A Password Strategy

by Colin Berkshire

It’s well documented that the most common sign-in password is “password” and that “123456” is the next most popular.

To combat hacking these trivial passwords, organizations impose password rules. The purpose is to force people to choose good passwords.

Many of the schemes forcing users to choose a good password are more broken than the problem they are trying to fix. For example:

One government website requires that passwords be exactly six characters with no punctuation. It is as if they are actually trying to make it easy for hackers.

Another government website limits passwords to 8 characters. Why force users to use a password that is LESS secure? They act as if password memory is expensive.

Yet another website requires that you change your password every 90 days. I am unclear why changing your password frequently improves security. It seems that it just increases the chances that you will need to write it down on a Post-it stuck to your monitor.

Users would try to come up with stronger passwords if they were less fettered. Some websites won’t allow special characters, others allow only some special characters, while others allow a different set of special characters. So, users can’t really develop passwords that are strong and that they can remember because every site has different, conflicting rules. This almost mandates that passwords be written down, which negates a lot of security. (How many people keep their list of passwords in a Word document on their computer?)

For those who do worry about security, it’s a problem to pick unique passwords. Password managers that choose random passwords are a great solution. (Apple’s Safari does this built-in.) These randomly picked passwords are so obscure that truthfully they can’t be hacked. I recommend that everybody use these managers if they can.

But what if you travel a lot and use a lot of different computers? Or you log in from the office and you don’t want your password keychain stored on your computer?

I use a pretty effective solution so that every website has a unique password. This means if one website has a security breach the other websites I use won’t be compromised.

The technique requires an available calculator and a little memory.

  1. Choose a base word such as “Snow” that you will use on all sites. Better yet, choose some obscure characters like “tzpm”. You will use this on all passwords.
  2. Look at the main name of the organization whose website you are accessing, such as “Chase Bank”. Take the first word, such as “Chase”. Use the first word in combined-word names like Facebook (use “Face”). Be consistent in capitalization, such as always or never capitalizing the word.
  3. Create a very simple cypher that you will use. For example, assign the letters numerical values such as A=1, B=2, C=3 or something more advanced. If you are a programmer, use ASCII values. Memorize this simple cypher as you will use it on all passwords.
  4. Use the cypher to create some numbers. For example, cypher the first three letters of the organization name. (Facebook might be F-A-C cyphered into 613 where A=1, B=2, C=3, etc.) If you wonder why you see me counting on my fingers when I am entering my password it is because I am using this simple cypher. Another simple cypher is to use your keyboard: Notice that the letters Q, A and Z are under the 1 key, and W, S and X are under the 2 key. It’s a trivial cypher that encodes any letter into a digit. It’s not perfect, but it is better than a poke in the eye and less obvious than A=1, B=2. Personally, I use yet another simple cypher.
  5. Lastly, I recommend adding some special character. You can be simple and use a hyphen (“-”), which is the most universally accepted special character in the password field for everything, or you can be fancier and choose the special character using some rule you make up, such as ! for government sites, @ for banking sites, etc.

So for Facebook.com you might have this password:


This isn’t the absolute most unhackable password, like HYTR-RTDK-TYUG-QOXY would be. But it is pretty unhackable and has these features:

  • The compromise of one password doesn’t directly compromise any other password
  • You never need to write down any passwords
  • Every website has a different password.

Here are some variations you can use to make things more obscure:

  1. Create the cypher using every other letter in the name, up to 4 maximum.
  2. Reverse the letters so FAC would be CAF.
  3. Drop the first letter of the website name.
  4. Add up the numbers and put the total after the special character. (613 would add up to 10 so the end would be 613@10)
  5. Add a sequence number to the end, so if you need to make a new password for a site you just change the sequence number.

There are lots of variations.
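The five steps and variation 4, written out as an added example (not the author's own code or exact scheme). It assumes the order base word + digits + special character (+ total), that letters past I become two digits under A=1, B=2, and it uses constructed site names; `derive`, `site_values` and `collisions` are hypothetical names.

```python
import string

# Keyboard-column cypher from step 4: each letter maps to the digit key above
# its QWERTY column (Q, A, Z -> 1; W, S, X -> 2; ... P -> 0).
KEY_COLUMNS = ["QAZ", "WSX", "EDC", "RFV", "TGB", "YHN", "UJM", "IK", "OL", "P"]
KEYBOARD = {ch: (i + 1) % 10 for i, col in enumerate(KEY_COLUMNS) for ch in col}

# Alphabet-position cypher from step 3: A=1, B=2, C=3 ... Z=26.
ALPHABET = {ch: i for i, ch in enumerate(string.ascii_uppercase, start=1)}


def site_values(site_word, cypher, letters=3):
    """Step 4: cypher the first `letters` letters of the site word."""
    return [cypher[c] for c in site_word.upper() if c in cypher][:letters]


def derive(base, site_word, cypher=ALPHABET, special="-", add_total=False):
    """Steps 1-5; the ordering base + digits + special is an assumption."""
    values = site_values(site_word, cypher)
    code = "".join(str(v) for v in values)
    # Variation 4: append the sum of the cyphered values after the special.
    total = str(sum(values)) if add_total else ""
    return f"{base}{code}{special}{total}"


def collisions(site_words, cypher):
    """Group site words whose cyphered digits come out identical."""
    groups = {}
    for word in site_words:
        code = "".join(str(v) for v in site_values(word, cypher))
        groups.setdefault(code, []).append(word)
    return {code: words for code, words in groups.items() if len(words) > 1}


if __name__ == "__main__":
    sites = ["Face", "Chase", "Amazon", "Quartz"]  # constructed sample names
    for site in sites:
        print(site, derive("Snow", site), derive("Snow", site, cypher=KEYBOARD))
    print(derive("Snow", "Face", special="@", add_total=True))
    print("keyboard-cypher collisions:", collisions(sites, KEYBOARD))
```

The keyboard cypher folds 26 letters into 10 digits, so different site names can yield the same digits and therefore the same password; checking your own list of sites with `collisions` shows where a variation is needed.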

I have logins for nearly 1,000 websites. Every one is different. Best of all: I don’t need to write any of the passwords down AND I don’t have to remember them. I don’t have an Excel spreadsheet with all of my passwords for somebody to steal.