Unique, Secure, Memorable Passwords

An easy way to generate a unique, memorable but secure password for each website or service you visit is to apply the following recipe:

  1. Start with a base word. This can be anything, but the weirder the better. This will stay consistent across your passwords. For the purposes of explaining this technique, the base word will be “Redux”.

  2. Next take the name of the website or service. Let’s say we are creating a password for Reddit. Take a number of specific letters from the name. Let’s say that we always take the first 2 letters from the site name. This gives us the letters ‘R’ and ‘e’. If you want, instead of taking the first 2 letters you could take the first and last letter, or the first 3 letters. It doesn’t matter. What matters is to always take the same number of characters from the same position of each website.

  3. Next, use an algorithm. This algorithm will be unique to you, but is a way of mixing the letters you have extracted from the website into your base word. A simple algorithm might be to prepend the letters to your base word. Your password then becomes “ReRedux”. A slightly better algorithm would be to increment the letters by one character. This means that “Re” -> “Sf”. Then merge the resultant characters into the first and third positions of your base word. Your password for Reddit then becomes “SRfedux”.

Combining a base word that stays the same across all your passwords with an algorithm that modifies it based on the website name lets you construct passwords that you can remember but that are different for each site you need to log in to.

EDIT: OK, based on the Reddit comment thread it turns out that I didn’t properly explain the rationale: combining the website name with some constant stream of characters is a way to create a unique password for each individual site. You want to have a unique password per site because a lot of sites store your password in plain text. If one site gets cracked, you don’t want the attackers to be able to compromise your identity on other sites you have an account on. Also, using a passphrase or the first letters of words in a passphrase as your base word is obviously more secure than using a dictionary word.

EDIT 2: It seems people are worried about the entropy of the generated passwords. Obviously, they are not completely random, but to give you an idea on how secure they can appear, here are some passwords generated from the same base word and algorithm for different sites:

Site          Password
reddit        u-gCv*9^x%
slashdot      8D%4sXaN05
hackernews    z-hRvL9&p%

The algorithm that generated these passwords was fairly simple. A slightly more complex algorithm would generate different length passwords. The key takeaway is that if an attacker gets hold of the password for the reddit site, it is extremely unlikely that they will be able to reverse-engineer the passwords for the other sites.