
How secure is your password?
In a BBC Technology article today about the recent email phishing scam which saw tens of thousands of accounts compromised, Sophos security expert Graham Cluley advised people to change their passwords as soon as possible. He added that about 40% of people use the same password for every website they use, which obviously increases the potential damage of a leaked password.
This advice will no doubt strike terror into the hearts of many, especially those who struggle to remember the passwords they have already set up. I use a system, though, which makes it possible to generate and easily recall as many passwords as you like by simply memorising a few simple rules. The beauty of the system is that it generates a unique password for each new account you want to log onto, without needing to remember anything new.
Essentially the technique works by creating a formula. Here’s an example:
First, think of a number which will be easy for you to remember. For this demo we’ll use 123.
Now, come up with a formula which incorporates the number, the name of the site you’ll be logging into, and a few additional rules to make it more secure.
For example, the formula might be:
123 + Sitename + a dash + third letter of the sitename + number of letters in the sitename
Which, for a Hotmail account say, would give you a password of:
123Hotmail-t7
(note the capital letter and the dash, included to help meet the stricter password rules of some sites)
All you then have to do is remember the formula (which should be fairly easy) and apply it to each account to get a different password for every site, all built from the same memorised rule:
- 123Wordpress-r9
- 123Yahoo-h5
- 123Facebook-c8
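The formula above written out as code, as an added example (not the article's own code). The first function applies the rule exactly as the article states it and reproduces the four passwords listed; the second is an attacker-side check, with the two "leaked" passwords constructed from the article's own examples, showing that once the rule is suspected, the memorised number can be read straight off any leaked password and the remaining passwords follow from it.

```python
# Added example, not the article's code: the article's password formula as a function,
# plus an attacker-side check showing that the memorised number is its only secret.
# Site names and the "leaked" passwords below are constructed for the example.
from typing import List, Optional, Tuple

def formula_password(site: str, number: str = "123") -> str:
    """Apply the article's formula:
    number + Sitename + '-' + third letter of the site name + number of letters.
    `number` is the memorised constant (the article's demo value is 123)."""
    if len(site) < 3:
        raise ValueError("site name needs at least three letters for the 'third letter' rule")
    name = site[0].upper() + site[1:].lower()   # the article writes the site name capitalised
    return f"{number}{name}-{name[2]}{len(name)}"

def split_around_site(site: str, password: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, suffix) around the site name inside a password, or None
    if the site name is not visible in it (case-insensitive match)."""
    i = password.lower().find(site.lower())
    if i < 0:
        return None
    return password[:i], password[i + len(site):]

def predict_from_leaks(leaks: List[Tuple[str, str]], target: str) -> Optional[str]:
    """Attacker check: given (site, password) pairs leaked from different sites, test
    the hypothesis that they follow the article's rule. If every leak fits and the part
    in front of the site name is the same in all of them, that part is the memorised
    number, and the target site's password follows directly."""
    prefixes = set()
    for site, pw in leaks:
        parts = split_around_site(site, pw)
        if parts is None:
            return None
        prefix, suffix = parts
        if suffix != f"-{site[2].lower()}{len(site)}":
            return None                      # the rule hypothesis does not explain this leak
        prefixes.add(prefix)
    if len(prefixes) != 1:
        return None                          # no single constant in front of the site name
    return formula_password(target, prefixes.pop())

# Constructed leak: two of the article's example passwords, as an attacker might see
# them after two sites that stored passwords in the clear were breached.
LEAKED = [("Wordpress", "123Wordpress-r9"), ("Yahoo", "123Yahoo-h5")]

if __name__ == "__main__":
    for site in ["Hotmail", "Wordpress", "Yahoo", "Facebook"]:
        print(site, formula_password(site))
    print("predicted Facebook password:", predict_from_leaks(LEAKED, "Facebook"))
```

The check is deliberately simple: the attacker only needs a guess at the rule, which the visible site name and the "-t7" style suffix make easy, and the prefix is then not guessed but read. Everything that is not the prefix is public, so the strength of the scheme is exactly the strength of the memorised constant.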
There are countless ways to come up with a formula, and you can make it as complex as you like. Once you have memorised it, you no longer need to remember individual passwords at all. One caveat to keep in mind: the site name and the rule are both visible in each password, so the memorised number is the only real secret. Someone who obtains one or two of your passwords (a site that stores them in the clear being breached is enough) can read the constant off the front and work out the rest. So pick a longer and less guessable constant than a three-digit number, and if any one password does leak, change the formula itself rather than just that one account.
Is this idea of use to you? Can you think of a better way to manage passwords (without using a third-party aggregator or writing them all down on a scrap of paper!)? Leave a comment below and let me know…
James,
As someone who, for years, used the same password repeatedly, this is a great idea! In my defence, the password in question was a mixture of numbers from my old RAF Service Number and the name of a street I used to live in.
However, it still had that fatal flaw – once cracked, all my accounts and memberships were wide open! I played around with password generators and keepers but, at the end of the day, you still had to provide a password to access your passwords – again, a major security issue.
Your idea is beautiful in its simplicity and I’m not sure why it never occurred before.
As you rightly say, it’s a ‘pretty simple password generator’ and one which I will be employing from now on – using my own formula of course!
Cheers!
Brilliant, glad to hear you’ll find this useful Gary!
I like this idea, but for a dyslexic such as myself it may cause problems. It is reminiscent of the way in which online banking systems ask for the 5th, 6th and 7th letter of your password. This causes me great difficulty. I have to write out my password and count the letters, which obviously compromises the security of my password. Although your password generation system would not carry the same risks, it might take me a long time to work out my password, as I would have to write out the website address and count the letters.
Thanks for your comments Rhodri, really useful. It’s a pity you can’t make use of the idea as it is, but perhaps it’ll give you some inspiration for finding other solutions. If so, do let me know. I appreciate that the approach used by banking systems makes this a lot trickier whatever password you come up with!
(I’d asked Rhodri to comment on my idea following his post on Webcredible – Passwords and Swearwords – looking at the problem of websites making passwords unfriendly for dyslexics.)
The idea is a good one, but while it’s a good way to secure your other accounts from an automated attack, it’s not solid enough against a human attack. Personally I use a similar method, but I “hash” the result with sha1 or md5 for example, and I use a subset of the result as the password. Example:
md5(account name + service + dash + key)
you then extract the first 8 characters and you’ll have something like: eb294rvt
you can even spice the whole thing up with symbols or capital letters, for example: -Eb294rvt.
A bit more complex but a lot more secure.
Hope it helps.
Regards
yann
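The hash-based variant described in the comment above, as an added example (my code, not Yann's or the article's). The exact input order, the separator and the account and service names are assumptions; the comment does not fix them. A hex digest is made up of the characters 0-9 and a-f, so eight of them carry at most 32 bits. The hash hides the site name and the rule, which is the improvement over the plain formula, but it does nothing to protect a short key: the last function shows that if the scheme is known, one leaked password lets an attacker recover a numeric key by trying every candidate, which a fast hash like md5 or sha1 makes cheap.

```python
# Added example, not from the original post or its comments: a hash-based variant of
# the formula in the spirit of Yann's suggestion, with a check of what it protects.
# Input order, separator and the account/service names are assumptions.
import hashlib
import itertools
from typing import Optional

HEX_CHARS = set("0123456789abcdef")

def hashed_password(account: str, service: str, key: str,
                    algo: str = "md5", length: int = 8) -> str:
    """hash(account + service + '-' + key), keeping the first `length` hex characters.
    A hex digest only contains 0-9 and a-f, so `length` characters carry at most
    4*length bits: 32 bits for the default of 8."""
    msg = f"{account}{service}-{key}".encode()
    return hashlib.new(algo, msg).hexdigest()[:length]

def decorate(truncated: str) -> str:
    """Add the 'spice' the comment suggests, deterministically so it can be re-derived:
    a leading dash and the first letter (not digit) in upper case."""
    chars = list(truncated)
    for i, c in enumerate(chars):
        if c.isalpha():
            chars[i] = c.upper()
            break
    return "-" + "".join(chars)

def recover_numeric_key(account: str, service: str, leaked: str,
                        max_digits: int = 4, algo: str = "md5") -> Optional[str]:
    """Attacker check: if the scheme is known and the key is a short number, one leaked
    password (decorated or not) pins the key down by brute force. A fast hash gives no
    protection here; only the size of the key space does. Returns the key or None."""
    target = leaked.lstrip("-").lower()      # undo the decoration, which is public
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            key = "".join(digits)
            if hashed_password(account, service, key, algo, len(target)) == target:
                return key
    return None

if __name__ == "__main__":
    pw = hashed_password("alice", "hotmail", "123")       # constructed account and key
    print("derived:", pw, "decorated:", decorate(pw))
    print("recovered key:", recover_numeric_key("alice", "hotmail", pw))
    print("recovered key for a long passphrase key:",
          recover_numeric_key("alice", "hotmail", hashed_password("alice", "hotmail", "correct horse battery")))
```

The brute-force loop finishes in well under a second for four-digit keys on ordinary hardware, so with this construction the key has to be a proper passphrase, not a memorable number. Even then, the truncated output has at most 32 bits, so the derived password is only as strong as the site's own protections allow, and a leak of any one of them should be treated as a leak of the scheme.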
Thanks Yann, some good ideas for adding extra complexity to the system.
Interesting point about it being less secure against manual attacks. I did some testing on my passwords by giving people the passwords to two systems and seeing if they could guess a third one based on the similarities. None of them could, although I agree it’s not impossible to crack.
As with all passwords, the more complex you make them, the better they are!