How to remember hundreds of passwords without writing them down

If you’re like me you have a ga-jillion internet accounts.  Multiple email addresses, dozens of app or social media accounts. You want to keep your accounts secure so you don’t get hacked but there doesn’t seem like an easy way to do it. You either need to have the same password for every site or have a different password for every site.

Same Password

If you use the same password once a hacker accesses one of your accounts they can easily log into your other accounts. This is a nightmare scenario, especially if a hacker gets access to your shopping or banking accounts.  Perhaps if you use a really complex password this strategy is acceptable. One of the better ways to do this is with mnemonic passwords. Josette Dehaney covers mnemonic passwords nicely in her blog. Here’s an example of a mnemonic password:

     In 2013 I will take the opportunity every Sunday to relax, smile = !2013!wttOeS2R:-)

Different Password

If you use a different password for each site/app you quickly realize that there are too many passwords that you need to remember and you have to write them down. Once you write down your password you’ve made it less secure, especially if it’s written on paper.  You might secure the paper in a safe box or something, but that’s of little use to you when you need it.  The “different password people” typically use a mobile password manager to save all of their passwords in a database for relatively easy access.  This Lifehacker article lists some options.

My Password System

The “same password” and “different password” approaches both have their benefits and drawbacks, My password system works well for me because each password is different but I can remember them all.  Note, I don’t claim to be the originator of this system, I’m sure I picked it up when I was running the security team for my financial firm – we had some bright security minds.

Base + Site

My password system has two components: a base and site specific

Base – The base is any short word you want to use. Four to six letters are sufficient and use a mix of alphanumeric and special characters.

Site – The site specific comes from the website or app itself.  You can pick the first four to six characters from the website (or maybe the last four to six if you want to mix it up.)

Now, put the two together. You can either do base+site or site+base. Whichever. Doesn’t matter, just pick one style and stick with it.

Examples

For our examples, our base will be “Wat3r”, the first 5 characters in a site’s name and the base+site style.

Amazon Wat3ramazo
Gmail     Wat3rgmail
Fab     Wat3rfab (note, since the site name is shorter, I used what was available)

The key to my system is to never tell anyone your base password or the system you’re using (which I just did, meaning I care about my audience so much that I’m taking on some risk).

Two Factor Authentication

Lastly a word about two factor authentication.  Some web services (Yahoo and Gmail to name a couple) provide two factor authentication passwords. Two factor authentication means that you require something you know and something you have in order to log in.  Essentially the service ties your log in to your mobile phone (what you have). Because I use my Google account for web services I use their two factor system.  It’s a bit of a pain to set up, but after you set it up you don’t have to deal with it again. Google two factor authentication creates hard to crack passwords (that you don’t have to remember) and provides an extra layer of security. You can read about it here.

If your password strategy isn’t where you want it to be, I suggest you adopt my password strategy so you don’t end up like this guy.

photo credit