tl;dr ("too long; didn't read")
Many people use the same (often weak) password almost everywhere. That leaves them exposed: one leaked password opens every account. Here's a quick way to greatly increase your password strength without much work.
Keep using your same password, but add the name of the website to it for each place you log in. For example, if your password is kapilina31, change your Facebook password to kapilina31facebook, your Google password to kapilina31google, and your Snapchat password to kapilina31snapchat. Each of those passwords is longer and unique to its site, so a list leaked from one site can no longer be replayed as-is against the others. One caveat: this defeats automated replay of a leaked list, not a person who reads the leaked password and spots the pattern, which is why the rest of this post builds a less obvious system and stores the results in a password manager.
Creating a secure password system 101
I'm going to quickly take you through the characteristics of great passwords and poor ones, give you a few sites that will test strength for you, and finally walk you through three examples of creating a complete and unique password system. Here we go.
Characteristics of Great passwords
- It should have:
  - lowercase letters: asdbasefjnareigp
  - uppercase letters: SDLFNSDLF
  - numbers: 9238738
  - special characters: !@#$&%^(
- It should be:
  - easy to remember
  - unique (different) for every website and use
  - at least 12 characters in length (I prefer over 15)
- If you write it down or record it anywhere, it should be:
  - encrypted every step of the way (stored, transmitted, and accessed)
  - easy to access from any device
  - held by the 3rd party service with zero knowledge, meaning the service stores only ciphertext it cannot decrypt
The characteristics of a poor strength password and use are:
- Poor strength (it scores lower than recommended on the three tests below)
- It is the same or very similar to other passwords you use on different websites
- It is saved in a browser (chrome, Safari, Firefox, Internet Explorer, etc.)
- It is written down on a paper stored by your computer at home or office
- It is stored in a “note” program in plain text on your device(s) or computers (Microsoft Word document, Apple Pages, Google Keep, Evernote, Dropbox, etc.)
Check your password strength here
You can check the strength of a password by using these 3 (and other) websites. Keep in mind that meters estimate resistance to blind guessing; they cannot tell that a password reuses a pattern from one of your other passwords, so a high score is necessary but not sufficient:
- The Password Meter (should score a 100%)
- Strength Test (should score a “Strong”)
- How secure is my password (should score over a Trillion Years)
Let's create some password systems
We can accomplish the first two points above (and their sub points) in a fairly easy way by using a "password system" instead of individual passwords. We learn and memorize our unique password system, and use it to "generate" an unlimited number of unique passwords that we can recall without difficulty. For the third point I recommend LastPass (if you use this link to create a LastPass account you and I will both get a free month of Premium service); there are other options for that as well. This also avoids every item on the "poor strength password" list above.
We can use some simple rules around a base (or seed) password as our "system." This creates a password that is strong, unique for every website, and still easy to remember, because we only have to remember our simple rules, not the complex passwords they produce.
Starting with a seed
Here is an example of how this works. First let's create a seed. A seed is a phrase that is easy for us to remember and preferably has punctuation or other special characters in it. I'm going to give 3 examples of seeds below (you will need to create your own seed; please do not use any of these examples, since anything published is the first thing an attacker will try):
Seed example #1:
The phrase for this example is: Well done is better than well said. I will modify it some to add punctuation and capitals: Well Done! Is better than well said. Now it has 3 capital letters and an exclamation mark. If I take the first letter of each word, keeping the punctuation I added, it looks like this: WD!Ibtws
A good password seed should have all the characteristics of a "good password" (UPPER CASE, lower case, numbers, symbols) and be at least 10 characters long on its own; the padding added in the next step brings the finished password past the 12-character minimum. So my next step is to add another symbol and some numbers. I'm going to use the symbol # and the number 49. These will always be part of my seed, so my full seed is: WD!Ibtws#49
I'm now at 11 characters just for my seed, and I already have 2 special characters, 2 numbers, and upper and lowercase covered. :)
Seed example #2:
Here's another phrase example: It's the possibility that keeps me going, not the guarantee! That's a little long, so I'm going to shorten it some (knowing that in the next step around 6 characters of padding get added around the phrase): Possibility keeps me going, not guarantees! Since I'm 38 years old right now, I'm going to add @38. So my seed looks like this: Pkmgng!@38
This is 10 characters, with one uppercase letter, lowercase letters, two special symbols and two numbers.
Seed example #3:
Here's another phrase Google gave me: In three words I can summarize everything I've learned in life: It goes on! Let's shorten this one, add * to the beginning and the end, and add the number 89 split across the two ends. It would look like this: *8 Everything I've learned in life: It goes on! *9, so my seed would be: *8EIlilIgo*9
This one is 12 characters, with upper, lower, symbols and numbers.
Now add some padding
Padding with some basic rules: Once you have your seed, it is going to be the core of every password you create. In other words, every password will have that part in it, but will ALSO have some additional unique padding derived from the site name. Here are some basic rules (numbered, since the examples below refer to them by number):
Rules of 3:
- Rule 1: First 3 letters
- Rule 2: First 3 vowels
- Rule 3: Last 3 letters
- Rule 4: Last 3 vowels
With these modifications:
- Mod 1: All UPPER
- Mod 2: All lower
- Mod 3: First Upper Rest Lower
- Mod 4: lasT uppeR, resT loweR
Combine the seed and padding
Full password for example #1:
Now let's apply these to the three seeds above, and I will give examples for the same 3 websites for each completed system. For example #1, I'm going to use rules 1 & 2 with modifications 1 & 2: rule 1 with mod 1 goes before the seed, and rule 2 with mod 2 goes after it. So if the website was amazon.com, rule 1 with mod 1 would be AMA (first three letters, ALL UPPER), and rule 2 with mod 2 would be aao (first 3 vowels, all lower). That is my additional unique padding for the complete password. Here are some examples:
- Password for the websites:
- amazon.com = AMAWD!Ibtws#49aao
- google.com = GOOWD!Ibtws#49ooe
- facebook.com = FACWD!Ibtws#49aeo
- I can run any of those unique passwords through the websites above and get the recommended or higher scores, so they are strong by that measure. They are also unique per site, which matters when a site is breached. If Facebook were hacked, for example, and the attackers got a list of thousands of emails and passwords, they could run that list against other sites (Google, Amazon, etc.) in a few seconds and learn which accounts they can get into. With a reused password that gives them every site; with a unique password per site it only grants them access to the one site that was breached. And when something does go wrong, I only have to change 1 password, not every password because they are all the same or extremely similar.
Full password for example #2:
For our next example let's use rule 4 with mod 3 on both sides of the seed. For amazon.com this would be Aao (last 3 vowels, First Upper, rest lower); for facebook.com the vowels are a, e, o, o, so the last 3 give Eoo. My entire password would be this for the following websites:
- amazon.com = AaoPkmgng!@38Aao
- google.com = OoePkmgng!@38Ooe
- facebook.com = EooPkmgng!@38Eoo
Full password for example #3:
Finally, for our third example we will use rule 3 with mods 3 & 4. For amazon it would be Zon (last three letters, First Upper) before the seed and zoN (last three letters, lasT uppeR) after it. So the full password would be:
- amazon = Zon*8EIlilIgo*9zoN
- google = Gle*8EIlilIgo*9glE
- facebook = Ook*8EIlilIgo*9ooK
In the above examples I ignored the trailing .com of all the names; you can use the full domain name if you prefer, and that's another modification you can have. I also didn't show any short domain names, such as Barnes and Noble (which is bn.com), in my examples. You need to decide whether to use a special "filler" character when there aren't 3 characters available, or to skip the rule, or to do something else. Finally, some websites really prevent you from having a secure password by limiting the length or characters you can use (ironically these are typically financial institutions), so you need a rule for how you handle an exception. By having a simple, clear rule for every case, you will be able to recreate the password in your head accurately each time.
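The "Rules of 3", the case modifications, the three worked systems above, and the "characteristics of great passwords" checklist, written out as one runnable Python script. This is an added illustration, not code from the original post: the function names, the (rule, mod) pair notation, and the rule that short names such as bn.com are padded on the right with the letter x are assumptions made here so that every case has a deterministic answer.

```python
"""Worked example of the seed + padding password system from this post.
Added illustration, not the author's code. Function names, the (rule, mod)
pair notation and the filler rule for short domains are assumptions."""

VOWELS = set("aeiou")


def site_letters(site):
    """Reduce a site name to its letters: 'amazon.com' -> 'amazon'.
    Like the post, this ignores the trailing .com (only the first label is kept)."""
    label = site.strip().lower().split(".")[0]
    return "".join(c for c in label if c.isalpha())


def rule_of_3(site, rule, filler="x"):
    """Rules of 3 from the post:
      1 = first 3 letters, 2 = first 3 vowels,
      3 = last 3 letters,  4 = last 3 vowels.
    Short names (bn.com) are padded on the right with `filler` so the
    result is always exactly 3 characters; that filler rule is an assumption."""
    letters = site_letters(site)
    vowels = "".join(c for c in letters if c in VOWELS)
    pool = letters if rule in (1, 3) else vowels
    if rule in (1, 2):
        chunk = pool[:3]
    elif rule in (3, 4):
        chunk = pool[-3:]
    else:
        raise ValueError(f"unknown rule {rule}")
    return (chunk + filler * 3)[:3]


def modify(chunk, mod):
    """Case modifications from the post:
      1 = ALL UPPER, 2 = all lower,
      3 = First Upper Rest Lower, 4 = lasT uppeR, resT loweR."""
    if mod == 1:
        return chunk.upper()
    if mod == 2:
        return chunk.lower()
    if mod == 3:
        return chunk[:1].upper() + chunk[1:].lower()
    if mod == 4:
        return chunk[:-1].lower() + chunk[-1:].upper()
    raise ValueError(f"unknown modification {mod}")


def derive_password(site, seed, prefix, suffix):
    """Build prefix + seed + suffix, where prefix and suffix are (rule, mod)
    pairs, e.g. (1, 1) = first 3 letters, ALL UPPER."""
    before = modify(rule_of_3(site, prefix[0]), prefix[1])
    after = modify(rule_of_3(site, suffix[0]), suffix[1])
    return before + seed + after


def meets_characteristics(password, min_len=12):
    """The 'characteristics of great passwords' checklist: lowercase,
    uppercase, a digit, a special character, and at least min_len characters."""
    return (
        len(password) >= min_len
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


# The three systems from the post: (seed, prefix rule/mod, suffix rule/mod).
SYSTEMS = {
    "example 1": ("WD!Ibtws#49", (1, 1), (2, 2)),
    "example 2": ("Pkmgng!@38", (4, 3), (4, 3)),
    "example 3": ("*8EIlilIgo*9", (3, 3), (3, 4)),
}

if __name__ == "__main__":
    # bn.com is included to show the short-domain filler rule in action.
    for name, (seed, prefix, suffix) in SYSTEMS.items():
        print(name)
        for site in ("amazon.com", "google.com", "facebook.com", "bn.com"):
            pw = derive_password(site, seed, prefix, suffix)
            print(f"  {site:13} {pw:24} checklist={meets_characteristics(pw)}")
```

Running it reproduces the passwords listed for the three systems and shows what bn.com becomes under each one. The checklist function also makes the tl;dr point concrete: kapilina31facebook fails it (no uppercase, no special character), while every password the systems produce passes.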
Since your seed is the same in all passwords, typing any password strengthens your ability to remember ALL your passwords, even though each is unique. I recommend writing them all down in LastPass. The vault is encrypted on your own device with a key derived from your master password, so even LastPass cannot see your information (that is what "zero knowledge" means here). As a benefit you can also store your credit card and other sensitive information in it, and then securely access it from any and all of your devices (though depending on your use and number of devices, it may cost you $12 per year, billed yearly).
To review: start with a phrase, and add to it (if needed) so it has at least 2 special characters and 2 numbers as well as at least 2 lowercase and 2 uppercase letters. Then pick your rules for the unique padding based on site names, and finally come up with your rules for short domains and other exceptions (which you can do when the need arises). Once you have a system in place, I recommend using LastPass to store everything, and now you will have a strong password to use for it. This matters most for the master password: the strength of your LastPass encryption is based on the strength of that one password, so it must be strong from the start.
Final thoughts: these new passwords may not be as "convenient" to type as your old (or current) weak and insecure passwords. They may take you several seconds longer every time you type a password from now on. However, in many other ways this puts you in a much stronger position to avoid being inconvenienced in very real and exposed ways. I've taught this system to very young children (ages 10 & 12) as well as seniors (ages 80+), and they are equally capable of using it. I've taught people I thought were a little light-headed and people who were very intelligent, and they are equally able to use the system. Most agree it is slightly less convenient; some do not mind at all.
Let me know your thoughts,