A different approach to remembering your passwords

Yes, we all hate having a lot of passwords. How are we supposed to remember a different password for each site? We told you about one method earlier this month. Password vault software like LastPass can also help, but it adds extra steps. We just can’t stand things that slow us down!

Can’t we just use the same password for all of our sites? That makes things a lot easier. The answer is, yes and no…

Sure, you can use the same password, but that’s a really bad idea. If a website gets hacked and someone downloads the list of usernames and passwords, they will then use a program to try those against every site they can think of. If they get your Gmail password, they will try your email address with it to log into banks. All the banks. And then all of the email systems. And all of the credit card companies. It goes on and on.

Having a unique password for every site is important but hard to manage. To make it a bit easier, I use a simple technique to vary my password slightly for each site. This makes it much easier to remember and gives me a different password for each account.

Step One - The Base Password

First, I create a base password. This is the really complex part and I follow all of the standards:

  • Use letters, numbers and special characters, with both capital and lowercase letters
  • More than 8 characters
  • Make it easy to remember
  • Use a passphrase

I use a sentence or a couple of words that are easy to remember. Some examples could be:

  • The Phillies are due for a World Series Championship - I would take the first letter of each word and make it TPadfaWSC. Note that this includes capital and lowercase.
  • Rowan Profs - You could take out the space and make it RowanProfs.

Step Two - Substitutions

Take those passwords and substitute special characters and numbers for some of the letters. I use things that look similar, like a zero for an O, a 9 for a G, the plus sign for a T and an exclamation point for an i (yes, it’s upside down, but it works for me).

That turns the examples above into:

  • TPadfaWSC becomes TP@df@W5C! - I substituted @ for lowercase A and 5 for the S, and I was excited about it so I put an exclamation point at the end.
  • RowanProfs becomes R0w@nPr0f5 - I think you get the idea.

The Last Step - Making Unique Versions

If you use the password R0w@nPr0f5 on every site, as soon as one site is hacked, your credentials will be all over the internet and tried on hundreds of other sites. Eventually the hackers will find another site where you used it and get to your stuff. To make the password site-unique, you can simply append something specific to that site. For example, you can make the password for your 401k site R0w@nPr0f5401k. If you use Gmail, you could make that password R0w@nPr0f5gmail. In both cases, it is the base password with a unique ending that should be easy to remember. If you want to log into your Gmail account, you just have to remember your base password, and the site itself should remind you what the unique part is.
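The three steps above, written out as a small Python script (an added example, not part of the original post): the substitution table is reconstructed from the post's two worked examples, and the policy check encodes the four rules listed under Step One.

```python
import string

# Substitution table reconstructed from the post's two worked examples
# (o -> 0, a -> @, s -> 5). The other swaps the post mentions (9 for G,
# + for T, ! for i) are left out so both examples reproduce exactly.
SUBSTITUTIONS = {"o": "0", "O": "0", "a": "@", "s": "5", "S": "5"}


def initials(phrase: str) -> str:
    """Step One: first letter of each word, keeping its case."""
    return "".join(word[0] for word in phrase.split())


def substitute(base: str, table: dict = SUBSTITUTIONS) -> str:
    """Step Two: swap look-alike digits and symbols in for letters."""
    return "".join(table.get(ch, ch) for ch in base)


def site_password(base: str, site_tag: str) -> str:
    """Last Step: append a site-specific tag to the base password."""
    return base + site_tag


def meets_policy(password: str) -> bool:
    """The four base-password rules: >8 chars, upper, lower, digit, special."""
    return (
        len(password) > 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def derive_site_passwords(base: str, site_tags: list) -> dict:
    """One password per site; duplicate tags would give two sites one password."""
    if len(set(site_tags)) != len(site_tags):
        raise ValueError("site tags must be distinct")
    return {tag: site_password(base, tag) for tag in site_tags}


if __name__ == "__main__":
    base = substitute(initials("The Phillies are due for a World Series Championship"))
    print(base, meets_policy(base))  # TP@df@W5C True
    for site, pw in derive_site_passwords("R0w@nPr0f5", ["401k", "gmail"]).items():
        print(site, pw, meets_policy(pw))
```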

The security benefit this provides is that it saves you from the most common type of attack, where a program takes a leaked username and password and tries them against many other sites. Practically speaking, it helps you remember secure passwords without always having to open a password vault program.

In the security field, we have to figure out the best method to help people do what they are trying to do while also staying secure. This is just one more option to think about.

By Jerry Patterson, Director of Information Security

October is National Cyber Security Awareness Month, a global effort to help everyone stay safe and protected when using technology. While cyber security can seem overwhelming, this month Information Resources & Technology is focusing on simple steps you can take to defend your online life. Visit go.rowan.edu/ncsam for more tips.