Rethinking Passwords

A strong password is the foundation of good online security.

Many of you know that my website was hacked last week. My webhost suggested that I change all of my passwords as a precaution against further hacks. This pushed me to take a step that I’ve been considering for some time. I’ve been thinking about a way I could create a custom password for each site I use that is also easy to remember.

I’ve had this idea for a while and yet I didn’t think it was urgent, so I never invested the time to flesh out my plan. Now I have my plan and I’m updating my passwords as I use sites. I thought you might want to know the strategy behind my custom yet easy to remember password strategy.

Strong Password Components

There are several things you should include to make a strong password.

  • Use a combination of upper and lower case letters.
  • Include both letters and numbers.
  • Don’t use your name, family member names, or pet names.
  • Don’t use your birthday, family member birthdays, anniversaries, or other dates people can link to you.
  • Don’t use words that are found in the dictionary or the word “password.”

Some computer security resources encourage you to include symbols, but some sites don’t allow symbols in a password. Also, there is no generally accepted standard for password length.

My Password Components

I set out to create 12 character passwords that were unique to each login and yet easy to remember. I do this by stringing together components and developing a few standard descriptions.

In general, my password strategy works like this:

P P P P U U U T D D D D

  • PPPP = a quote or phrase. For example: “Be the Change You want to see in the world.”
  • UUU = a use code that tells whether I use the site/account for personal (PER=737) or for my company (COM=266). I created these three character codes and converted them to numbers using the telephone keypad.
  • T = a site/account type (E=email, S=site (general), F=financial, C=client, B=blog, etc). I came up with a short list of these site/account types.
  • DDDD = account description is the name of the site (unique for each site).

Example Passwords

Using this strategy, I would create the following passwords:

  • For my Paypal account: BtCY266fPAYP
  • For my personal Yahoo email account: BtCY737eYAHO
  • For my business Yahoo email account: BtCY266eYAHO
  • For my personal Gmail email account: BtCY737eGMAI
  • For my business Gmail email account: BtCY266eGMAI
  • For my webhost account for my art blog: BtCY737bLAUG

I call these my Gandhi series passwords (the author of the quote). At some point in the future, I may change my passwords and I will use a different quote, perhaps one by Rumi, and I’ll call those my Rumi series passwords.

Obviously, these are not the exact passwords I use for my accounts. I’ve given you these examples to see how I pieced together the components to create unique passwords.
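To make the component scheme and its limits concrete, here is a small added model of it (written for this page, not the author's code). It reproduces the example passwords above from the stated components, implements the telephone-keypad conversion behind PER=737 and COM=266, and counts how few combinations the public-looking components (use code, type letter, site name) leave once the quote prefix of one password is known. The quote, use codes and type letters are the page's; the site-name rule (first four letters, upper case) is inferred from the examples.

```python
"""Model of the PPPP + UUU + T + DDDD password scheme described on this page."""

# Standard telephone keypad, used by the page to turn PER into 737 and COM into 266.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

USE_CODES = {"PER": "personal", "COM": "company"}                      # from the page
TYPE_CODES = {"e": "email", "s": "site", "f": "financial",
              "c": "client", "b": "blog"}                              # from the page
GANDHI = "Be the Change You want to see in the world."                  # from the page


def keypad_code(word: str) -> str:
    """UUU component: map each letter through the phone keypad (PER -> 737)."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.upper())


def quote_initials(quote: str, n: int = 4) -> str:
    """PPPP component: first letter of the first n words, case kept (-> 'BtCY')."""
    words = [w.strip(".,;:!?\"'") for w in quote.split()]
    return "".join(w[0] for w in words[:n])


def build_password(quote: str, use: str, kind: str, site: str) -> str:
    """Assemble PPPP + UUU + T + DDDD; DDDD is assumed to be the first four
    letters of the site name in upper case (inferred from the examples)."""
    return quote_initials(quote) + keypad_code(use) + kind + site[:4].upper()


def shared_chars(a: str, b: str) -> int:
    """How many of the 12 positions two passwords from the same series agree on."""
    return sum(x == y for x, y in zip(a, b))


def remaining_combinations(n_use_codes: int = len(USE_CODES),
                           n_types: int = len(TYPE_CODES)) -> int:
    """Once the quote prefix is known (e.g. one password of the series leaked)
    and the site name is public, only use code x type letter is left to vary.
    With the page's codes this is 2 x 5 = 10 combinations."""
    return n_use_codes * n_types


if __name__ == "__main__":
    personal = build_password(GANDHI, "PER", "e", "Yahoo")
    business = build_password(GANDHI, "COM", "e", "Yahoo")
    print(personal, business, shared_chars(personal, business))
    print("combinations left once the prefix is known:", remaining_combinations())
```

The point a defender should take from the numbers: the only secret component is the quote prefix, so one leaked password from the series effectively exposes the rest of it, which is why the comments below recommend a password manager with unrelated random passwords per site.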

Password Updates

If you have a situation where you are required to change your passwords regularly, you can add a password component to include the month.

  • Add a single letter to identify the month (taking into account months that start with the same letter).
  • Add two numbers to identify the month (01-12).

Insert this password component at any point in your password strategy.

Other Suggestions

Before you jump in, think about these additional ideas.

  • Don’t use my strategy exactly. Create your own components, mix up the order of the components, and come up with your own use codes and account types. Use my strategy to inspire you. The little bit of time you invest to develop your own strategy can save you days of work and much heartache in the future because of a hacked account.
  • Use a different password series for home and work. Even though you have a custom password for each site, it is a good idea to create a different password series for your personal accounts and the ones you use at work. I also have a different series for each client that I use to access their networks and software.
  • Don’t write down your password strategy (component breakout). Commit your password components and the order you use them to memory. Don’t share your strategy with anyone, and don’t write it down where someone could find it and use it against you.

Your turn: Do you have a smart password system that you want to share with us (in general terms)? Here’s your chance to help others.

About author:

Charlene is the information strategist behind Crow Information Design.

5 Responses to “Rethinking Passwords”

  1. Amanda Blum says:

    Every time someone goes through this I just say the same thing: “PASSPACK, dude”. Seriously… look at how much thought and time went into this process:) Plus, at some point you’re still going to lose one and this doesn’t address the holes most systems have in how to recover a password. (so you create a fab password. then a hacker just challenges the system, answers the usually too easy questions and gets your password). Also.. where are you storing these passwords? that’s likely a liability.

    enter passpack. you log in once, you know all your passwords are in one place, it generates super safe passwords for you, and logs in FOR you. you can take it with you wherever you go since it’s in the cloud.

    I was hard to convince, but now I’m sold on it. and it’s free. what’s not to like?

  2. Tomas says:

    Hey Charlene, so sorry to hear about your blog being hacked!

    As for a smart password system, I use something that is very similar to your method so not much new stuff to share there, but there are two items that may interest you.

    The first is an article from Smashing Magazine about ways to protect your WP admin area—unfortunately several of the tips are much more useful when installing WP for the first time but they’re all good tips nonetheless:
    http://is.gd/1NQ5G

    The second link is all about generating passwords and again the article is pretty interesting, but some of the methods it covers (e.g., using a space in your password) aren’t always feasible; it’s still a good read nonetheless. :)
    http://is.gd/1NQl8

    • Charlene says:

      Amanda: Thanks for the great info about Passpack. I’m considering it for one of my new security layers.

      Tomas: Thanks for the insights!!

  3. Brent Logan says:

    Great article. Unfortunately, your technique doesn’t protect your password from unscrupulous sites. Suppose you sign up for an account at scoundrelsRus and they figure out your method of generating passwords (after all, you did publish it on the Internet). Will they be able to guess your GMail password?

    • Charlene says:

      Brent: Actually, the pattern I use is very different from the one I published for security reasons. I invented a second strategy for blog publication. Similar (but not identical) components but different lengths, different codes, and different order. Mine has a capitalization scheme that I didn’t even mention here. I didn’t want to give anyone who uses Google access to my real passwords. I know nothing can prevent a determined hacker, but I can hopefully make it hard for the casual hacker.
