Okay, there are a lot of articles on the importance of creating strong and unique passwords for every site, app, or device that requires one, but if you're not using a strong, unique password for everything then you need to keep reading this one. Simply put, using the same password everywhere means that if someone cracks your password at the message board run by your local hobby group (which may well be storing it in plain text or with a weak hash), they have also cracked your password at your bank or your email. If your password isn't strong, the work an attacker needs for a brute-force attack shrinks exponentially with every character you leave off. Of course, creating a strong password makes it inherently difficult to remember, and trying to remember a different strong password for every place you need one is difficult to say the least. It is possible, though, if you have a personal password policy for creating and recreating unique passwords for everything.
Here is how to create your own personal password policy:
1) Decide the length of your password. I recommend between 14 to 16 characters.
2) Create a salt password. Basically this is a strong secret string that will later be combined with a unique identifier to create each final password. (It isn't a salt in the cryptographic sense, where the salt is a random, non-secret value stored next to the hash; here it is the secret part, so treat it like a master password.) It needs to be at least 8 characters consisting of mixed-case letters, numbers, and ideally symbols (see note 1). My recommendation is to visit Steve Gibson's Password Generator. Pick any section of 8 or more characters from the second or third string there and memorize it (or even write it down and keep it somewhere safe). Check it at PasswordMeter to make sure its complexity rating is very strong (it doesn't have to be 100%, but you can use the feedback to tweak it until it is) and voilà, you have a strong password.
There are of course other ways of creating a strong password that you might find easier to remember. Here is one I've been toying with:
- First get a memorable phrase (perhaps a lyric from your favorite song). Let's use ThisWillCreateAStrongPassword and condense it down using the first (or last) letter of each word in alternating case: TwCaSp
- Next add some memorable numbers to it, perhaps the sum of the birth dates of two significant people in your life (you and your significant other, or mother and father). For me that gives 58.
- Finally pick the first and last digit from a string of numbers significant to you (your phone number, your Social Security number, your birthday) and use the symbols above those digits on a US keyboard (9 and 6 give "(" and "^"). For me that might be (^
- Put them all together TwCaSp58(^
Personally I think it is easier to memorize the string from the password generator, but this method has the advantage that you can recreate the salt password so long as you remember the rules of how you created it. You can even write down the rules, since a person could only reproduce the password if they also know the specific details. Bear in mind, though, that birthdays and phone numbers are exactly the details an attacker who is targeting you can often look up, so written rules are only as secret as the facts they depend on.
3) Create the unique identifier (UI). The easiest way is to use the name of the thing. For a website I would use the name of the site, for an app the name of the app, for a device the name of the device. You see where I am going here.
4) "Hash" your unique identifier to make it less obvious. In theory you could just combine your salt password and your unique identifier to come up with your final password for a specific site. While that is a strong, unique password, it isn't quite good enough: if a bad guy gets your password at one site they might recognize what you are doing and extrapolate how to guess your passwords at other sites. A real cryptographic hash takes an arbitrary message and returns a fixed-length string that can't be worked backwards; what we do here is a much simpler fixed scrambling rule, which makes the pattern harder to spot but not impossible, so don't mistake it for real hashing. Since my salt password is 10 characters and I want a password that is 16 characters long, I'm going to take every 6th character of my UI (wrapping around to the start of the name when I run out of letters) until I have 6, lowercase them, and capitalize every 3rd one. So for Newsvine my hashed UI is: isEeiS.
5) Add your salt password to your hashed UI. The simple method is just putting one after the other, so for Newsvine the password would be TwCaSp58(^isEeiS. Notice how it differs from, say, the MSNBC password, which would be TwCaSp58(^msNbcM. Notice also that both start with the same 10 characters, which is exactly what an attacker holding two of your passwords would look for. Want to make your password stronger? Interleave it by inserting a character from the salt password after every other character of the hashed UI, then appending whatever is left of the salt. So the Newsvine password becomes isTEewiSCaSp58(^. This hides the shared prefix, but the shared tail (CaSp58(^) is still visible when two passwords are placed side by side, so interleaving buys obscurity rather than real extra strength.
There you go: you now have a password policy that creates a unique, strong password for anywhere you need one. By remembering how you create the password you can recreate it any time you need it, on the fly.
Now here is how we make it easier to create and use.
- Create a salt password 11 to 13 characters long (ex: TD5!MOv;a*96;)
- Use an easy rule to pull 2 or 3 characters out of the name of whatever you're creating a password for (ex: Newsvine becomes eSi)
- Place a letter from the hash after each symbol (ex: TD5!eMOv;Sa*i96;). If you're not using symbols, place them after the numbers instead.
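To make the derivation concrete, here is the full five-step policy and the simplified variant above implemented as a small Python script. This is an added example, not code from the original post. The salt strings and site names are the ones used in the post; the selection rule for the simplified variant (every 2nd letter of the name, three letters, capitalize the middle one) and the handling of leftover letters are my assumptions, since the post only says "an easy rule". The functions are plain string manipulation, not cryptography. The last function shows why step 4 warns about pattern recognition: two derived passwords placed side by side expose the shared salt.

```python
"""Deterministic 'personal password policy' from the post, worked through.

Added example: none of this is the post author's code. The rules are the ones
described in steps 2-5 and in the simplified variant; the rule used for the
simplified 'eSi' hash is an assumption (see the hashed_ui call in main).
Nothing here is cryptographic: every step is a fixed, reversible rearrangement.
"""
import os

# Salt passwords exactly as given in the post.
SALT_FULL = "TwCaSp58(^"        # TwCaSp + 58 + (^  (step 2)
SALT_SHORT = "TD5!MOv;a*96;"    # simplified variant


def hashed_ui(name: str, step: int = 6, length: int = 6, cap_every: int = 3) -> str:
    """Step 4: take every `step`-th character of the name (counting from 1 and
    wrapping around when the name runs out), `length` times, lower-cased, and
    capitalise every `cap_every`-th picked character.
    Defaults reproduce the post: Newsvine -> isEeiS, MSNBC -> msNbcM."""
    lowered = name.lower()
    picked = []
    for k in range(1, length + 1):
        ch = lowered[(k * step - 1) % len(lowered)]
        picked.append(ch.upper() if k % cap_every == 0 else ch)
    return "".join(picked)


def concatenate(salt: str, hui: str) -> str:
    """Step 5, simple method: salt followed by the hashed UI."""
    return salt + hui


def interleave(salt: str, hui: str) -> str:
    """Step 5, 'stronger' method: one salt character after every other
    hashed-UI character, then the remainder of the salt."""
    salt_chars = iter(salt)
    out = []
    for i, ch in enumerate(hui, 1):
        out.append(ch)
        if i % 2 == 0:
            out.append(next(salt_chars, ""))
    return "".join(out) + "".join(salt_chars)


def slot_after_symbols(salt: str, hui: str) -> str:
    """Simplified variant: one hash letter after each symbol in the salt, or
    after each digit if the salt has no symbols. Leftover hash letters are
    appended at the end (assumption; the post does not say)."""
    has_symbol = any(not c.isalnum() for c in salt)
    is_slot = (lambda c: not c.isalnum()) if has_symbol else str.isdigit
    letters = iter(hui)
    out = []
    for c in salt:
        out.append(c)
        if is_slot(c):
            out.append(next(letters, ""))
    return "".join(out) + "".join(letters)


def shared_ends(p1: str, p2: str) -> tuple:
    """What two leaked derived passwords reveal: their common prefix and
    common suffix, which is where the fixed salt ends up."""
    prefix = os.path.commonprefix([p1, p2])
    suffix = os.path.commonprefix([p1[::-1], p2[::-1]])[::-1]
    return prefix, suffix


if __name__ == "__main__":
    for site in ("Newsvine", "MSNBC"):
        h = hashed_ui(site)
        print(f"{site:9} hashed UI {h:7} concat {concatenate(SALT_FULL, h)}  "
              f"interleaved {interleave(SALT_FULL, h)}")
    # Simplified variant, assumed rule: every 2nd letter, 3 letters, cap the middle.
    short = hashed_ui("Newsvine", step=2, length=3, cap_every=2)
    print("simplified", short, slot_after_symbols(SALT_SHORT, short))
    # Two leaked concatenated passwords hand over the salt as a common prefix;
    # interleaved ones hand over most of it as a common suffix.
    print("exposed (concat):", shared_ends(concatenate(SALT_FULL, hashed_ui("Newsvine")),
                                           concatenate(SALT_FULL, hashed_ui("MSNBC"))))
    print("exposed (interleaved):", shared_ends(interleave(SALT_FULL, hashed_ui("Newsvine")),
                                                interleave(SALT_FULL, hashed_ui("MSNBC"))))
```

Run it and the two "exposed" lines are the point: with the simple concatenation the whole salt TwCaSp58(^ is the common prefix of any two of your passwords, and with interleaving CaSp58(^ is still the common suffix. Either way, one site that leaks passwords in the clear gives an attacker most of what they need to guess the rest.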
Now for the hard part: go change all your passwords to conform to your policy. On the plus side, this will help you get fast at typing and remembering your salt password.
Notes:
1. Ok, best practice says that you use symbols in all of your passwords. Unfortunately not everything will allow you to use symbols as part of your password (sadly this often tends to be on sites where you want to use the strongest password). Because of this you may not want to use symbols as part of your policy. Fortunately a slightly longer password using only upper- and lower-case letters and numbers is at least as strong as a shorter one with symbols: 16 characters drawn from the 62 letters and digits give about 4.8 x 10^28 combinations, more than the roughly 4.2 x 10^27 you get from 14 characters drawn from all 94 printable characters, so adding two characters more than makes up for dropping symbols. In some ways not using symbols is easier to deal with than trying to create exceptions to your policy.