If a website form asks you to register and sign in with a username and password, slap yourself on the head if you duplicate a password from another website.
Go on, admit it. We’ve all done it once upon a time.
If you recognize such behavior as yours, however, stop it right now.
Stop recycling passwords and stop duplicating passwords.
I have no idea how many sets of usernames and passwords are associated with me across the social web, but the important takeaway is I have a different password for every single site. Name the site, and if I’m there I use a different password. Moreover, I can be anywhere in the world on any public or private computer and without reading a piece of paper or scratching my head I always type in the correct password on the first try.
Create a password memory system with mnemonics.
Every time you visit a new site and are asked to create a password, or if you already have a password on an existing site, start from a preconfigured base of capitalized and lowercase letters, numeric digits, and keyboard symbols (ensure it’s nothing in a dictionary) — along with additional characters specific to the website.
Say what, you ask?
Imagine your preconfigured base is !em0Nade.
That was created by substituting an exclamation point for the letter l, substituting a zero for the letter o, and capitalizing the letter N.
Lemonade becomes !em0Nade.
If you need to create a password, start with that base and add additional letters, numbers, or symbols before, after, or in the middle of it. Where you put the additional characters is up to you, but their placement and the substitution rule should be the same for every password on every site.
Here are five examples for five different sites requiring passwords:
Facebook: !em0NFkade
Twitter: !em0NTrade
LinkedIn: !em0NLnade
Yelp: !em0NYpade
Google: !em0NGeade
Look at those five examples, and see if you can work out how the placement and substitution are always the same. Add a comment below if confused.
Whatever you do, do not use that system.
Create your own system and it will never fail you.
I suggest you have a different string for your webmail program, and you have an even tougher string for your online banking.
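The scheme above, written out as a short Python program so the per-site variation can be measured. This is an added example, not code from the post. The site rule it uses is my reading of the five examples (the first letter of the site name capitalized, followed by its last letter lowercased, inserted after the first five characters of the base); the post itself leaves the rule for the reader to spot. The last function quantifies the concern raised in the comments about one leaked password exposing the others: it reports how much of each password actually changes from site to site.

```python
"""Added example (not from the original post): the post's mnemonic scheme,
implemented literally, plus a measure of how little of each password is
site-specific.

Assumption (mine, inferred from the five examples): the site part is the site
name's first letter (upper-cased) and last letter (lower-cased), inserted
between "!em0N" and "ade".
"""

BASE = "!em0Nade"   # the base the post uses as its example
INSERT_AT = 5       # split point inferred from the post's examples


def derive(site: str, base: str = BASE, insert_at: int = INSERT_AT) -> str:
    """Build the per-site password exactly the way the post's examples do."""
    name = site.strip()
    if len(name) < 2:
        raise ValueError("site name needs at least two letters")
    site_part = name[0].upper() + name[-1].lower()
    return base[:insert_at] + site_part + base[insert_at:]


def hamming(a: str, b: str) -> int:
    """Number of positions at which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("strings must be the same length")
    return sum(x != y for x, y in zip(a, b))


def site_specific_fraction(sites, base: str = BASE) -> float:
    """Largest pairwise Hamming distance between the derived passwords,
    divided by password length. A low value means one exposed password
    reveals nearly all of every other one."""
    pws = [derive(s, base) for s in sites]
    worst = max(
        (hamming(p, q) for i, p in enumerate(pws) for q in pws[i + 1:]),
        default=0,
    )
    return worst / len(pws[0])


# The five site/password pairs the post lists, used here as a self-check.
POST_EXAMPLES = {
    "Facebook": "!em0NFkade",
    "Twitter": "!em0NTrade",
    "LinkedIn": "!em0NLnade",
    "Yelp": "!em0NYpade",
    "Google": "!em0NGeade",
}

if __name__ == "__main__":
    for site, expected in POST_EXAMPLES.items():
        got = derive(site)
        print(f"{site:9} {got}  {'ok' if got == expected else 'MISMATCH'}")
    frac = site_specific_fraction(POST_EXAMPLES)
    print(f"at most {frac:.0%} of each password is site-specific")
```

Run as-is it reproduces all five of the post's passwords and reports that at most 20% of each one (two characters out of ten) differs between sites; the other eight characters are the shared base. That is the number to keep in mind when weighing this scheme against a password manager that issues an unrelated random password per site, as some of the comments below suggest.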
I would write a post on how I do my passwords…but that’s a special secret. A closely guarded secret.
This is a great way too though…makes you think a little, but seems like it would work really well. I like it, and might adapt it a little.
The problem now is, if I change, I have to remember which version of password I’m using! hahaha
Ahh but most websites give you one of those handy “forgot your password” links — presuming you remember your email address.
I use botanical names for my passwords. Often use same plant and different varieties.
Botany, eh? Are they real names, then, names that can be hacked if someone’s running an engine with dictionary words?
And, I deleted the rest of your comment because, despite your good intent, the comment policy, as linked above the comment section, does not allow off-topic comments. If I accept it for one, I set a precedent I don’t want to do.
haha! That’s a good tip, I like that. I have a problem with short-term memory and the mnemonics technique is my best friend, and now with passwords too. Oh, well, it’s just getting better.
Another great post, Ari. I expect a lot of comments and tweets. It should, otherwise people are not taking enough care about that issue. Here’s an article about web passwords by Jeff Atwood to share – http://bit.ly/ic8Kz2
I only disagree about allowing a third party or web browsers/addons to save all your passwords. It is like putting all your eggs in one basket and sometimes someone else’s basket! If someone gets hold of that one master password or that third party got compromised, then you are out there with all your passwords in the wrong hands. Instead, develop a system like yours and recover those you forgot from the site itself. If you happen to lose your memory, then this is not a big deal, you won’t remember you have an account to begin with let alone a password.
I have a similar system to yours based on Mnemonic as well and I thought to write something about it, now instead I’ll just pass your article. Cheers, mate!
Is that not very risky, Ari, as if someone gets hold of two of your passwords, they can crack the rest pretty easily!
Nice idea though, associate your password with the activity… I might try that
There is risk associated with life, so sure anything’s possible. But I’ve used the same system for about three years and it’s never been hacked. The only time I was hacked was about two years ago on an older Yahoo mail account that used an English word within the password.
Ok, seems pretty foolproof then
Your word, not mine.
Nothing in life is foolproof.
It’s an excellent idea, and I do get the concern from Joy about third party password holders, but I’ve taken the chance and use LastPass. With them, I need to remember one master password and then let LastPass generate secure passwords for all the sites. I can get to my “vault” from any computer, which has saved me a few times in meetings where I didn’t have my computer, but I needed to show a client something, like a document in Dropbox.
Great tut thanks, and using information from the site you are registering with is a very good idea. You could also take the first 3 letters of the site and put them at the start, middle and end :).
One thing you should also do frequently is change passwords, or in that case, the mnemonic word, in order to keep things secure… and whatever the site you are registering on, NEVER make it simple to guess (kid’s names, date of birth, the word “password”, “123456”, or even qwertyuiop).
Ari, this is a very good system that I think would work well, and I like the suggestion for the Firefox plugin.
I have my own system that I started using years ago, so I stick with it. It uses a combination of numbers, English words, and words in one of several foreign languages. None of the passwords is the same, but I have ways to easily remember what they are. My passwords always get a “strong” rating.
Sxipper’s been with me for about two years. I forget how I found it; likely a Mozilla add-on search.
Wow I have never thought of having different passwords for different websites. I will definitely have to try your Mnemonics way. Makes me want to go to all of my different places and change my passwords.
Here’s the thing, Tanya: If you don’t use different passwords, and presuming you use the same username, then what happens when one account is hacked? Dominoes.
Hi Ari
Password management can be a real pain.
I use a password generator for important passwords such as WordPress and I keep a copy of them on a notepad document.
I also keep a hard copy of the notepad document just in case.
There are a few free password “rememberers” out there, I think that Roboform is pretty good and I came across this Lastpass over at http://lastpass.com/ over on Petra Weiss’s blog.
I’ll probably give this one a try – looks good and it’s free.
Great article, Ari…and what a great idea! I’ve used a series of different passwords (I won’t say how many) for years that I rotated on a regular basis among my various accounts, replacing and changing various letters with numbers or symbols. But your suggestion seems a lot easier and one that would be easier to remember.
My team and I have a system for remembering our passwords, but we are really not that inventive about the passwords we use. After reading this article, Ari, I slap my forehead and scramble to make my team develop a better password generation system. And, I shall tell one member of my team to stop using the same password for all her online accounts. Thanks!
– Wes –
Sometimes the simplest things make the most sense. Thanks. I’ll use this one.
In general, the idea of having many passwords (or a single password for every site) is wise but it’s so difficult as one can be lost very easily. Now practically all sites require passwords and that’s terrible although necessary. Unfortunately, I have only several passwords and no backup.
Thanks for the useful idea. I have been using the slightly-different password approach for years, but adding the “substitute punctuation for letters” idea is a good one to include.
Very good article, Ari.
I can’t tell you the number of times I’ve helped people who have had an e-mail account hacked, only to find that another account, such as a bank or affinity group were hacked as well, with the same user ID and password.
I’ve also had some success using a “passphrase”, the first letters of a favorite phrase or line of poetry. “Now is the time that tries men’s souls” becomes “Nittttms”, with a number added as needed. You can also start the phrase with a symbol for additional security, if required.
Easy to remember for you, not a dictionary word, hard to guess, and easy to sequence by changing the first letter (“N” becomes “O”, then “P”, and so on).
I’m always surprised how many people use the same User ID/PW combo for every login.
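The passphrase method in the comment above, as an added example in Python (my code, not the commenter’s): take the first letter of each word, optionally prefix a symbol and append a number, and re-sequence by advancing the first letter. The phrase is the commenter’s own; the symbol and number values passed in are constructed placeholders.

```python
"""Added example (not the commenter's code): the "first letters of a phrase"
method from the comment above, with the two tweaks it mentions.
"""

import re


def initialism(phrase: str) -> str:
    """First letter of every word, keeping each word's original case.
    Apostrophes inside a word (men's) keep it as one word."""
    words = re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", phrase)
    return "".join(w[0] for w in words)


def decorate(core: str, symbol: str = "", number: str = "") -> str:
    """Optional leading symbol and trailing number, as the comment suggests."""
    return f"{symbol}{core}{number}"


def resequence(core: str, step: int = 1) -> str:
    """Advance the first letter `step` places in the alphabet (N -> O -> P),
    keeping its case and wrapping from Z back to A."""
    first = core[0]
    if not first.isalpha():
        raise ValueError("first character must be a letter to re-sequence")
    origin = ord("A") if first.isupper() else ord("a")
    shifted = chr(origin + (ord(first) - origin + step) % 26)
    return shifted + core[1:]


if __name__ == "__main__":
    core = initialism("Now is the time that tries men's souls")   # commenter's phrase
    print(core)                                                   # Nittttms
    print(decorate(core, symbol="#", number="7"))                 # constructed symbol/number
    print(resequence(core), resequence(core, 2))                  # Oittttms Pittttms
```

Note that the re-sequenced variants differ from the original in exactly one character, so each one is only as private as the previous one in the sequence; that is the same trade-off the site-letter scheme in the post makes, just with a smaller varying part.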