pick and remember secure passwords in a low tech and free way

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
This is to announce the creation of a new website: /

The site is free and allows you to print a PasswordCard containing a
grid of random letters and numbers, with colors for rows and symbols for
columns. You keep it in your wallet and it allows you to pick very
secure passwords, and remember them without a thief being any the wiser
if your wallet gets stolen!

Check it out.

Re: pick and remember secure passwords in a low tech and free way

Pepijn Schmitz wrote:

Quoted text here. Click to load it

But you still have to remember a symbol and a color and then remember to
which site that combination is associated.  A lot easier and without
having to carry anything is to remember a simple algorithm in your head
that lets you generate a password that is unique to every domain you
visit.  You pick strings of things you will always remember and then
apply a fixed jumbling rule against each of them and then slap them
together to make a password.  The substring you use for the password.

For <hostname>.<domain>.<tld>, pick a fixed number of letters from the
domain either from the start or end of it.  3 or 4 are sufficient.
Decide if you'll use them in the order in the domain, reverse them, or
move 2 from the back to the front of the string, or whatever jumbling
you want but it's a fixed jumble.  If the domain is shorter than you
fixed length selection from it, start borrowing letters from the TLD
(top level domain; e.g., .com, .org, .net, etc).  So if you always pick
4 characters from the domain but you are visiting, you'd use
"aaco" (if you start the selection from the start instead of the end).
Don't include the period character, just alphabetic characters.  For
this example, say you always pick the last 4 characters from the domain
and your fixed jumble rule is to reverse that string.  When visiting, you'd use "cmbi".  When visiting, you
use "lapm".

Pick 2 to 4 characters that are significant to you.  First & last
initial, middle initial and first initial of mom's or dad's name, last 3
letters of your dog's name, whatever.  Again, this selection remains
fixed so you can remember it.  Again use a fixed jumbling scheme.  You
use lowercase letters for this selection.  Some sites want some
uppercase letters which means on your first attempt that fails then your
second attempt capitalizes the first or last 2 characters (but which
ones get capitalized remain the same).  Say you use your name's initials
which are "vgh" but the fixed jumble rule says to reverse these so you
use "hgv".

Pick some numbers that are significant to you.  Birthmonth + middle 2
digits of 4-digit birthyear, house number for your street address, the
middle 2 digits of your social security number, or any other values you
will always know.  For  this example, say you pick the middle 2 digits
of your birthyear (say it is 1985) and the first digit of your house
number from your street address (say it is 304).  You end up with a
numerical string of 983.  The fixed jumble rule to reverse the string
gives you 389.

Now you have 3 strings of jumbled strings that you can slap together to
make a password.  Because the domain string will change with every
domain you visit, the password will change so it is unique to that
domain.  When you splice these strings together, shove in a punctuation
character between them (since some sites want a non-alphanumeric
character included), like using a period character between the first two
strings and a dash between the last two.  With the above examples, and
using the order for the strings of charstring.domainstring-numstring,
the password when visiting would be hgv.cmbi-389.  The only part
of the password that changes with each domain would be just the domain
string part in your password so that's the only time you really need to
apply your rule of which characters to use from the domain and apply
what is your jumbling rule used on all the substrings.  Yes, only a
portion of the password changes for each domain but each password itself
is a strong password.  If you ever forget the fixed portions of your
password scheme, you know the rules and the data you used to create
them.  These rules are fixed as are the data you use.  

Say your rules for building a password are:
- For the domain substring:
  o Use last 4 characters of domain name.  
  o If the domain name is shorter than 4 characters, borrow the
    remaining characters from the start of the top-level domain (.com,
    .org, etc).
  o Reverse this string. (Fixed jumble rule.)
  o If some uppercase characters are required by a site, they will be
    the last 2 characters in this string.
- For the characters substring:
  o Use the initials for your middle and lastname, in that order.
  o Append the first initial of dad's name.
  o Lowercase is used for all characters.
  o Reverse this string.  (Fixed jumble rule.)
  Example: Your middle and last initials are "gh" and dad's firstname is
  "brad".  You start with "gh" + "b" = "ghb" and reverse to "bhg".  This
  substring is always fixed but you know the rules needed to rebuild it.
- For the number substring:
  o Middle 2 digits of your 4-digit birthyear.
  o Last 2 digits of your social security number.
  o Reverse this string.  (Fixed jumble rule.)
  Example: Birthyear = 1984 and SocSecNum = xxx-xx-xx48.  You start with
  "98" + "48", or 9848 but reverse to 8489.
- The order for splicing together these substrings:
  o charstring + domainstring + numberstring
  o Use the dash character to punctuate between these strings.
  Example (using above examples): charstring = "bhg", domain is
  variable, and numberstring = 8489, and with dashes between these.

When visiting the sites below, you would use the following passwords:       bhg-letn-8489  bhg-lapm-8489          bhg-cnsm-8489         bhg-evil-8489 bhg-egna-8489 --> bhg-egNA-8489

The password is strong but only a small part of it changes depending on
the domain you are visiting.  I show 2 passwords for the last example.
This site requires some uppercase letters, and the rule was to
capitalize the last 2 characters of the domainstring portion of the

It's not really as complex as written up here.  Once you come up with
your algorithm to generate passwords on-the-fly, the only part that ever
changes is the domainstring portion but you have a fixed set of rules
for generating that portion of the password.  If you forget the other
portions, you know the common data used to build them.

Sites may require that there be both lowercase and uppercase alphabetic
characters in the password, that it contain some numbers, that it
contain non-alphanumeric characters, and be over 6, 8, or more
characters in length.  The algorithm takes care of all of that.  The
algorithm is in your head.  You only need to remember the algorithm
(actually you just remember how to generate the domainstring part since
the other parts remain fixed).  You can pick shorter strings for each
part to make a shorter password but I'd suggest not going less than 8
characters.  Some sites require 6, or more, 6 characters and I've hit a
few that require 8, or more.  You don't carry around a "card" in your
wallet which doesn't cover all possible requirements for creating a
password at different sites.  You aren't remembering passwords but just
a general rule on generating or recalling them.  It's in your head so
the "card" cannot be stolen or someone looks under your keyboard to find
your sticky notes of passwords.  When you travel, you don't have to
remember to take anything with you (unless your head isn't attached).

I've used a memorized algorithm for years.  It is a bit simpler than the
above examples (in length) but a little more complex regarding the
domainstring part.  My password is a strong one at each domain but it's
easy for my to recall or regenerate.  At worst, I had to make 3 guesses
to hit my password at a domain (for those that want uppercase letters
and others that don't like the punctuation characters and another wanted
uppercase and wouldn't accept punctuation characters).  Use whatever you
want as the above is only an example of how you can use a unique
password at every domain but not have to remember those passwords.  The
algorithm, once you choose one is fixed.  The data used for 2 of the 3
parts is fixed and well-known to you (you can have more parts for your
algorithm), and 1 part (or more if you want) are variable to make the
password unique to domain.  You can come up with a wholly different
scheme than I mentioned above but just make sure it is fixed enough for
you to remember it and relies on data that you will always know.  Other
examples of passwords (that you can easily create and then remember) are and other
articles.  I prefer a scheme where the password changes for every domain
rather than coming up with just one password for everything.

You don't need software.  You don't need cards.  You don't need anything
other than your brain.

Re: pick and remember secure passwords in a low tech and free way

On Thu, 4 Jun 2009 15:37:38 -0500, VanguardLH wrote:

Quoted text here. Click to load it

Is very good. Is this from a book? If it's so, can I have a copy of the
full text.

Reply online or send me email.

Re: pick and remember secure passwords in a low tech and free way

VanguardLH wrote:
Quoted text here. Click to load it

The best part about it is the birth year and social security numbers
you're using, oh ya, the last name is great to.

Re: pick and remember secure passwords in a low tech and free way

John Smith wrote:

Quoted text here. Click to load it


Which one is from my social security number?  And which digits did I

Which one is from my birthyear and house number, and which digits of

Or did I pick numbers from completely different sources, like the first
2 digits of my zipcode and a digit at the end of my areacode?  You can't
tell from WHERE those digits were used.  


Which 2 chars were for my first and last initials?  Which 2 were for my
father's first and middle initial?  And which ones are reversed?  And
which one was inserted in the middle of the other?  You can't tell which
is which and where it was put in the string.

You do NOT pick sufficient characters from any one source of your data
that would uniquely identify it.  You jumble the order so you know the
jumble but no one else does.  You still end up with strong passwords in
which no part of it can be identified with any data you used to compile
the password but only a portion of the password is altered based on the
domain you are visiting.  

Come up with whatever algorithm you like for generating strong
passwords.  The password doesn't have to all change its characters for
different sites, just enough to make it easy for YOU to figure out how
to make it unique and associated with a particular site.  I gave
examples.  I assume you can figure out how to pick your own pieces of
data, how to jumble each piece (but a fixed jumble of for each piece),
and in what order you like to concatenate those pieces.  It's really not
hard to do, and once you do it to come with YOUR own scheme, the only
part you have to be concerned about is the section that changes
according to the site.  It definitely beats using bunched up words or
something very familiar and sufficient in length that anyone with some
of your personal data could run through a script to process a few
thousand possibles.

Re: pick and remember secure passwords in a low tech and free way

On Thu, 4 Jun 2009 15:37:38 -0500, VanguardLH wrote:

Quoted text here. Click to load it

Yeah, no passcracking will ever figure that out.

A fireside chat not with Ari!
Motto: Live To Spooge It!

Re: pick and remember secure passwords in a low tech and free way

You could use remember a single password and store all of
the other passwords in Keepass, which by the way, it is free.


Site Timeline