January 24, 2008 by alex
The general advice: We are all supposed to use a separate password that has at least 25 letters, numbers and special characters in it for everything we use on the net, because if we don’t, one compromised site gives an attacker access to all your other accounts using the same password. Think of a hacked twitter account resulting in all your emails on gmail being made publicly available.
The reality: We are all lazy bastards, so most of us have one single password we use for all our accounts (am I not right?). Some of us have 2-3 passwords for different levels of trust, so the bank account and credit card sites get one, personal email gets one and all the other sites get another. A bit better already.
My suggestion: One password per site (hey, I’ve heard this before). But here’s the trick (and the catch at the same time, because the passwords are similar and can hence be hacked more easily). I will use the following convention to generate a separate password for each site that is (for me) easy to remember:
Take some random sentence:
This is my personal very secure password for [...].
Say you need a password for twitter, this sentence becomes:
This is my personal very secure password for twitter.
The password will be the first letter of each word in the sentence, so for this example it’s Timpvspftw. I’m actually using the first two letters of the site’s name so the convention also works for twitter and t*** (uhm, insert name of another website starting with t). To make things a bit more secure, you should change your scheme, e.g. use the last letters, or alternate between last and first.
Using more or less random letters from a sentence to generate a secure password is nothing new. It actually has been recommended for years (decades?). My only addition to this is to use the name of the service in that sentence, so you can have separate passwords and still remember them easily. And they should be fairly secure, as long as your scheme of choosing the letters and your sentence are random enough (I’m still using something different for my bank account though).
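The scheme from the paragraphs above, as an added example (not code from the original post), with the three letter-picking rules mentioned and a small check of the "catch": since only the site name changes, two sites' passwords share almost all of their characters. The template string and the "tumblr" comparison site are my own assumptions.

```python
import re

# Constructed template in the post's style; "[...]" is the slot for the site name.
TEMPLATE = "This is my personal very secure password for [...]."


def acrostic_password(site: str, scheme: str = "first", template: str = TEMPLATE,
                      site_letters: int = 2) -> str:
    """Pick one letter per word of the fixed part of the sentence, then append
    the first `site_letters` letters of the site name (as the post does)."""
    fixed_part = template.split("[...]")[0]
    words = re.findall(r"[A-Za-z]+", fixed_part)
    picked = []
    for i, word in enumerate(words):
        if scheme == "first":            # first letter of every word
            picked.append(word[0])
        elif scheme == "last":           # last letter of every word
            picked.append(word[-1])
        elif scheme == "alternate":      # first, last, first, last, ...
            picked.append(word[0] if i % 2 == 0 else word[-1])
        else:
            raise ValueError(f"unknown scheme: {scheme}")
    return "".join(picked) + site[:site_letters]


def shared_prefix_length(a: str, b: str) -> int:
    """How many leading characters two passwords have in common: the larger
    this is relative to the length, the more one leaked password reveals about
    the others, which is the catch the post itself points out."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    for site in ("twitter", "tumblr"):  # hypothetical sites for the demo
        for scheme in ("first", "last", "alternate"):
            print(f"{site:8} {scheme:9} {acrostic_password(site, scheme)}")
    tw, tu = acrostic_password("twitter"), acrostic_password("tumblr")
    print(f"shared prefix: {shared_prefix_length(tw, tu)} of {len(tw)} characters")
```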
Of course the whole thing would be much easier with something like OpenID everywhere, but until then go and make up some funny sentences for your passwords.