A Base Phrase Approach to Password Management

Password management software is a great way to manage passwords, as I write about herehere and here. However, it is possible to manage passwords quite well without software, using what I call a “base phrase approach”. The basic idea behind this method is to pick a phrase or word. Transform it into a very strong base password, to which a few letters are added for each different account.

I have been reluctant to post this article as I continue to strongly believe that using a password manager is a much better approach for most people. But having seen a few articles recently describing how to manage passwords without a password manager, I felt the time was right to complete the series on password management.

Read on for specific, detailed examples of how to implement the base phrase approach.

How to Make Good Passwords Using a Base Phrase Approach

This first example illustrates the basic concept: You start with a base password (in this case, “password”), and then you construct the passwords for your Facebook, Gmail, and Chase accounts by using the same rule for each account—in this case, appending the name of the service.

Base Phrase: password
Addition method: append name of service to the end of the base phrase

Example passwords:
Facebook – passwordfacebook
Gmail – passwordgmail
Chase – passwordchase

These kinds of passwords are too obvious, so we need a far better base password, but still easy to remember. So let’s take a phrase you remember but is unguessable, and convert it to a “base phrase” by using the first character of each letter in a logical way, using symbols and capital letters when possible. Use a phrase that is easy for you to remember, such as an interesting fact or a line from a song or poem. For example, let’s say you got a Porsche for your 18th birthday and loved it:

Phrase: For my 18th birthday I got a Porsche 911.  Expensive, but I love it!
Base Phrase: Fm18bIgaP911.$bIli!
Addition method: add name of service to the end of the base phrase

Example passwords:
Facebook – Fm18bIgaP911.$bIli!facebook
Gmail – Fm18bIgaP911.$bIli!gmail
Chase – Fm18bIgaP911.$bIli!chase

These are much stronger passwords and individually very difficult to crack, but there is still a problem. If one of your passwords gets captured, the attacker will do the obvious:  try the same base phrase for all of your other accounts, using the same rule. So we need a better method for naming the service that is much less obvious to an attacker, but easy to remember. Here is one such method:

Phrase: For my 18th birthday I got a Porsche 911. Expensive, but I love it!
Base Phrase: Fm18bIgaP911.$bIli!
Addition method: Transform the first and last letters of the service into other characters by shifting one letter to the right on the keyboard. Insert first transformed character before the base phrase. Append last transformed character after the base phrase.

Example Passwords:
Facebook – gFm18bIgaP911.$bIli!l
Gmail – hFm18bIgaP911.$bIli!;
Chase – vFm18bIgaP911.$bIli!r

With only one captured password, it would be difficult for an attacker to identify which part of the password is the base phrase. On the other hand, if two or more passwords were captured, an attacker could very easily identify the base phrase portion. Armed with this information, the attacker could use brute force methods to crack the rest of your passwords. This is still a vast improvement over standard password management for most people and would thwart many forms of automated attack.

It is also possible to construct more complicated rules that combines your base phrase with the name of the service into a password which eliminates the base phrase altogether. Called “password hashing,” this is considerably more secure than what I outlined above, but far too difficult to implement manually. For more information about password hashing, including helpful tools, read here.


To sum up the above discussion, here are some guidelines to setting up your own personal base phrase system:

  • The total password length (base phrase + additional characters) should be 15 or more characters.  I explain why, here.
  • The “base phrase” should be easy for you to remember and type, but impossible for others to guess.
  • You may want to avoid using special characters in the base phrase, as not all sites accept them.
  • The discovery of one password should not imply the others. Use a rule which transforms the additional characters into something else and appending them in a way which is not too obvious.

Gina Trapani of lifehacker fame is an advocate of a base phrase approach (which she refers to as a key with a pattern). You can read her take on the subject here, or even see a video she prepared, here.

A more recent article on this subject was posted to the New York times blog, here. In a follow-up comment, author David Freedman challenged his readers to discover the password he thought up for accessing his nytimes.com account (mcZ3sbja) using an algorithm he devised in his head in 4 seconds. Guess what? A reader quickly figured it out, as described here.

Closing Comments

Correct implementation of the base phrase approach requires considerable care and discipline, and for this reason I do not recommend this approach for most people. There are also other disadvantages compared to a password manager, such as being less convenient to use, not working for sites that require short passwords, and requiring that all passwords be changed if one suspects multiple passwords have been captured.

Nevertheless, some people are very reluctant to entrust software with something as critical as passwords. A base phrase approach correctly used may not be as effective or convenient as using a password manager, but it is a far better method for managing passwords than that practiced by the average Joe.

Author: Joe Golton

I’m a dad with a son who loves baseball. Professionally, I’ve been a software developer, investor, controller, and logistics manager. I now make my living from this blog, supplemented with occasional consulting gigs.

Leave a Reply

Your email address will not be published. Required fields are marked *