The average business employee must keep track of 191 passwords. Whether this number is accurate or not, we all have too many passwords to remember. Everyone knows that re-using the same password across multiple websites is a bad practice: if the password is stolen from one of those websites, the attacker has access to all the others. On the other hand, remembering dozens of passwords for dozens of websites is impossible for most of us. Writing them all down in your phone is an option, but it is a single point of failure, since the document that holds these passwords can be compromised in many ways. Using a password manager is also an option, but these typically have a master password, and if the master password is stolen all passwords are at risk.
The best option is getting rid of passwords, but until we reach that point I want to share with you how I use a different password with each website without memorizing them all, writing them down, or using a password manager (this is not something I invented; I’m sure many others are using this technique in various variations).
I created a formula that generates the password in my mind based on the name of the website to which I’m trying to log in. Here is an example of such a formula. I’ll demonstrate it with Salesforce.com as the website:
- Take the first two letters of the website’s name (“sa” in salesforce)
- Count the number of characters in the website name (10 in salesforce)
- Take the last two letters of the website name and replace each with the key to its right on a QWERTY keyboard (ce —> vr)
- End with a fixed suffix (for example !!GR9)
So the password for Salesforce will be sa10vr!!GR9
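The formula above, written out as code so that the steps can be checked against the Salesforce example and applied to other site names. This is an added example, not code from the original post. It assumes a US QWERTY layout, a site name consisting of letters only (the label before the first dot of the domain), and, for a letter at the right end of a keyboard row, a wrap-around to the first key of that row; the post does not say what to do in that case. The second function illustrates the caveat that follows: given a few leaked passwords built with the same formula, the fixed suffix falls out as their common ending.

```python
# Added example: the post's password formula implemented as a function.
# Assumptions not stated in the post: US QWERTY layout, letters-only site
# names, and wrap-around for a key at the right end of a row (hypothetical choice).
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SUFFIX = "!!GR9"  # the fixed suffix from the post's example


def next_key(ch):
    """Return the key to the right of `ch` on a QWERTY keyboard (c -> v, e -> r)."""
    for row in QWERTY_ROWS:
        idx = row.find(ch)
        if idx != -1:
            # Wrap to the start of the row when `ch` is the last key (e.g. l -> a).
            return row[(idx + 1) % len(row)]
    raise ValueError(f"not a letter key: {ch!r}")


def site_label(site):
    """Normalize 'Salesforce.com' or 'www.salesforce.com' to 'salesforce'."""
    name = site.strip().lower()
    if name.startswith("www."):
        name = name[4:]
    return name.split(".")[0]


def password_for(site, suffix=SUFFIX):
    """Apply the post's four steps to a site name and return the password."""
    name = site_label(site)
    if len(name) < 2 or not name.isalpha():
        raise ValueError(f"formula needs at least two letters, got {name!r}")
    head = name[:2]                                  # step 1: first two letters
    count = str(len(name))                           # step 2: number of characters
    tail = "".join(next_key(c) for c in name[-2:])   # step 3: shift last two letters
    return head + count + tail + suffix              # step 4: fixed suffix


def fixed_part(passwords):
    """Longest common suffix of a set of leaked passwords.

    This is what an attacker holding a few of your formula-based passwords can
    read off directly: the constant tail, here '!!GR9', leaving only the short
    site-derived prefix to reverse-engineer.
    """
    shortest = min(passwords, key=len)
    for size in range(len(shortest), 0, -1):
        tail = shortest[-size:]
        if all(p.endswith(tail) for p in passwords):
            return tail
    return ""


if __name__ == "__main__":
    # Constructed sample: three sites run through the same formula.
    sites = ["salesforce.com", "github.com", "google.com"]
    generated = {s: password_for(s) for s in sites}
    for site, pw in generated.items():
        print(f"{site:16} {pw}")
    print("common suffix an attacker would spot:", fixed_part(list(generated.values())))
```

Running the script prints `sa10vr!!GR9` for Salesforce, matching the post, and shows that the three outputs share the ending `!!GR9`; the only part of each password that is not a simple function of the site name is that suffix.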
All you need to remember is the formula. Never write it down and never tell it to anyone. Come up with your own formula and protect your passwords. Keep in mind that a smart attacker can always try to reverse-engineer your formula. If your password for Salesforce is salesforce!!GR9, there is a good chance your password for Google is google!!GR9. Try to make it less obvious to the attacker that you’re using a formula, and choose it wisely. Remember that once the formula is known, the site-derived part of each password is fully determined by the site name, so the only secret that remains is the fixed part. Even if you do choose a strong formula, an attacker who manages to steal a few of your passwords may be able to crack it. Therefore, for the two or three really sensitive accounts you have, such as your bank account, I recommend you still keep a separate hard-to-guess password that is not based on this formula.
This is a patch for the unscalable problem of password management. You may find this patch more or less attractive than storing these passwords in your phone or using a password manager, but it is certainly better than using the same password across all sites.
And if you’re a service provider, it’s time to give your users a password free option!