Coming up with unique passwords for every account is difficult and leads many people to create a system/algo. A phrase and the name of the site is the typical system many people use.
What Is A Password Algo?
A great example of a password algo and why it’s so bad is shown in this video below.
Not only is it overcomplicated but the other host was able to figure out her passwords.
A lot of these algos share the same idea: a phrase and the name of the site. Not everyone does the same style; some will use the whole site’s name and others will only use parts of it.
To give you an idea of this, my phrase will be “Bacon?123”.
- Bacon?123Facebook (Phrase + Whole Site Name)
- FacebookBacon?123 (Whole Site Name + Phrase)
- FBBacon?123 (First Letters + Phrase)
- FBacon?123B (First Letters w/ Phrase In The Middle)
- FacBacon?123 (First 3 characters of site + Phrase)
On the surface, this is a great idea. If no one knows your phrase, then you should be good, right? No. It’s got a huge issue.
Why This Is Bad
The biggest way password algos fall apart is when your password is exposed in a plaintext breach. Websites should be storing your password encrypted, but far too many sites don’t.
When (not if) your password gets exposed, it’s nothing to figure out the passwords to your other accounts.
If the password is Bacon?123Facebook I can assume your Yahoo password is Bacon?123Yahoo or PayPal is Bacon?123PayPal. What seemed like a smart way to create and remember passwords has now backfired.
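A self-audit for this pattern, as an added example (not from the original post): it strips the site name, its capital-letter initials or its first three characters from either end of each password and flags accounts left with the same remainder. The vault entries are constructed from the post's example phrase, and the function names are assumptions.

```python
from collections import defaultdict

def site_tokens(site):
    """Fragments of the site name an algo typically embeds, longest first."""
    name = site.lower()
    initials = "".join(c for c in site if c.isupper()).lower()
    tokens = {name, name[:3], initials}
    return sorted((t for t in tokens if len(t) >= 2), key=len, reverse=True)

def strip_site(password, site):
    """Remove the first site-derived token found at either end of the password."""
    low = password.lower()
    for tok in site_tokens(site):
        if low.startswith(tok):
            return password[len(tok):]
        if low.endswith(tok):
            return password[:-len(tok)]
    return None  # no site-derived fragment found

def find_shared_seeds(vault):
    """Map each seed to the sites whose password is that seed plus a site fragment."""
    seeds = defaultdict(list)
    for site, password in vault.items():
        seed = strip_site(password, site)
        if seed:
            seeds[seed].append(site)
    # Only a remainder that repeats across accounts indicates an algo.
    return {seed: sorted(sites) for seed, sites in seeds.items() if len(sites) > 1}

# Constructed sample vault using the post's example phrase.
VAULT = {
    "Facebook": "Bacon?123Facebook",
    "Yahoo": "YahooBacon?123",
    "PayPal": "PPBacon?123",
    "Walmart": "Zfb7xUnRFL",  # generated, not derived from the site name
}

if __name__ == "__main__":
    for seed, sites in find_shared_seeds(VAULT).items():
        # Report the affected accounts without echoing the seed itself.
        print(f"{len(sites)} accounts share one seed: {', '.join(sites)}")
```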
The other issue: password algos don’t work with the wide variety of password requirements sites have.
So you got your phrase “Bacon?123” but you go to sign up for a site, and it says no special characters. What do you do?
You’ve got to have a new algo, which means you have more things to remember.
What about the websites that have character limits?
One great example of password requirements is Walmart. Our password would be Bacon?123Walmart but… Walmart has a maximum of 12 characters for passwords.
And I hear many of you, “I’ll just cut it off at 12 characters and keep my normal formula.” Sure, but it’s something else for you to remember. These sites don’t put password requirements on login pages, so you’ll have to once again commit these password criteria to memory.
Since every website has a different password requirement, you end up complicating things. This brings me to my next point.
It Over Complicates Things
You created this password system to make your life easier and more secure, but over time it’s doing the opposite of both.
You’re stuck remembering what version of your algo was used for your many logins. “Was it the simple or complex algo?” will be what you ask yourself when you forget. Or “Do I leave out certain characters because of length?”
Then you run the genuine risk of a plain text breach of your password. Once they know the seed, they know all versions of the password for all your accounts.
And I hear some of you… “My password system is more clever than that.”
The Advanced Algos
Even when confronting people about this bad system of creating passwords they always have some kind of justification.
One is that they either use the first or last character of the site name. Or they use the 2nd from the left character of the name plus the 3 characters next to that one. Or they take the count of how many characters are in the URL.
The more down the rabbit hole you go with this system, the more complicated you’re making it on yourself.
What I see most often is people making these overcomplicated password systems and not using them. They may use it for the more critical sites, but the amount of effort for this is too much for the unimportant sites. They end up reverting to bad passwords and being back where they started.
It’s easy to brag about your password system online just like people brag about their perfect life on Instagram. But we all know in reality you’re still human and like greasy food and reusing passwords.
The Worst Algo I’ve Ever Seen
Before I tell you what you should do, I want to show you the worst password system I’ve ever come across.
It started the same, pick a phrase and the name of the site, but it went way too overboard. Here are the steps.
- Count the characters in the name of the site. Example: Google.com = 10 characters.
- Add your favorite number. Example: 12
- Reverse your favorite number. Example: 21
- Using the second character of the URL, count what position it is in the alphabet. The answer is 15th.
- Take that position number and multiply by your reversed favorite number. 21 * 15 = 315.
- Add the first 2 characters of the site name to the end of the answer. 315go
- Pick a special phrase and use only the first letters of it. “The sky is blue” = Tsib.
- Pick a special character = $
- Add the special to the end along with your phrase = 315go$Tsib
This is the most absurd thing I’ve ever heard.
9 Steps to create one single password. Not only that but to remember the password you have to perform these steps. What person wants to do this? Something like this is what keeps people using weak or reused passwords.
Stop making your life harder than it needs to be. Let’s see how you should do it.
Use a Password Manager
A password manager is the answer.
You only need to remember one password, and you can generate as many random and truly unique passwords as you want. They even fill in the passwords for you. It’s all encrypted and far easier and safer than a password algo.
“I don’t trust password managers” or “Aren’t you putting all your eggs in one basket” or “Anything is hackable” … the solution to this is super simple, pepper your important passwords!
Here are the steps for creating a password in a password manager.
- Unlock password manager if it’s not already unlocked.
- Press the Generate button to create a new password.
- Save password in the password manager.
That is it. It will be only one step if your password manager is already unlocked and if your password manager autosaves or prompts to save a password you created.
I can’t imagine showing my family or anyone who doesn’t get computers the complicated 9 step process of creating a password algo. Then tell them they have to do this every time they need to sign in.
I’d rather give them a password manager. They can store all the passwords that fit a site’s requirements. They can store security questions and other tidbits they need to know. The only thing they need to remember is one master password.
Here is a great video telling you why you should use a password manager.
How To Use A Password Manager
Here is a great video on how to get started with a password manager called Bitwarden. Note: I’m not paid to promote Bitwarden, it’s just a good open source and free password manager.
Passwords Are Taxing
I remember the times before I got a password manager and how much it sucked to create a password. You would think it would be easy, but put on the spot we often revert to reusing old passwords.
This friction and needing to remember passwords is why people reuse them. This has transformed into people coming up with password systems that over the years keep getting more absurd.
Not having to come up with passwords is the most joyous feedback I get from new password manager users. It’s something that we can’t gloss over; it indeed is relieving.
Not only that but you have one master password to remember that gives you access to all your logins — no need to fiddle around and try to remember what password this or that site uses. No more pressing the reset password button and wondering why the email has not come. It’s almost magical with a password manager.
Still Don’t Trust Password Managers?
I know there are going to be a few people who will still use their algo.
I say, let’s compromise.
Pick a word or phrase.
Then use a password manager to generate and store a strong password. Before signing up for a site append your word.
My word will be “bacon.”
The password manager generates “Zfb7xUnRFL”. I append my word to the end and get “Zfb7xUnRFLbacon”. You only store “Zfb7xUnRFL” in your password manager. Before logging in, you add your word.
You could even do the name of the site as your secret phrase “Zfb7xUnRFLFacebook”, “Zfb7xUnRFLYahoo”, or “Zfb7xUnRFLGoogle”.
This way every single password is unique because you give each site a unique generated password. You still need the word added to the end of it to get the right password. Sounds like the best of both worlds.
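The compromise above, sketched as an added example (not from the original post, and not how any particular password manager works): a random part is generated within a site's limits and the memorized word is appended only when typing. The function names, the symbol set, the 20-character target and the 8-character floor for the random part are assumptions.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*-_=+?"   # assumed symbol set
MIN_RANDOM_LEN = 8          # assumed floor for the generated part

def generate_password(length, allow_symbols=True):
    """Random password with at least one character from each allowed class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if allow_symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short for the required character classes")
    alphabet = "".join(classes)
    # One guaranteed character per class, the rest drawn from the full alphabet.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)

def new_login(pepper, max_len=None, allow_symbols=True, target_len=20):
    """Return (stored, typed): stored goes in the manager, typed goes to the site."""
    if not allow_symbols and not pepper.isalnum():
        raise ValueError("pepper contains characters this site rejects")
    budget = target_len
    if max_len is not None:
        # The pepper counts against the site's maximum length.
        budget = min(target_len, max_len - len(pepper))
    if budget < MIN_RANDOM_LEN:
        raise ValueError("site limit leaves too little room for the random part")
    stored = generate_password(budget, allow_symbols)
    return stored, stored + pepper

if __name__ == "__main__":
    stored, typed = new_login("bacon", max_len=16, allow_symbols=False)
    print("store in manager:", stored)
    print("type at the site:", typed)
    try:
        new_login("bacon", max_len=12)  # the 12-character limit from the post
    except ValueError as err:
        print("12-character site:", err)
```

On a site with a 12-character maximum, the five-letter word leaves only seven random characters, so the sketch refuses rather than quietly weakening the generated part.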
What’s Your System?
I’m curious to hear about the algos you heard of or the ones you used in the past.
Am I wrong? Do you have an algo that is far better than using a password manager?
Let me know in the comments below.
1 thought on “Your Password System Is Not Clever”
I have written an algo.
It’s not simple but because of what it is up against it can’t be.
I do not have to recall the password, only basic information, the rest works itself out using the information you gave.
E.g. if I use a mental image of a dirty cup in my kitchen for a cooking website I use.
I get dC ^1:[Ks#43i9$