Recipe: Easy to remember, service specific and secure passwords

4 points by torstesu ↗ HN
People, even tech-savvy ones, have a tendency to use a single or a low multiple of different passwords for different services, making them vulnerable to unauthorized access.

The challenge is how to make strong, service specific passwords which are easy to remember. Here is a recipe:

1. Construct a complex password key with a minimum length of 8 characters, e.g -Kr/2.pq4. 2. Make an algorithm based on the URL. E.g. news.ycombinator.com a) Take the last 4 characters in the URL, excluded the domain suffix: ator b) Shuffle the letters in a based on your algorithm: orat 3. Combine the password key and the output of your algorithm: orat-Kr/2.pq4 4. Always enjoy individual, secure and easy to remember passwords for any services.

The algorithm you use can off course be more complex, e.g. adding a characters in between, but the basic idea should be explained.

6 comments

[ 2.8 ms ] story [ 21.3 ms ] thread
Or, instead, you simply get yourself a copy of Password Gorilla ( https://github.com/zdia/gorilla/wiki ) and let it both generate truly random passwords for each service and securely store all those unique, truly random, passwords for you.
True! Personally, i prefer remembering them by heart as i often need to access services from different devices, e.g. my smartphone. But for users not in the need of mobility, Password Gorilla will suffice.
As soon as a full Tcl/Tk environment is available on Android, Password Gorilla should run on an Android smartphone. Not there yet, but someday it will happen.
Agree. On any given day I'm using so many devices at work, home, trying out Live CD's, etc. that I need some algorithm that I can just memorize and type in.
I do random-generated passwords for important things like root accounts, FTP accounts, and business-related email accounts, but then use a formula similar to the one in the first post for every-day stuff like forums, web apps, gmail, etc, so I can type them in from memory when i'm using them multiple times a day.

Oh, and KeePass (on my Android phone, Macbook, and home Win 7 PC) + Dropbox = heaven. The whole idea of a multi-platform password store with it's actual database file kept in Dropbox (or similar) is something i've been dreaming of and begging for, for years.

After HBGary I went through and implemented this (throwing in algorithmic based use of symbols and prepending & appending algorithmic components.)