Sunday, December 22, 2013

How I Keep Track of My Passwords

We all know that you shouldn't re-use the same password on different websites, but this is extremely difficult in practice considering the number of sites people use today.  Password managers were developed to help solve the problem of remembering passwords.  Some examples are KeePass, Password Safe, and LastPass.  They work fine for many people.  However, I personally don't like the idea of depending on a password manager.  I want the ability to pull the correct password out of my brain in case I'm ever in a situation where I don't have access to the password manager.  There's also a risk that the stored passwords could be compromised (a risk that applies to any stored data, encrypted or not).

I have over 100 different passwords, but I don't have any problem remembering them.  I don't write them down or use any sort of password manager.  I came up with a system that enables me to remember my passwords.  It works for me, so I'm sharing the technique in case anyone else thinks it might be helpful.

With my system, you only have to remember two things.

  1. Your "core" password.
  2. Your scheme.

First, come up with a strong core password of about 8 or 9 characters.  This core piece should be gibberish and needs to have a combination of lowercase letters, uppercase letters, and numbers.  An example is kM92ax43.  Whatever you decide upon, memorize it.

Second, pick a scheme based on the website's domain name.  The scheme will be used to supplement your core password.  As a simple example, you could look at the last 3 characters of the site's domain, shift each one forward by one letter (a Caesar shift of one position, sometimes called "ROT1"; it is a simple reversible substitution, not real encryption), and append the result to your core password.  So, for the site "", we see the last 3 characters of the domain are "ess".  Therefore the 3 additional characters would be "ftt" and your final password becomes kM92ax43ftt.

For, your final password is kM92ax43jou.

For, your final password is kM92ax43buu.

Tweak your scheme however you want before finalizing it.  Some possibilities:
  • Prepend the first derived character to your core password and append the other two
  • Capitalize one or two of the letters
  • Shift back two letters ("ROT24", i.e. subtract two with wrap-around) instead of adding one
  • Look at the first two characters + the last character of the domain, instead of the last three
You get the idea.  The scheme remains constant, but your password changes from site to site.  Whatever you decide, never tell anyone your core password or your scheme.
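As an added example (not the author's code, nor any tool mentioned on this page), here is the scheme above implemented in Python, with the listed tweaks as parameters of a small Scheme record, plus a check for the two site rules the P.S. says break it (a short maximum length and a mandatory special character).  The post does not say exactly which part of a domain it reads characters from, so site_label assumes the registrable label with "www." and the TLD stripped; the hostnames "www.example.com" and "example.org" and the names rot, site_label, Scheme, derive and fits_site are constructed for illustration.

```python
import string
from dataclasses import dataclass
from typing import Optional, Tuple

LOWER = string.ascii_lowercase


def rot(text: str, shift: int) -> str:
    """Caesar-shift every ASCII letter in text by shift positions, wrapping
    around the alphabet. shift=1 is what the post calls "ROT1", shift=-2 is
    "ROT24". Digits and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            moved = LOWER[(LOWER.index(ch.lower()) + shift) % 26]
            out.append(moved.upper() if ch.isupper() else moved)
        else:
            out.append(ch)
    return "".join(out)


def site_label(hostname: str) -> str:
    """Reduce a hostname to the label the scheme reads characters from.
    ASSUMPTION (the post does not spell this out): drop a leading "www."
    and the final label (the TLD), so "www.example.com" -> "example".
    Two-part public suffixes such as ".co.uk" are not handled."""
    parts = hostname.lower().strip(".").split(".")
    if parts[0] == "www" and len(parts) > 1:
        parts = parts[1:]
    if len(parts) > 1:
        parts = parts[:-1]
    return parts[-1]


@dataclass(frozen=True)
class Scheme:
    """The memorized rule. Each field is one of the tweaks the post lists;
    the defaults reproduce its basic example (last 3 chars, ROT1, appended)."""
    take: str = "last3"                  # "last3" or "first2last1"
    shift: int = 1                       # 1 = ROT1, -2 = ROT24
    capitalize: Tuple[int, ...] = ()     # indexes of derived chars to upper-case
    split: bool = False                  # True: first derived char in front, rest behind


def derive(core: str, hostname: str, scheme: Scheme = Scheme()) -> str:
    """Combine the core password with characters derived from the site."""
    label = site_label(hostname)
    if scheme.take == "last3":
        picked = label[-3:]
    elif scheme.take == "first2last1":
        picked = label[:2] + label[-1:]
    else:
        raise ValueError(f"unknown selection rule {scheme.take!r}")
    extra = rot(picked, scheme.shift)
    extra = "".join(c.upper() if i in scheme.capitalize else c
                    for i, c in enumerate(extra))
    if scheme.split:
        return extra[0] + core + extra[1:]
    return core + extra


def fits_site(password: str, max_len: Optional[int] = None,
              needs_special: bool = False) -> bool:
    """The two site rules the P.S. says break the scheme. Returns False when
    the derived password cannot be used as-is and the site has to be
    treated as an exception (remembered separately)."""
    if max_len is not None and len(password) > max_len:
        return False
    if needs_special and not any(c in string.punctuation for c in password):
        return False
    return True


if __name__ == "__main__":
    core = "kM92ax43"                    # the post's sample core password
    tweaked = Scheme(take="first2last1", shift=-2, capitalize=(1,), split=True)
    for host in ("www.example.com", "example.org"):   # constructed hostnames
        basic = derive(core, host)
        print(host, basic, derive(core, host, tweaked),
              "fits max_len=10:", fits_site(basic, max_len=10))
```

With the defaults, "www.example.com" yields kM92ax43qmf ("ple" shifted to "qmf"), and the tweaked scheme turns "example" into "exe", shifts it back two to "cvc", capitalises the middle letter and splits it around the core, giving ckM92ax43Vc.  Running fits_site with max_len=10 on the basic result returns False, which is exactly the kind of site the P.S. treats as an exception.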

P.S.  My system isn't perfect.  It doesn't work on sites that have a short maximum password length (like 10) or have onerous password requirements (like requiring a special character).  It also doesn't work for my Windows domain account or my home router where I'm not actually logging into a website.  I treat these as exceptions and remember them separately.  I do keep notes about exceptions as well, but I rarely need to refer to them.  Keep in mind, too, that the per-site part is a simple reversible transform of the domain, so anyone who obtains one of these passwords in plaintext (for example from a site that stored it unhashed) can read off the core, and with a second one can work out the scheme.


Anonymous, 12/26/2013 1:55 PM

How do you handle changing your password on a site that has had creds compromised? Or sites that actually enforce periodic password changes?

Dave Ferguson, 12/26/2013 7:06 PM

Fortunately, those events are very rare, so I just treat them as exceptions. There's only one public-facing site I use out of about 80 that forces regular password changes on me. That particular "security" feature drives me nuts.
