A few days ago OneMint was attacked, and embarrassingly enough, someone or some machine had simply guessed my password. I now know that this wouldn’t have been too hard: a desktop PC would have needed just 3 days to figure out my password.
I have been on a mission to change my passwords since then, but there are two challenges. You can come up with and remember one strong and unique password, but it is very hard to come up with and remember 20 unique ones. I say twenty because that’s the number of passwords I need for accounts that have some financial aspect to them. If you include all of my passwords, I’m sure the count would go over 150.
The other approach is to keep some sort of formula in your head that generates a unique password for each site, but my struggle so far had been that the result wasn’t unique enough, strong enough, or acceptable to every website.
I’ve overcome all of these, and I have been using my current method quite successfully for the past two or three weeks. If your current passwords can be guessed within days by a desktop PC, I strongly recommend going through this post and seeing whether this method, or a variation of it, works for you.
Step 1: Set up a base formula, meaning a fixed combination of special characters, words and numbers that will always appear in your passwords. For instance, you can decide that all your passwords will start with “%” and end with “ghoda9873*”.
Step 2: Use the name of the website in your password, but with some replacements. For instance, you could decide that if the website’s name is two words, like SBI India, you will only consider the first word, so SBI would be part of your password. Then you could decide that “I” will always be written as “1” in your passwords. By making a few fixed replacements like this, you come up with a password that is unique to each site. In our example, the password for SBIIndia.com would be “%SB1ghoda9873*”, which would take a desktop PC 2 billion years to crack!
If you use this formula a few times and customize it to the way you’re used to thinking, you will be able to set up new passwords quite easily for all your accounts. This has the obvious drawback that if a person comes to know a couple of your passwords, they can guess the rest quite easily, since only the site-derived part changes from one account to the next; but it still beats having a simple password everywhere.
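The two steps above, written out as code so the rule is unambiguous. This is an added example and not code from the post; it uses the post’s own example values (prefix “%”, suffix “ghoda9873*”, the “I” → “1” replacement) and assumes the site is given as the name you think of it by (“SBI India”), not as a domain. The `fixed_fraction` function is also an assumption of mine: it quantifies the drawback the post names, by reporting how much of each derived password is identical across every site.

```python
"""Formula-based password derivation, as described in the post (added example)."""

# Fixed "base formula" parts from the post: every password starts with "%"
# and ends with "ghoda9873*". These are the post's example values.
PREFIX = "%"
SUFFIX = "ghoda9873*"

# The post's example replacement rule: every "I" becomes "1".
# Applied case-sensitively (assumption; the post does not say).
REPLACEMENTS = {"I": "1"}


def site_token(site_name: str) -> str:
    """Step 2: take the first word of the site's name and apply the replacement rules."""
    first_word = site_name.split()[0]
    return "".join(REPLACEMENTS.get(ch, ch) for ch in first_word)


def derive_password(site_name: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> str:
    """Step 1 + Step 2: wrap the site token in the fixed prefix and suffix."""
    return f"{prefix}{site_token(site_name)}{suffix}"


def fixed_fraction(site_name: str) -> float:
    """Fraction of the derived password that is the same for every site.

    Everything except the site token repeats from one account to the next,
    which is exactly the drawback the post points out.
    """
    password = derive_password(site_name)
    return (len(PREFIX) + len(SUFFIX)) / len(password)


if __name__ == "__main__":
    # Constructed sample site names for illustration.
    for site in ("SBI India", "HDFC Bank", "ICICI Direct"):
        pw = derive_password(site)
        print(f"{site:14s} -> {pw}  ({fixed_fraction(site):.0%} of characters shared with every other site)")
```

For “SBI India” this reproduces the post’s “%SB1ghoda9873*”; 11 of its 14 characters are the fixed part, which is what makes the scheme easy to remember and also what lets someone who learns two of your passwords infer the formula.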
24 thoughts on “A practical way of generating strong and unique passwords”
Proud of you.
Thanks for sharing. I have some passwords, too, and sometimes it’s pretty hard to remember which password belongs to which account…
Very good article. I also use a variation of the technique that you have suggested for all Financial sites. For Non-financial sites I have a common password or use the “forgot-password” link to generate password.
One IMPORTANT aspect which I think you have missed is that the password should be guessable by your spouse, in case of your death or other eventualities. So here is what I suggest:
Create an email account with Google/Microsoft. As is known, both of these provide docs (Excel or Word) capability. Do not share the account name with anybody. Do not use it for any other purpose. Create a Cloud document (Excel or Word) in this account. Have a very strong password for this account. Let your spouse know the password.
Put your account number/folio number/user id etc in this doc. Also put the password *with sufficient masking and hints* in this document. Change this document whenever you change passwords.
Example of “masking and hints”: M*****@mm07 (Holiday destination in 2007, where mm stands for the month). This would be guessable by your spouse (assuming you went on a holiday with her/him 🙂 !!).
This is a great, great idea! I really like the separate email account idea. I created it and was able to move a file from my main gmail to this account but then stopped because my main gmail is protected by secondary authentication and this new one is not yet protected by that. Thinking about this a little bit, and then maybe I will end up transferring it.
How about using services like 1Password or lastpass for Password management ?
Google Authenticator is a good option.
But just a little warning on that one. You rely too much on your phone and backup pass codes. If you lose them then there is no going back.
I use Google Authenticator but didn’t know I can use it with WordPress, I am going to still avoid that because who knows what happens if ever the plugin stops working. Keeping the codes secure is very important, I have emailed a copy of the codes to my dad and my wife just in case.
On another note, the time in your comments shows UTC while it should have been IST 😛
I will change that tomorrow Anil, thanks for pointing it out! I like your ideas as well! Much appreciated!
Why not use Google Authenticator as an additional token?
I have added Google Authenticator to whatever I use. Examples are ssh, WordPress, Gmail, Dropbox, etc.
It’s impossible to guess. You just need to have your backup codes somewhere stored.
I use Qwertycards for my passwords. It’s an offline password manager, a plastic card, which allows me to make strong passwords for all the sites I access. I don’t use online password managers, but if I did I would use my card to make a master password.
Jason, I looked at this but I’m not sure what the offering is here: you buy this credit-card-like plastic card, and it generates and stores passwords for you that you can keep in your wallet? Is that right?
Many people have pointed out that some websites (e.g. banks) need you to change your password every few months, and it becomes difficult to come up with a new password every time. What I do is I have two passwords – bankpass1 and bankpass2 – and keep shuffling between them. Not very secure, but saves effort :/
Good idea Manas.
Have you considered password managers like KeePass and LastPass?
No, I personally don’t want to go that way.
Your article helps to generate new passwords which cannot be cracked easily. However, most of the financial institutions have a 3/6 month period after which we are forced to change our passwords. It’s becoming tough to change and remember multiple passwords which have been changed multiple times in a year. Any idea to overcome this?
I add a month year combination at the end of such passwords and then try to change them all at once when the one with the shortest time period expires. It is annoying but the least worst option I can think of. A lot of companies also need you to do this, and if you want to log into your client’s domain then that adds another password or month year combination to remember.
Or, use a password manager, something like LastPass. Works charmingly well.
I am sure it is a great solution for many, but there are some like me who are very averse to giving their passwords to another site, so this won’t work for me :)
All too good. The problem starts coming up when some banking and financial websites start asking you to change the password every x days… :) I tend to then add the month of change to the password, but then you need to remember when you changed the password for that site…!
I guess the basic problem is not generating strong passwords; perhaps one can use your strategy and do that, but the problem I see is that of remembering all of those when required.
There are tools available which let you store the passwords, which in turn are controlled by a master password. Some of my friends use a simple xls sheet which is protected by 1 STRONG master password….!
I used to face that problem with ICICI Direct; thankfully they don’t do it anymore. When they did have that thing going, I used to send myself an email with the same subject every time and the month that was part of the password formula. Yes, even I had a month in my formula for that one 🙂
A great comic on this with some math basis – https://xkcd.com/936/
An even better one for your computer password with other benefits – https://medium.com/the-lighthouse/how-a-password-changed-my-life-7af5d5f28038
And finally I’d recommend LastPass or any tool like that for generating and/or recommending passwords.
I was trying to recall the xkcd I saw about this once; I think it is pretty cool, and hilarious. I’m very wary of using a password manager and giving it all my passwords, so I’m going to pass on LastPass 🙂