Password management software is a great way to manage passwords, as I write about here, here and here. However, it is possible to manage passwords quite well without software, using what I call a “base phrase approach”. The basic idea behind this method is to pick a phrase or word. Transform it into a very strong base password, to which a few letters are added for each different account.
I have been reluctant to post this article as I continue to strongly believe that using a password manager is a much better approach for most people. But having seen a few articles recently describing how to manage passwords without a password manager, I felt the time was right to complete the series on password management.
Read on for specific, detailed examples of how to implement the base phrase approach.
How to Make Good Passwords Using a Base Phrase Approach
This first example illustrates the basic concept: You start with a base password (in this case, “password”), and then you construct the passwords for your Facebook, Gmail, and Chase accounts by using the same rule for each account—in this case, appending the name of the service.
Base Phrase: password
Addition method: append name of service to the end of the base phrase
Example passwords:
Facebook – passwordfacebook
Gmail – passwordgmail
Chase – passwordchase
These kinds of passwords are too obvious, so we need a far better base password, but still easy to remember. So let’s take a phrase you remember but is unguessable, and convert it to a “base phrase” by using the first character of each letter in a logical way, using symbols and capital letters when possible. Use a phrase that is easy for you to remember, such as an interesting fact or a line from a song or poem. For example, let’s say you got a Porsche for your 18th birthday and loved it:
Phrase: For my 18th birthday I got a Porsche 911. Expensive, but I love it!
Base Phrase: Fm18bIgaP911.$bIli!
Addition method: add name of service to the end of the base phrase
Example passwords:
Facebook – Fm18bIgaP911.$bIli!facebook
Gmail – Fm18bIgaP911.$bIli!gmail
Chase – Fm18bIgaP911.$bIli!chase
These are much stronger passwords and individually very difficult to crack, but there is still a problem. If one of your passwords gets captured, the attacker will do the obvious: try the same base phrase for all of your other accounts, using the same rule. So we need a better method for naming the service that is much less obvious to an attacker, but easy to remember. Here is one such method:
Phrase: For my 18th birthday I got a Porsche 911. Expensive, but I love it!
Base Phrase: Fm18bIgaP911.$bIli!
Addition method: Transform the first and last letters of the service into other characters by shifting one letter to the right on the keyboard. Insert first transformed character before the base phrase. Append last transformed character after the base phrase.
Example Passwords:
Facebook – gFm18bIgaP911.$bIli!l
Gmail – hFm18bIgaP911.$bIli!;
Chase – vFm18bIgaP911.$bIli!r
With only one captured password, it would be difficult for an attacker to identify which part of the password is the base phrase. On the other hand, if two or more passwords were captured, an attacker could very easily identify the base phrase portion. Armed with this information, the attacker could use brute force methods to crack the rest of your passwords. This is still a vast improvement over standard password management for most people and would thwart many forms of automated attack.
It is also possible to construct more complicated rules that combines your base phrase with the name of the service into a password which eliminates the base phrase altogether. Called “password hashing,” this is considerably more secure than what I outlined above, but far too difficult to implement manually. For more information about password hashing, including helpful tools, read here.
Guidelines
To sum up the above discussion, here are some guidelines to setting up your own personal base phrase system:
- The total password length (base phrase + additional characters) should be 15 or more characters. I explain why, here.
- The “base phrase” should be easy for you to remember and type, but impossible for others to guess.
- You may want to avoid using special characters in the base phrase, as not all sites accept them.
- The discovery of one password should not imply the others. Use a rule which transforms the additional characters into something else and appending them in a way which is not too obvious.
Gina Trapani of lifehacker fame is an advocate of a base phrase approach (which she refers to as a key with a pattern). You can read her take on the subject here, or even see a video she prepared, here.
A more recent article on this subject was posted to the New York times blog, here. In a follow-up comment, author David Freedman challenged his readers to discover the password he thought up for accessing his nytimes.com account (mcZ3sbja) using an algorithm he devised in his head in 4 seconds. Guess what? A reader quickly figured it out, as described here.
Closing Comments
Correct implementation of the base phrase approach requires considerable care and discipline, and for this reason I do not recommend this approach for most people. There are also other disadvantages compared to a password manager, such as being less convenient to use, not working for sites that require short passwords, and requiring that all passwords be changed if one suspects multiple passwords have been captured.
Nevertheless, some people are very reluctant to entrust software with something as critical as passwords. A base phrase approach correctly used may not be as effective or convenient as using a password manager, but it is a far better method for managing passwords than that practiced by the average Joe.
As you know, I am an advocate of password management systems. But if you do need to memorize more than half a dozen passwords (but fewer than a few dozen), then the scheme you present may work.
I have my doubts that it would work practically for more than a few dozen passwords. People would start having trouble remembering or reconstructing the site specific material. But this, as they say, is an empirical question. I would love to hear from people who have tried this.
This reminds me of a scheme I used 25 years ago for various ATM cards. I would have a scrap of paper in my wallet that listed a few phone numbers. The last four digits of those phone numbers were subtracted (mod 10) from a four digit key.
To make things simple, suppose the key is 5555, and one of my cards had the PIN 1337. I would then have a phone number what would have something like 973-6882. If you add 5 to each of those last for digits (wrapping around to 0 when you reach 10), you get back to 1337.
There is one crucial point why this was sufficient back 25 years ago, but isn’t today. If someone got hold of your card, they could try only a few times before the card got taken by the machine for too many incorrect PIN entries. So the system only needed to prevent the attacker from discovering the true PIN within the first few guesses.
Most modern systems don’t behave that way. Attackers can sometimes have an unlimited number of times to guess and can automate the process. And so schemes like my PIN one and these basename schemes, while fun to devise, may not provide the kind of defense that is needed when considering a modern attacker.
Jeff – Thank you very much for your insightful comments and interesting memory scheme for ATMs. I agree with you. Using a password manager is easier and more secure for most people. Unless you are very clever, an algorithm for devising passwords will only take you so far. I decided to post this only because I’ve seen so many other people posting about this lately and felt the need to complete the series.
Jeffrey — on the subject of PINs, and bearing in mind your valid point about the limited number of tries someone has to guess a card’s PIN, you may be interested in a scheme I came up with a while back, described in my wibble article ‘Pinning down the PINs‘. It has the distinct advantage of not requiring any numerical hoop-jumping — something that may be of benefit to some 🙂
(As your comment was posted over three years ago, a friend of mine would accuse me of being ‘late to the party’, but I still maintain that communication on the innerwebz has the dual benefit of being asynchronous and public; old comments need never die if they still have relevance.)
Joe — thanks again for continuing to maintain your fabulous password advisory resource. I point folk here every chance I get!