Wouter Smet

On web startups, technology, music and growth

My password strategy: gibberish string + app string + mini-algorithm

Because not a week seems to go by without a major service being hacked these days, it’s more important than ever to drop that ‘same password for all services’ approach if you are still using it. Make it your 2014 resolution!

I used to use the same password for different services I considered to be in a certain ‘importance level’ (roughly banks > emails > social networks > tools I plan to only try once), but some tools turned out to change ‘importance level’, while others didn’t fit neatly into one category… So while this already felt quite secure to me, it was not ideal.

I also hate using a desktop app or USB key or something like that to generate and manage your passwords because it defeats the good part about cloud apps being accessible from any computer. I want to remember my passwords myself, especially since I always say no to browsers offering to remember it for me.

There are as many ‘password strategies’ as there are people it seems. So, here’s mine.

Let’s start with a laugh, with the now infamous comic by XKCD on the topic:


I am often annoyed by people taking this approach seriously online, because while entropy + easy to remember is nice, it overlooks the fact that a good password is short (I mean as in 10 characters, not 4 characters, but not 30 either). That is because it is hard to correct yourself, or remember where you were in your password, when it looks like *************************************** in the input box. All the more so on mobile.

Properties of a good password

So, in my humble opinion, a good password should be:

  1. Between 8 and about 15 characters. Shorter and some sites will complain that it’s too short; longer and it suffers from the same problem I mentioned above.
  2. Easy to remember, so you don’t have to waste time when logging in to a service.
  3. ‘dictionary attack’ secure: not just an English word or a concatenation of words and your birthdate or whatever, because those can be cracked using a dictionary or ‘rainbow table’ attack, for sites that don’t salt their passwords.
  4. ‘reuse’ secure: if somebody knows your password for one site (either because they hacked something, or you gave it to them, see below), they shouldn’t be able to use it on other sites.

So here’s how I do it. It satisfies the above criteria, and you don’t have to be a genius to remember it.

Some ‘special cases’ before we get to the jackpot

First, some ‘special cases’ you may consider, before I divulge my super-duper password strategy that I think everybody and their mom should adopt.

1. Trivial passwords for things you are likely to share

You do require a login to your computer, right? In any case, this is a password very likely to be shared with people (close to you) at some point. They want to change the music at your dinner party while you are cooking in the kitchen, your flatmate needs to look up something that’s on your computer while you are in another country…

So this should be separate from any other password, and can be a simple word with a number after it or something, so you can easily say it over the phone.

Another one for this is your home wifi network. Make this easy to remember and share. For me it’s just a very close variation of the network name, and this has worked well so far.

2. Something similar could apply to some services used at your job, depending on what kind of work you’re in.

3. A separate password for banks and e-mail? Because this is really the most important thing of all, I have a totally separate password for my gmail and banks, which are long, impossible to guess, and cannot be deduced from the below strategy.

But I think these exceptions are just because I’m paranoid. If you simply include the above cases in the below strategy rather than memorizing a ‘special case’ for them you’re probably still way better off than whatever you’re doing now.

The killer approach: gibberish string + app-specific string + mix-up algorithm

So, here we have it. My ideal password is a mix between something that depends on, and is easily – but not trivially – deduced from, the app name, plus a string of random ‘typical’ password gibberish. This satisfies all of the good password criteria I listed above, and ensures I score ‘very strong’ on about every ‘security level’ meter they put next to passwords. Feels good man.


So, for example: the gibberish string is Bxx12ab!3. Containing an uppercase letter, a number and a symbol, and being over 8 characters, it satisfies virtually every ‘safe enough’ check on sites, both in length and ‘complexity’.

The second part is the ‘algorithm’ that depends on the app it is for, so that the password is unique to the app. That prevents it from being reused should that app be hacked, or should you exceptionally have to give the password to somebody else.

Here, for example, you can use ‘reverse the first 2 characters of the app name and attach them at the end’. So your password for GitHub becomes Bxx12ab!3Ig, your password for Facebook becomes Bxx12ab!3Af, et cetera. If somebody gets hold of more than one of your passwords they might spot the pattern, but from just seeing one it’s hard to guess. And that makes it infinitely better than just reusing the same password.

The one thing that isn’t covered yet is the annoying habit some tools have of forcing you to change your password every X months, while requiring that it’s different enough from the previous one. This typically leads to people writing the password on a post-it note, defeating the purpose. But for this, you can have a strategy like ‘increase the a by one in the alphabet, and the 3 by one’. So if GitHub were to require a change you could change it into Bxx12bb!4Ig.
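The three rules above (base string, app suffix, forced-change rotation) written out as a small script, added here as an example and not code from the post. It also checks a caveat the post does not mention: because the suffix depends only on the first two letters of the app name, apps that share those letters (github/gitlab, facebook/fastmail) end up with the identical password, so the ‘reuse secure’ goal only holds between apps whose names start differently. The app names and the rotation helper’s wrap-around are constructed for the example.

```python
import string

# Base gibberish string taken from the post (sample value, not a real password).
BASE = "Bxx12ab!3"


def app_suffix(app: str) -> str:
    """Post's rule: reverse the first two characters of the app name and
    capitalise the pair (github -> 'Ig', Facebook -> 'Af')."""
    first_two = app.strip().lower()[:2]
    return first_two[::-1].capitalize()


def derive_password(base: str, app: str) -> str:
    """Gibberish string + app-specific suffix."""
    return base + app_suffix(app)


def rotate_password(password: str, letter: str = "a", digit: str = "3") -> str:
    """Forced-change rule from the post: bump the first 'a' and the first '3'
    by one each (Bxx12ab!3Ig -> Bxx12bb!4Ig). Wrapping z->a and 9->0 is an
    assumption added here; the post does not say what happens at the end."""
    def shift(ch: str) -> str:
        if ch in string.ascii_lowercase:
            return string.ascii_lowercase[(string.ascii_lowercase.index(ch) + 1) % 26]
        return string.digits[(string.digits.index(ch) + 1) % 10]

    out = password
    for target in (letter, digit):
        i = out.find(target)
        if i != -1:
            out = out[:i] + shift(target) + out[i + 1:]
    return out


def meets_criteria(password: str) -> bool:
    """The post's mechanical criteria: 8 to 15 characters, plus the
    uppercase / digit / symbol mix that satisfies site strength meters."""
    return (8 <= len(password) <= 15
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def suffix_collisions(base: str, apps) -> dict:
    """Return every password that more than one app maps to: for those
    pairs the scheme degrades to plain password reuse."""
    seen: dict = {}
    for app in apps:
        seen.setdefault(derive_password(base, app), []).append(app)
    return {pw: names for pw, names in seen.items() if len(names) > 1}
```

Running `suffix_collisions(BASE, ["github", "gitlab", "Facebook", "fastmail", "twitter"])` reports two colliding pairs; picking a suffix rule that uses more of the name (or a less guessable transform) removes them.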

Conclusion

So, that’s my password strategy. After Apple pissed me off with the requirements for their Apple ID password and I resolved to fix this mess once and for all, it took me about 30 minutes to go fix this in all the apps that I could think of, and then another month of doing this whenever I logged into an app I hadn’t fixed yet.

So, in summary, I have to remember:

  • One gibberish ‘strong password’ string.
  • One ‘algorithm’ to transform the app name.
  • Some easy passwords that are likely to be shared with others.
  • Some additional passwords and/or gibberish strings for e-mail/projects I am collaborating on/…

It’s reasonably doable to remember this (especially since you’ll be typing your gibberish string over and over again), it never gets complaints from an app that it’s not secure enough (au contraire!) and it feels more secure than any other ‘password habit’ I have tried or seen so far.

To get the same level of satisfaction and improvement in life quality as throwing out all your socks and buying 20 identical pairs of black ones, implement this now and make 2014 the year you once and for all stopped worrying about passwords.

What do you think – I am not at all a security specialist so if you are, please let me know: did I miss something here?


11 thoughts on “My password strategy: gibberish string + app string + mini-algorithm”

  1. RootofGood

    Looks like a good strategy. Except you made one mistake. You just revealed the pattern to your password creation. 🙂

    Reply

    1. Wouter

      Hehe, well, neither the gibberish string nor the exact ‘algorithm’ are the ones I use. And hopefully like every security strategy, it’s better than ‘security through obscurity’, so works even when the principle is known!

      Fingers crossed 😉

      Reply

        1. woutersmet Post author

          Good to hear, thanks for the comment!

          Goes without saying that I have another pattern as well 🙂

          Reply

  2. John Doe

    Great idea, I think I’ll adopt it. I actually use a similar algorithm to this in both a site’s email login and password. Gmail has a feature where it ignores any characters after the “+” sign, as well as any periods in the username part of email addresses. So I’ll use john.doe+f@gmail.com for FB, etc. This makes it slightly tougher for them to reuse your email address of another site and also helps if they give your email address to third party companies as you can block any of these addresses if it gets propagated to spammers.

    Reply

  3. Pingback: This is why passwords need to die | المبتكر!

  4. Amodio Pesce

    Really good idea, similar to my strategy.
    But all of this is killed when your online bank system has these requirements for the password:
    1 – Length must be 8
    2 – The first 4 chars must be numbers
    3 – The last 4 can only be alphanumeric with no special symbol
    4 – The system is case insensitive

    Reply

    1. Wouter

      Haha, yeah fuck that, for every password strategy I guess there’s gonna be an asshole that makes it not work.

      But hey, for online banking that has strict requirements you just write your username + password + pin code right on the bank card, right?

      Reply

  5. Pingback: NFTF » This is why passwords need to die

  6. Bill

    Just use a password manager like KeePass, you create one password (a really good one) to get into KeePass, the rest are randomly generated by KeePass and are stored encrypted.

    Reply
