Are you a person who uses the same password across several websites because it is easier to remember? Welcome to the club. Described here is a password strategy that lets you easily remember your passwords for all websites while being more secure (though not entirely secure) than re-using the same password everywhere.
If you are a person who practices secure password practices, then this article is not for you. In fact, this post may upset you, so it is best for your health to stop reading here and go watch some cat videos.
The problem with using the same password at more than one website is that it takes only one site to suffer a security breach for all your accounts to become compromised. If the password to your Twitter login is exposed, it would be simple to use that password to attempt a login at another site with the same login ID and take control of it, because it is likely you used the same email address when signing up for the infinite number of websites out there. Heaven forbid that the same password can be used to access your bank account.
To start you on your way to a more secure password strategy, you are going to pick two passwords: one for non-sensitive websites, and another for sensitive websites. Sensitive websites are considered to be sites that contain personally or financially sensitive information, like your bank, credit card, and government institutions. Non-sensitive websites can be your social media accounts or online merchants where you make purchases.
To choose a password, think of a nonsensical word that satisfies the following:
It cannot be a word in a language you know, or preferably in any language at all. This will prevent dictionary attacks against your password.
It should be pronounceable so that you can easily remember it.
It must be 8 or more letters in length. The longer the better, but within reason so that you can remember it without much struggle.
For example, let’s use: trumblary. It satisfies the three requirements just mentioned.
Next, substitute one or more letters with numbers to make it harder for an attacker to determine the password. The numeric substitution can be anywhere you desire, as long as it is obvious only to you. You can use l33t-speak substitution (google it if you want to know how it works), or letter-ordinal substitution, where you replace a letter with its ordinal position in the alphabet (a=1, b=2, c=3, … z=26).
In the example word, using l33t-speak substitution for the letters ‘l’ and ‘a’, trumblary becomes trumb14ry. Or using letter-ordinal substitution, we can substitute the ‘r’ with its ordinal value of 18 and thus trumblary becomes t18umbla18y.
Optionally, add a punctuation mark or symbol (e.g. !@#$%&*) to the end of the password if the website allows them in the password.
Finally, to make it (almost) unique across any site, add the first letter of the website to the start, and the last letter to the end, of the password. For Facebook, you would add an ‘f’ to the start and a ‘k’ to the end. You can capitalize them for variation.
Using the l33t-speak version of the password, you would get the following passwords for some popular sites:
Facebook: Ftrumb14ry!K
Amazon: Atrumb14ry!N
Netflix: Ntrumb14ry!X
Google: Gtrumb14ry!E
There you have it! A seemingly unique password across the different sites you use. Thus, if one of your passwords is discovered, it will not be usable at another site. Your accounts are somewhat safer than if you had used the same password everywhere. All you need to remember is the imaginary word you have invented, and then prefix and suffix it with the first and last letter, respectively, of the site you are using.
Now repeat the process so that you have one password for sensitive and another for non-sensitive sites. The purpose is to segregate the sensitive and non-sensitive sites, because a non-sensitive site is the more likely one to suffer a security breach. If the hacker is ingenious enough to figure out your password strategy, then only your non-sensitive sites are vulnerable while the sensitive ones stay protected (or vice versa). It offers an extra layer of separation without tremendous mental burden.
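The full derivation above (substitution, symbol, site prefix/suffix, and the two-tier split) written out in Python so each step can be checked against the Facebook/Amazon/Netflix/Google passwords listed earlier. This is an added example, not code from the original post; the leet table, the second nonsense word "blornish" and the site "mybank" are constructed for illustration.

```python
# Added example, not code from the original post: the password derivation
# steps described above. LEET, "blornish" and "mybank" are assumptions.
import string

# Constructed substitution table: the two letters the post replaces in trumblary.
LEET = {"l": "1", "a": "4"}


def leet_substitute(word: str) -> str:
    """l33t-speak substitution on the letters in LEET: trumblary -> trumb14ry."""
    return "".join(LEET.get(c, c) for c in word)


def ordinal_substitute(word: str, letter: str) -> str:
    """Replace every `letter` with its 1-based alphabet position (r -> 18),
    so trumblary -> t18umbla18y."""
    position = str(string.ascii_lowercase.index(letter) + 1)
    return word.replace(letter, position)


def site_password(core: str, site: str, symbol: str = "!") -> str:
    """Wrap the substituted core in the site's capitalised first and last
    letter, with the optional symbol before the suffix: facebook -> Ftrumb14ry!K."""
    return site[0].upper() + core + symbol + site[-1].upper()


def derive_all(cores: dict, sites: dict) -> dict:
    """Two-tier scheme from the post: `cores` maps tier -> substituted word,
    `sites` maps site name -> tier. Returns site name -> password."""
    return {site: site_password(cores[tier], site) for site, tier in sites.items()}


def shared_core(passwords) -> set:
    """The caveat the post itself raises: drop the site prefix letter, the symbol
    and the suffix letter, and every password in a tier collapses to one core."""
    return {p[1:-2] for p in passwords}


if __name__ == "__main__":
    cores = {"non-sensitive": leet_substitute("trumblary"),
             "sensitive": ordinal_substitute("blornish", "n")}  # constructed word
    sites = {"facebook": "non-sensitive", "amazon": "non-sensitive",
             "netflix": "non-sensitive", "google": "non-sensitive",
             "mybank": "sensitive"}  # constructed site name
    passwords = derive_all(cores, sites)
    for site, pw in passwords.items():
        print(f"{site}: {pw}")
    non_sensitive = [pw for s, pw in passwords.items() if sites[s] == "non-sensitive"]
    print("cores left after stripping site letters:", shared_core(non_sensitive))
```

Running it prints the four passwords from the list above plus the sensitive-tier one, and shows that the four non-sensitive passwords reduce to the single core trumb14ry.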
Criticisms
There is no doubt that the method described here is less secure than having a unique random password for each site that requires a password. The reality is that it would be optimistic to expect the typical person who uses the Internet to have unique passwords for each website. People will not and do not do so. It would be impractical for a typical person to remember them all. We are creatures that are mentally lazy and will take shortcuts if we can get away with it. The strategy above offers better security than re-using the same password. By no means is it the most secure.
Disclosure
Personally, I have moved away from this method. I use an encrypted password manager that stores a randomly-generated password for each website that requires a password. It is not a free solution, and not everyone is willing to pay for such a solution. I have.
Realistically, the best password strategy is not an easy option, so a better one should be chosen over none.