I have a different password for every website and all of them are similar but have a specific variation based on the website.
I heard this question on the latest Q&A of Security Now and thought of you
Leo: Marcus in Calgary is wondering about making his own secure passwords: I saw somebody suggest that you use a personalized set of rules when making passwords. That way you just have to know the rules, and you can figure out what the password was. For example, say I sign up with Amazon, and I set up these rules - and of course these are just example rules: Take the first seven letters from the name of the website after the www. and before the next dot. If less than seven letters, then just add 1, 2, 3, and so forth. Place a 5 between each character from Step 1. Replace all vowels with FluffyKitty27. If there are no vowels, just place FluffyKitty27 at the end. And then add a bang, an exclamation mark, after every lowercase or uppercase "F." What do you think, good way to generate a secure password?
Steve: Okay. That would be a good way to generate exactly one secure password. Because the problem is, anyone who were to capture that password, if Amazon.com were to lose control of their database...
Leo: Which happens all the time. Not with Amazon, but with others.
Steve: Not with Amazon, but unfortunately it's all too common. They could scrutinize that, knowing what domain it came from, and reverse engineer your funky little algorithm. That's why I went to all the trouble of developing the Off The Grid system, which I still need to finish the - it's all done, I mean, it's all documented. We did a podcast on it and everything. I just never took the pages public because I wanted to give it one final reading and solve a couple other - and, like, beef up the FAQ a little bit further.
But the whole concept with Off The Grid was that it was a similarly non-computer - it was an experiment. Can I develop a paper-based approach where each website encodes to something completely unique so that seeing one of them tells you nothing about any of the others. And so that's - certainly using a pseudorandom sequence and a database gives you that, no association between them. My system was a cryptographic, a paper-based cryptographic association which was strong cryptographically.
But the problem, Marcus, with your approach is that, as we said, if you saw one or a couple, you could figure out what the algorithm was and then guess your password for some other website in order to break in. And that's the weakness.
Leo: Yeah. You know, you don't have to stretch too far. It's well known how to do this. Get LastPass, which you've vetted.
Leo: And, boy, the more I use it, the more I love it.
Steve: Same way. It is my go-to solution.
Leo: Have it generate completely random long passwords.
Steve: And then it remembers them.
Leo: And let it remember them. You don't have to. I don't know my password for anything anymore except LastPass. And that's one where you could make it something that you can generate, and that's what I do.
Steve: Really screwball.
Leo: You know, I'll use this as an example because I read it once, and I certainly don't use it. But if you go through the last eight presidents, let's say, or make it 16 presidents of the United States, uppercase the Republicans, lowercase the Democrats, and then add a number for the number of years their term stretched, now, that's a good example of you're going to have a nice long password.
Steve: And we're going to give you an "A" in political science if you're even able to do that.
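As an added illustration (not code from the podcast or from the poster): Marcus's example rules implemented literally, next to the kind of independent random password a manager generates, with a longest-common-substring measure showing that two rule-derived passwords share a long, visible chunk of structure while two random ones share almost nothing. The URL handling and the single-pass reading of the vowel rule are my own assumptions about how the rules would be applied.

```python
import re
import secrets
import string
from urllib.parse import urlparse

VOWELS = re.compile(r"[aeiouAEIOU]")


def rule_based_password(site: str) -> str:
    """Marcus's example rules, applied literally (assumed single pass)."""
    host = urlparse(site if "//" in site else "//" + site).hostname or ""
    label = host[4:] if host.startswith("www.") else host
    label = label.split(".")[0]
    # Step 1: first seven letters, padded with 1, 2, 3, ... when shorter.
    step1 = label[:7]
    pad = 1
    while len(step1) < 7:
        step1 += str(pad)
        pad += 1
    # Step 2: a 5 between each character.
    step2 = "5".join(step1)
    # Step 3: every vowel becomes FluffyKitty27, or it is appended if none.
    # (Assumption: one pass, so vowels inside the phrase are not re-substituted.)
    if VOWELS.search(step2):
        step3 = VOWELS.sub("FluffyKitty27", step2)
    else:
        step3 = step2 + "FluffyKitty27"
    # Step 4: an exclamation mark after every f or F.
    return re.sub(r"([fF])", r"\1!", step3)


def random_password(length: int = 20) -> str:
    """What a password manager produces: per-site, independent, no rule to recover."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def longest_common_substring(a: str, b: str) -> int:
    """Longest run shared by two passwords: a crude measure of reusable structure."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


if __name__ == "__main__":
    derived = [rule_based_password(s) for s in ("www.amazon.com", "www.ebay.com")]
    independent = [random_password() for _ in range(2)]
    print("rule-derived share:", longest_common_substring(*derived))      # 18 characters
    print("random share:      ", longest_common_substring(*independent))  # small, site-unrelated
```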