Personal Password Policy
I don’t know why, but I’ve been thinking a lot lately about how I manage my online passwords. I did a quick survey at work and found that most people (myself included) use the same password for many websites. This might not seem like a big deal, but what would happen if somebody got hold of your password? They’d have access to every site you use that password on.
To solve this problem, I came up with a list of criteria for the best password policy:
- I need a different password for each site I use.
- The passwords need to be strong (no dictionary words; a mix of upper case, lower case, numbers and punctuation).
- The solution needs to be portable (I’m not always at my own computer).
- The solution needs to be difficult to compromise.
The first thing I thought about was a password manager like KeePass, but this violated criterion 4. KeePass and many other password managers work with a “master password”: you enter the master password into KeePass, and you have access to all your other passwords. KeePass is designed to be portable by allowing you to install it on a USB stick. The problem with this is that somebody could discover my master password and have access to all my passwords if they stole my USB stick. Also, I could easily lose (or forget to carry) my USB stick, in which case I’d be out of luck.
I also thought of installing a web-based password manager script on my server, but that has the same inherent problems as a disk-based password manager, except that instead of my losing the device, the server could go down at an inconvenient time, leaving me without my login information.
I read about a Firefox plugin that also used a master password, but it created website passwords by using the site’s domain name as a seed for generating unique random passwords. While the plugin still violates criterion 4, it got me thinking about using the domain name to create passwords.
What I decided to do was to come up with an easy-to-remember algorithm that I could apply to a website’s domain name to give me a really strong, unique password. For example, your algorithm could be this:
- Convert every other character of the domain name to upper case, starting with the first (the dot counts as a position).
- Interpose the letters of your favourite pet’s name into the domain name, one letter after each character until the name runs out.
- Add a predefined string (for example, the month of your birth, such as March) to the end.
If your favourite pet’s name were Fluffy and your birth month were March, and you applied this to hotmail.com, you would get HfolTumfAfiyL.CoMmarch. For gmail.com, you’d have GfmlAuifLf.yCoMmarch.
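To make the three steps precise, here is the algorithm written out in Python. This is an added example, not code from the original post; the function names and the `recover_secret` helper are this example’s own, the rule that the dot counts as a position and that the name’s letters go one after each domain character is taken from the post’s gmail.com output, and the handling of a pet’s name longer than the domain is an assumption, since the post does not say.

```python
"""The three-step password algorithm from the post, written out in Python.

Added example, not the author's code. Function names and the `recover_secret`
helper are this example's own; the sample inputs (Fluffy, March, hotmail.com,
gmail.com) are the post's.
"""
from __future__ import annotations


def alternate_case(domain: str) -> str:
    """Step 1: upper-case every other character, starting with the first.
    The dot counts as a position, which is what the post's gmail.com output
    (GmAiL.CoM before the name is interposed) shows."""
    return "".join(
        ch.upper() if i % 2 == 0 else ch.lower() for i, ch in enumerate(domain)
    )


def interpose(base: str, word: str) -> str:
    """Step 2: after each character of `base` insert the next letter of `word`
    until the word is used up; the remaining characters of `base` follow as-is.
    Assumption (the post does not say): letters of a name longer than the
    domain are appended after the domain."""
    out = []
    letters = list(word.lower())
    for ch in base:
        out.append(ch)
        if letters:
            out.append(letters.pop(0))
    out.extend(letters)
    return "".join(out)


def derive_password(domain: str, pet: str, suffix: str) -> str:
    """Steps 1 to 3 in order. The post's outputs show the pet's name and the
    suffix in lower case, so both are lower-cased here."""
    return interpose(alternate_case(domain), pet) + suffix.lower()


def recover_secret(password: str, domain: str) -> list[tuple[str, str]]:
    """The attacker's side: given ONE leaked password and the site it was used
    on, peel off the alternate-cased domain and read back the pet's name and
    the suffix. Every (pet, suffix) pair that reproduces the password is
    returned; the real one is always among them. Assumes the pet's name is no
    longer than the domain, as in the post's examples."""
    base = alternate_case(domain)
    found = []
    # n = number of pet letters interposed; the interleaved part is then
    # n + len(base) characters long and the suffix is whatever follows.
    for n in range(0, min(len(base), len(password) - len(base)) + 1):
        pet = password[1:2 * n:2]          # the odd positions while the name lasts
        suffix = password[n + len(base):]
        if derive_password(domain, pet, suffix) == password:
            found.append((pet, suffix))
    return found


if __name__ == "__main__":
    for site in ("hotmail.com", "gmail.com"):
        pw = derive_password(site, "Fluffy", "March")
        print(f"{site:12} -> {pw}")
        print(f"{'':12}    leaked once, reveals: {recover_secret(pw, site)}")
```

`derive_password` reproduces the post’s gmail.com output exactly. `recover_secret` is the check a practitioner would run against criterion 4: with a single password leaked from one site and the site known, the domain is readable in the password and whatever remains is the pet’s name and the suffix, which together reproduce the password for every other site.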
These passwords look too hard to remember, especially if you had to remember a different one for each site you were registered at, but the beauty of this policy is that you only need to remember the algorithm you used to create them.
This is the best personal password policy I could come up with. If you have any other good solutions, please let me know.