
I exaggerate. I’m not really going to tell you my password but I am going to tell you roughly how I created it. You may find it useful when thinking about your own passwords.

Over the years I got into the habit of using the same weakish password for every website I registered on. This was OK for a while, then one of the sites I use got its password hashes published; within a few days they were cracked and my password was there for all to see.

I decided to do the sensible thing and create a strong, unique password for each site I use. The two problems I had are the same as everyone else's:

  1. I wanted the passwords to be easy for me to remember but hard to crack
  2. I wanted them to be easy to enter on my phone

The second design goal was the one which made my approach slightly different to other ones you see around.

Here’s how I make my passwords:

  • To make a password that's unique for every site you need to incorporate some attribute of that site into the password
  • If you have multiple accounts on the site, each should have a different password. So your algorithm needs to take account of your identity too.
  • The password must be long enough to be strong but short enough to enter on a phone keyboard
  • The password should only use the characters available unmodified on your phone keyboard (it's too painful to keep changing the keyset for me)

The characters I have available on my Android phone are the lowercase letters a-z and the punctuation keys “,”, “.” and space. Your phone may be different.

Here are the components of my password:

  1. A word that's memorable to me, let's say "fart"
  2. Some letters from the website's domain name
  3. Some letters from my email address
  4. Some mandatory punctuation

An example. Let’s say I’m signing up to Facebook with the email address dominic@sayers.cc

My password would be fart fcbk ae.. ,,

It’s made up as follows

  1. My memorable word, "fart"
  2. A space
  3. The consonants from the web site's domain name, padded out to a length of 4 by full stops.
  4. A space
  5. The vowels from the domain name of my email address, padded out to a length of 4 by full stops
  6. Some punctuation: a space followed by two commas.

So my password is 17 characters long: not perfect but strong enough for today’s brute force attacks. It uses all the keyspace available without fiddling around on my phone’s keyboard. It’s unique for every account on every website (barring coincidences). It’s easy to remember.
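Here is the scheme described above written out as a small Python script, so you can see each component being built and check the result against the worked example. This is an added example, not code from the original post. It makes three assumptions the post does not spell out: the site component is taken from the leftmost label of the site's domain (facebook from facebook.com), the identity component from the leftmost label of the part after the @ in the email address (sayers from sayers.cc), and a run of more than four letters is cut to its first four before padding.

```python
import string

# Characters available unmodified on the phone keyboard described in the post:
# lowercase letters, comma, full stop and space.
PHONE_CHARSET = set(string.ascii_lowercase) | {",", ".", " "}
VOWELS = set("aeiou")
FIELD_WIDTH = 4  # each site/identity component is padded out to 4 characters


def first_label(hostname: str) -> str:
    """Return the leftmost DNS label, lowercased: 'facebook.com' -> 'facebook'."""
    return hostname.strip().lower().split(".")[0]


def fit(letters: str) -> str:
    """Pad with full stops to FIELD_WIDTH.

    Cutting longer runs to the first four letters is an assumption; the post
    only says the component is padded out to a length of 4.
    """
    return letters[:FIELD_WIDTH].ljust(FIELD_WIDTH, ".")


def site_component(site_domain: str) -> str:
    """Consonants of the site's domain label, in the order they appear."""
    label = first_label(site_domain)
    consonants = "".join(c for c in label if c.isalpha() and c not in VOWELS)
    return fit(consonants)


def identity_component(email: str) -> str:
    """Vowels of the domain part of the email address, in the order they appear."""
    domain = email.rsplit("@", 1)[-1]
    label = first_label(domain)
    vowels = "".join(c for c in label if c in VOWELS)
    return fit(vowels)


def derive_password(memorable_word: str, site_domain: str, email: str) -> str:
    """Assemble the six parts: word, space, site consonants, space, email vowels,
    then the mandatory punctuation (a space followed by two commas)."""
    return (
        f"{memorable_word} "
        f"{site_component(site_domain)} "
        f"{identity_component(email)} ,,"
    )


def uses_only_phone_keys(password: str) -> bool:
    """True if every character can be typed without switching keysets."""
    return all(ch in PHONE_CHARSET for ch in password)


if __name__ == "__main__":
    # The post's own worked example: Facebook signup with dominic@sayers.cc
    pw = derive_password("fart", "facebook.com", "dominic@sayers.cc")
    print(pw, len(pw), uses_only_phone_keys(pw))
```

Running it reproduces the post's example exactly, and the last check confirms the result stays within the a-z, comma, full stop and space keys the post restricts itself to.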

You can obviously vary these elements considerably to suit yourself. For instance you could use the last four letters in the website’s name, maybe reversed or something. Rearrange the elements I’ve used.

This isn’t my actual algorithm, by the way. Just a little bit like it.

Notes:

  1. Please don't tell me about the XKCD cartoon. I know about it. I'm not going to type in a 28-character password on my phone.
  2. A password using this algorithm doesn't lend itself to dictionary attacks or even rainbow table attacks. A brute force attack using today's hardware would take an inordinate amount of time according to this chart: