Everyone knows that passwords should be long, complex, nonsensical and so forth. The problem is that such passwords are impossible to remember, especially when you need a lot of them and they have to be changed periodically. That’s why most users use the same password for all services. However, that is the worst solution; it would be more secure to write all the different passwords down in a notebook. If one service leaks its password database, the attackers will try the same usernames and passwords on Facebook, GMail, Twitter etc., and they often succeed. Then they can expand the identity theft and perhaps convince your friends to step into a trap.
How should you do it?
Make up a permanent password
Make up a password that contains upper and lower case letters, a few special characters and a number. Start with a simple word of at least six characters, let’s say garage. Replace the r with a 4 to get ga4age, for example. Replace the last e with # to get ga4ag#. Capitalize all the vowels to get gA4Ag#. That is starting to look like a proper password. Try to type it on the keyboard. Is it easy enough to type, or should you change something? Ideally you would alternate between keys from both ends of the keyboard, because that is faster to type with two hands. In that sense gA4Ag# is not the best choice, but it will do as an example here. Avoid characters that are specific to your locale. For example, ü or ß appear on every German keyboard but may be hard to find elsewhere. Also avoid currency symbols like $, £ or €. You may one day need to type your password in an Asian internet cafe. Don’t worry about remembering this password. You will learn it by heart because you will use it everywhere and it will never change.
Make up a word for every service you use
Associate a word with every service. For example, payday for your workplace account, airport for a frequent flyer account, doggies for a pet forum, letters for email, and so on. Don’t choose the shortest words. Even better, come up with more personal associations: if you love to fly to beach resorts for vacations, use beaches for the frequent flyer account. Write down the names of the services and the associated words. You can use paper or a notebook, but even better is a file in Dropbox, OneDrive, GMail or similar (but then you must remember that password!). If this list leaks out, it is of no use without the permanent part and the formula.
Invent a formula to combine the two
Make up an algorithm to combine the two. For example: two characters from the service word, then the permanent password, then the rest of the service word. That would make gA4Ag# + beaches = begA4Ag#aches. Or two characters from the service word, two from the permanent password, then the rest of the service word and the rest of the permanent password: begAaches4Ag#. However you do it, make sure your method splits the service word into at least two sections. You can also split on the first or last syllable instead of a character count.
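The two example formulas above written out as plain string operations, an added example that is not part of the original post; the function names, the n parameter and the "at least two sections" check are my own choices:

```python
# Added example: the two combining formulas described in the post.
# Constructed inputs: the post's own permanent password and service word.

PERMANENT = "gA4Ag#"      # the permanent part, never written down
SERVICE_WORD = "beaches"  # the word associated with the frequent flyer account


def _check_split(service_word: str, n: int) -> None:
    """The post requires the service word to be split into at least two
    sections, so the split point must leave characters on both sides."""
    if n < 1 or n >= len(service_word):
        raise ValueError(
            f"split point {n} does not divide {service_word!r} into two sections"
        )


def formula_prefix(permanent: str, service_word: str, n: int = 2) -> str:
    """Formula 1: n characters of the service word, then the permanent
    password, then the rest of the service word."""
    _check_split(service_word, n)
    return service_word[:n] + permanent + service_word[n:]


def formula_interleave(permanent: str, service_word: str, n: int = 2) -> str:
    """Formula 2: n characters from the service word, n from the permanent
    password, then the rest of the service word, then the rest of the
    permanent password."""
    _check_split(service_word, n)
    return service_word[:n] + permanent[:n] + service_word[n:] + permanent[n:]


if __name__ == "__main__":
    print(formula_prefix(PERMANENT, SERVICE_WORD))      # begA4Ag#aches
    print(formula_interleave(PERMANENT, SERVICE_WORD))  # begAaches4Ag#
```

Changing n (or passing the length of the first syllable) gives the syllable-based variants the post mentions; a split that would leave the service word in one piece raises an error instead of producing a weaker password.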
These passwords are safe from both dictionary and brute force attacks: they won’t appear in any dictionary, and they are long enough to withstand systematically trying every character combination. If you need to renew a password, you only need to come up with a new word for that service. There is no need ever to change the permanent password or the formula as long as they are kept secret. That’s why you mustn’t write them down!
Deployment
This is how far you can get as a mental exercise only. Actually deploying the scheme takes some effort: you need to log on to every service and update its password. You only need to do this once, but it will take an afternoon or so, since we all have quite a few accounts to manage. Start with the services you use most: workplace account, AppleID, Facebook, GMail… You will later come across services you had forgotten about; always change their passwords to the new system as you log on.
Here is an Excel spreadsheet where you can try the different password rules described: [Download]