I could log in to compliment you, but luckily I use the same password here as everywhere else...
 
 
Mar 23, 2012
I think worrying about someone cracking your password from a list of passwords is too much. I would focus on having a base password that you alter in simple ways, such as shifting a character by a certain count. I would also say it's good to have two tiers of passwords.
Tier 1: my bank, my email, university, work

Tier 2: all the random sites that make me log in (such as Dilbert).

This is easier to remember than just a bunch of random passwords.
 
 
Votes: +3
Mar 23, 2012
Allow me to break rule #5:

Buy 1Password. It works on my PCs, iPhones, and Macs. I use the free Dropbox to keep all of the passwords, wallet cards, secure notes, EVERYTHING...all in sync.

It's a beauty and all my passwords are as random as they come.
 
 
Mar 22, 2012
I'm among the throngs of people facing this issue, and it pisses me off. So I use a formula I call the qwerty method. That is, I take 6 keys on the keyboard that I find fastest to type, and add a shift at each end. Let's say, for example, >.,m098* . Don't look at the screen, look at the keyboard. All adjacent keys and fast to type. Or maybe Wwer234$ , if you prefer.

Because, seriously, what information am I protecting? And if you give your credit card to Amazon or Ebay, you deserve what happens to you.
 
 
Mar 22, 2012
Hi Scott - Passwords matter only for the subset of sites where you have to give a password but you -care- whether it's hacked (or there's a reason why someone would hack it). For example, if someone hacks the password I need to comment here, do I really care?

That reduces the 400 passwords to a very manageable #, which do require good attention as you mention. The others just have to be something unlikely that you'll generally remember....

The annoying thing is when you have a good system, and some websites won't accept your password (insufficiently secure). I find an inverse relationship between the need for security and the level of checking on passwords (i.e, my bank leaves it up to me, but some forums are very strict :-) )
 
 
Mar 22, 2012
It doesn't matter how clever or obscure your password is (beyond avoiding obvious stuff). Password cracking software just runs every single permutation until it gets the right combination. So a really long, easy to remember password is safer than a short complex one.

For example - TimeToTypeMyPassWordAgainButItIsNotMyDateOfBirthEMAIL - is a lot harder to crack than your suggested method.
 
 
Mar 22, 2012
Sorry but in this case a non-technical, non-commercial solution isn't worth it. The best thing I did a few years back was to sign up for a service called LastPass (I have no interest in this company besides being a customer). It can be installed as a browser add-in for all major browsers, and also can be accessed in a secure Web page. LastPass creates an encrypted database with a master password that only you have (yes if you lose it you're screwed). When you are asked by a website to pick a password, you get an option to generate one with any complexity you want (length, characters sets, etc.). Now I have unique, incredibly random passwords for all my sites and I can use them on any device. It costs $10/year ($20 with the Xmarks bookmark synchronizer) and I don't worry or even think about this topic anymore. Again, no shill, and I clench my teeth when renewal comes up because I know I could do a lot of the same things with formulae or open source solutions... but life's too short for these types of worries.
 
 
Mar 22, 2012
Using formulas to derive passwords is the method suggested by security professionals, short of completely random passwords handled by technology.

Creating that formula is very difficult.

Some additional issues on top of the original post:
1. Some places have conflicting password requirements. Sometimes symbols are required, sometimes they are not allowed. Some have length requirements.
2. Usernames can also be troublesome. Were you the first "John" to register for this service? Or were you the 117th?
3. What if you change your formula?

I myself encountered these issues while logging in to comment.
I semi-recently changed my username, as the old one had been used too frequently (more than twice out of the 400 services we have all signed up for). Was my Dilbert account using the old username, or the new one?
I had signed up for a service that was later hacked and made big news. I knew that my Formula at the time was rather weak, and it would take a thief only 1 sample to see the pattern, so a new one was created. When I signed up for Dilbert, was that before or after the new Formula was created?

In the end, I forgot too many specifics and used the password reset option.
But which E-mail account did I use?
Which password and account was tied to That e-mail address?

If all these services are using the same e-mail account, what is to stop them from resetting my e-mail account, and my service account?

Sounds like I had better implement a better password on that e-mail account!
Except my formula might be too weak, I had better come up with a new one, maybe a shorter one, I hate typing 32 characters on a phone....


In more seriousness, the expiring passwords for frequently used accounts and services has made me think more about my own passwords and security, and I've found an evolving formula come out, which is likely a bit more secure, and maybe my next iteration will use creation date and/or expiration date as part of the seed criteria.
 
 
Votes: +1
Mar 21, 2012
That's a little too complicated. No thief is going to individually try and crack your password. All you need is a random code preceded by the last 3 letters of the website, or something similar. In this case, I might use treMOQ32p. A common way of stealing passwords is to set up a site that requires an e-mail login and a password. Then, once they have a database of anywhere between 1,000 and 1,000,000 passwords, they can spam yahoomail, gmail, financial sites, etc. with the same email/password combination. If 5% of people use the same password (I'd guess it's way more than that), they have 50 to 50,000 people's info.

If anyone is going to take the time to crack your password, they'd do it using a brute force program, since not all sites lock your account after X failed attempts. No need to confuse yourself with a wacky formula.

Also, create your e-mail password using a different formula than the others, and make it much harder, since access to ones email effectively gives access to all websites one has an account with.
 
 
Votes: 0
Mar 21, 2012
Bah - I just categorize things into various levels of importance and give them the appropriate password, of which I only have three (don't care; games, which I care about but with little financial loss if taken; and financial). And a unique one for my email, because it ties all the others together with the "forgot my password" feature. For instance, my password for this site is the don't-care one.
 
 
Votes: 0
Mar 21, 2012
Yeah, I have a formula [that I won't bother describing] that works for me...but I don't have 400 passwords. Only in a minority of cases are the passwords protecting anything critical... A few of them I actually record in a computer file...good luck finding it. Part of my security is based on obscurity...nobody is going to try to crack my password to the NYT site or my hobby forums.
 
 
 