For the Connected Missionary

Missionary Geek

You should have unique passwords for each of your online accounts. Reusing passwords is easy on you, but also creates a security risk by making it easy for the criminals. Here is a simple way to create a unique password for each website you visit and help you avoid some of the worst password pitfalls.

Various Strategies

Let me start by giving you a quick rundown of various password creation strategies. These are ways that let you create unique passwords. But the one I like and use, when I am not using a password manager, is the “code word plus website” approach.

Base Password

Some people recommend a base password that you use all the time and add a few characters to the end of the password that make it unique to the website. The base password can be something like eDp9#$b2. Then you would add go to the end to make a password for Google, or am to make a password for Amazon. This would result in passwords like eDp9#$b2go and eDp9#$b2am respectively. It would only take 2 compromised passwords for someone to figure out your whole password strategy though.

Keyboard Patterns

You can type a pattern of keys as a password. Starting at A you may type every other letter down that row and back the next row until you get 10 characters. This would result in something like adgjl'\[ou. You could create a pattern that has you hitting the shift key on every 3rd character which would give you greater variety. Then you can actually write down your passwords in a list by just writing “Amazon d.” You know that you do your pattern starting at the letter d for your Amazon password.

But the strategy that my wife and I used consistently (until we moved to LastPass) and still often use for passwords that we actually have to type often is one in which you use a code word hashed within the website name. Because my wife also knows the strategy, we have a failsafe in case something happens to one of us: we will both have access to all the needed accounts.

Code Word + Website

Pick a code word that you will use on all your passwords. You could actually have several code words for added security, but I will show you how to use one and you can adapt it from there. For this example I will use the word water. For the record, please don’t use this word in building your own passwords since I have used this word for years to teach this strategy. There are many people who may be foolishly using it.


Unique Passwords for Each Site

You will then take the code word water and mix it with the first 5 letters of the website you are visiting. We will use MissionaryGeek.com as an example. If you had a login name and password here you would use the first five letters of the name MissionaryGeek, missi, and mix that with your code word water to build your password. But there is something else you want to do with water before you create the password.

Mix your code word with capitals and numbers to come up with a word that is similar to water, but not exactly. Change your vowels to numbers and capitalize all the consonants. Therefore the word becomes W4T3R. Now it is time to combine the first 5 letters of the website name alternately with the letters of the code word.

You end up with: mWi4sTs3iR

It is not an overly strong password since it is only 10 characters made up of only letters and numbers, but I would guess that it is stronger than the passwords you are currently carrying around in your head. Plus, you can always re-build this password without having to write it down to remember it. Every time you go to the site you will be able to consistently create the password on the fly when you have to log in.

Use at least 4 characters each in your code word and in your website name. Many places won’t let you create a login with a password shorter than 8 characters.

Dealing With Odd Accounts

There are times when you need a password but it is not related to a website, or the website has a short name (shorter than 5 letters). Here is how I deal with those.

No Website Name

My home router does not have a website domain name. Therefore, when I created an administrator password for it, I had to come up with a strategy to deal with items that were not websites. For appliances like this, I use the brand name of the manufacturer. I thought about using the appliance type (e.g., router) but that is too ambiguous and could cause me to create a password that I could not reproduce. Therefore, when there is no website name involved, I use the brand name of the product.

There are also situations where you have no name at all to combine with your code word. In those cases I have fallen back on combining my code word with another word that I always use. Of course, this means that in those situations, I no longer have a unique password because I am reusing the same code word and regular word all the time. I think it is certainly acceptable to have a handful of places that the same password will work. I just have to remember that if one of those places gets compromised, then I am vulnerable at all the other places that password is used.

Short Web Addresses

The first time I started using this strategy to create unique passwords, I panicked when it came time to make a password for my eBay account. For web addresses that have fewer than 5 letters, I include the letters in the top level domain (e.g., com, net, org, etc.) until I reach the 5 letter requirement. So eBay in my password becomes ebayc (for ebay.com) and the whole password would be eWb4aTy3cR.
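The whole procedure above (transform the code word, take the first five letters of the site, borrow letters from the top-level domain for short names, then interleave) written out as a small script, added here as an example and not part of the original post. Only the a→4 and e→3 substitutions come from the post; the digits used for i, o and u, the dropping of a leading "www", and the nominal strength estimate are my assumptions.

```python
from itertools import zip_longest
from math import log2

# 'a' and 'e' follow the post; the digits for 'i', 'o', 'u' are assumed.
VOWEL_DIGITS = {"a": "4", "e": "3", "i": "1", "o": "0", "u": "7"}
SITE_LETTERS = 5  # the post uses the first five letters of the site name


def transform_code_word(word: str) -> str:
    """Vowels become digits, consonants become capitals: water -> W4T3R."""
    return "".join(VOWEL_DIGITS.get(ch, ch.upper()) for ch in word.lower())


def site_prefix(hostname: str, n: int = SITE_LETTERS) -> str:
    """First n letters of the site name. Short names keep borrowing letters
    from the top-level domain (ebay.com -> ebayc), as the post does for eBay."""
    labels = hostname.lower().split(".")
    if labels and labels[0] == "www":  # assumption: www.ebay.com == ebay.com
        labels = labels[1:]
    letters = "".join(ch for ch in "".join(labels) if ch.isalpha())
    if len(letters) < n:
        # The post gives no rule for this case, so refuse rather than guess.
        raise ValueError(f"{hostname!r} has fewer than {n} letters even with its TLD")
    return letters[:n]


def build_password(code_word: str, hostname: str) -> str:
    """Alternate site letters with code-word characters: missi + W4T3R -> mWi4sTs3iR."""
    code = transform_code_word(code_word)
    prefix = site_prefix(hostname)
    # zip_longest keeps the tail if the code word and site prefix differ in length.
    return "".join(s + c for s, c in zip_longest(prefix, code, fillvalue=""))


def nominal_bits(password: str) -> float:
    """Upper bound on strength if an attacker knew only the character classes.
    The real strength is far lower once the scheme itself is known, which is the
    weakness the post discusses below."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    return len(password) * log2(size) if size else 0.0


if __name__ == "__main__":
    for host in ("missionarygeek.com", "ebay.com"):
        pw = build_password("water", host)
        print(f"{host:20} {pw}  (~{nominal_bits(pw):.0f} bits at best)")
```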

Weakness of This Strategy

There are two major problems with this strategy. The first is what to do when you need to create a new set of passwords because of a compromised website or device. The second is that someone could figure out your strategy.

Changing Passwords

If one site gets compromised and you do have to change your password, then you will have to decide whether to deal with the problem as a standalone issue or change all your passwords together. This is also an issue if you have a computer, tablet, or phone stolen. Your passwords may have been saved on the device causing you to have to generate new passwords.

If you deal with just the websites and passwords that are compromised, how are you going to alter your strategy or code word? You either need to change your code word for that site and remember that it is different from all your other code words, or just build a new password for that site outside of your code word strategy. If you have a fallback code word that you can use each time you have to change a password, then you only need to remember which sites are different from the norm. However, if you decide to change the password to some password that you have to remember especially for that site, you will probably end up with a weaker password than you originally had.

Multiple Compromised Passwords

The second major weakness of this strategy is that if someone sees enough of your passwords together, they can figure out your strategy and rebuild your unique passwords that are used across the web. That is assuming they are personally looking at your information and not simply relying on a computer to do all the work. While I don’t think most hackers are spending the personal time necessary to make this connection, I do think it is a valid concern.

This is where a password manager comes into play.

Password Managers

Because of the need to create so many passwords today, there has been a new marketplace for password managers. I avoided using them for so long because I was concerned that I was at risk for a single point of failure if the system got hacked. Or, more concerning to me, was the uncertainty that someone was on the other side of the software collecting all my passwords.

I am at a point where I believe password managers with a good reputation really are handling my data like they say they are. Good ones don’t even store your passwords in a way that can be read by the maintainers of the system. The passwords are encrypted on your end and then sent to them. When you request a password, it is only decrypted when it arrives on your machine, with your master password as the key for both the encryption and the decryption. Therefore, you should not store your master password on your computer lest the machine get stolen and you lose control of everything.

My master password for my password manager is a much longer password than I normally use, but it also contains some of the elements of the above strategy so that I can rebuild it without having to remember a long complicated password.

Your Password Strategy

Do you have a password strategy that you use that you think is better than the one shared here? Feel free to share your ideas in the comments below without giving away too much information that would leave you vulnerable.

About the author

David is a missionary working with the Deaf. His focus is helping churches in Latin America start ministries for the Deaf in their communities. He currently lives with his wife and kids in Mérida, México. David also serves as the Director of Deaf Ministries for his mission board, Baptist International Outreach.

3 Comments for this entry

  • anon says:

    Password manager for everything. Lastpass, 1Password, or KeePass. A 40+ character sentence (not found in literature) as the master password. Simple, effective, and the only real threat to this scheme is a keylogger. I sleep well with this solution.

    • David Peach says:

      Thanks for the input. I am actually working on a post now that explains how to use a password manager. I let the password manager create passwords for me instead of creating them on my own now. That is, unless I need a password that needs to be memorized. Then I use this scheme, but still store the password in LastPass.

      I am also explaining how to get around keyloggers in a later post.

  • anon says:

    Yes, and really keyloggers can be eliminated as a threat with LastPass since it allows you to enter your master password with a virtual on-screen keyboard. I’m never that paranoid with my own hardware, but if I needed to log in on a public computer I would use that.

    Another significant threat is social engineering of users, password recovery questions, or even tech support. Examples:
    https://medium.com/cyber-security/24eb09e026dd
    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

3 Trackbacks / Pingbacks for this entry

  • […] computer, I do so with a certain process. To teach this, let’s take an example from the building unique passwords article to use as our base. The password we will use is the fictional one we created for the MissionaryGeek […]

  • […] first is about how to build good unique passwords that you can remember but that are complicated enough to be secure. You have to avoid words that […]

  • […] What Heartbleed does (or “did” since most of the vulnerable sites have been fixed) is that when your computer exchanges information with the secure website you are using, a third party could request information that is stored in the server’s RAM. Mostly that information is random nothingness. But, it could also as easily be your login credentials, and most alarming, the security certificate of the server. Of course, if your username and password were in the data that was exchanged it would be a bad thing—especially if you use the same password at any other site. The bad guys would then have everything they need to pretend they are you across the web. That is why unique passwords are important. […]
