Password strength, password management, password memorization, password bla bla bla. We spend half a day typing (or saving in the browser) a password for every damned service we use online. And we always reuse the same passwords, because we know perfectly well that it is a bad (ugly!) habit, but we really can't memorize so many abstract strings.
A lot of articles have been written on this subject. A lot of good advice has been given. XKCD, with the famous "correct horse battery staple" strip, has suggested, in my humble opinion, one of the best methods to generate a single, long, secure password:
But this is still a method to remember... one? three? six? different passwords. If you try to set a different password for every service, you'll quickly have a lot of permutations to remember: «So, for gmail it was correct horse battery staple, for github wolf cucumber pencil mug, then for slack penguin banana honey bacon? Or was it honey wolf banana honey?»
So, my personal solution is simple. Aren't we developers? Don't we deal with algorithms every day? Aren't algorithms our daily tool for solving problems? So, why not use an algorithm to generate a unique password for every site?
The algorithm has to be simple, because we'll have to run it in our head. For example:
- The first three letters of the second-level domain, each spelled in the NATO phonetic alphabet and camel-cased
- An opening square bracket
- The length of the second-level domain, spelled out in letters
- The length of the top-level domain, written as a digit
- A closing square bracket.
Obviously I've made up this algorithm for this post, so don't try it on my accounts! :-) It looks elaborate but is easy to remember, and it generates a different password for every site (rows computed with the five steps above):
| Site or service | Generated password |
|---|---|
| gmail.com | GolfMikeAlpha[five3] |
| github.com | GolfIndiaTango[six3] |
| slack.com | SierraLimaAlpha[five3] |
And so on. Obviously everyone can tweak the algorithm as they wish: adding other symbols depending on some parameter, reversing the order of the characters, adding a simple Caesar shift... There are no limits except the mental complexity each of us decides is affordable.
For the most paranoid (and when we talk about security we should all be paranoid), the algorithm should stay reasonably robust even if a single password is compromised. Since the password is derived only from a public input, the domain name, its strength rests entirely on the secrecy of the algorithm. If some bad hackers breach github and somehow get hold of our password, a human being reading GolfIndiaTango[six3] could recognize the phonetic part, suspect an algorithmic approach, and try it on the other services we use. I think it's a remote possibility, because it can only happen if someone is targeting exactly you, and normally that isn't the case. But it is still a possibility, so everyone must choose their algorithm carefully.
I've never read anything about this algorithmic approach, but I haven't searched for it either, so, as we say in Italy, maybe "I've discovered hot water". But I'd really love to read your thoughts about it.