The problem of choosing a password is probably one of the most annoying things anyone has to do on the web these days. It isn't even enough that many of us have tens if not hundreds of online accounts behind which lies information of varying levels of security and value. Many of those accounts also require different levels of security in their password requirements. The problem of standardizing on a set of rules to dictate password creation is a topic for another discussion, however. We all know we're not supposed to use the same password for multiple accounts, we've seen the statistics but many (probably most) of us still do it. 

A number of months ago someone broke into my Facebook account using a password that had been obtained from another site with shoddy security. I had been using that password on a number of sites, and it finally caught up with me. Like for many, that event catalyzed my need to come up with a new system, but it had to be one that would yield the Holy Grail of passwords: ones that are unique, retrievable, and secure. I had my work cut out for me. It's easy to see why so many people have insecure passwords. Creating unique, retrievable, and secure passwords is difficult.

Unique passwords must be different for each site, and must not be guessable. So a password like "facebook123" is bad because if someone figures that out, they can figure out your other likely passwords.

Retrievable passwords must be ones that you can remember on your own, without the need for 3rd party software. You must be the master of your own passwords, in case you find yourself without that application. 1Password is very popular, but if someone figures out your master password, then all of your other passwords are compromised. And what's worse, since you don't have all those passwords memorized, you're effectively locked out of those accounts.

Finally, secure passwords are ones that contain letters in mixed case, numbers, and some special characters. Also, passwords should be at least 8 characters long. The longer and more convoluted, the more secure.

As the saying goes: pick two. It's easy to create passwords that are secure and retrievable, but you're probably going to only have one or two that you switch between. Programs like 1Password are great at generating unique and very secure passwords, but they come at the expense of not being able to retrieve those passwords without the aid of the program¹. And clearly, passwords that are unique and easily retrievable are most likely not very secure (i.e. facebook123, passwordwellsfargo, etc). 

So what to do about all this? Here's the solution I came up with that so far has worked very well. After reading this you'll have no excuse for using the same password for every site, or for using easily guessable derivative passwords for all of your accounts. 

One Solution 

I created a formula for generating each new password. The formula doesn't change, but by including a number of variables that do change—predictably—as well as elements that don't change, I am able to create passwords that are unique, retrievable, and secure.

For example, I might begin each password with a memorable phrase, say "Only the Strong Survive". But since that's pretty long, I'll use the first letter of each word, so the beginning becomes "otss". Further, I may change the capitalization on every other letter, so it might look something like this instead: "OtSs".

To this I might add a number that I know well—perhaps the number of my favorite Rush album, giving me something like OtSs2112.

The next step is to add something that will change with each subsequent password, but change in a way that is predictable. You might choose to tie this to the name of the company or website to which the password applies, so it's easy to remember. For instance, Facebook might be changed by shortening it to the first 3 and last 3 letters, so it becomes "FaCoOk" giving me a password of OtSs2112FaCoOk which meets all three criteria. Well, almost.

It's important to make sure that if someone figures out or hacks one of your passwords that they won't be able to guess any of your other passwords. If they guess that "FaCoOk" refers to Facebook, they might also guess that something like "WacVia" refers to Wachovia. So to really obfuscate things, it's good to break up the part of your password that changes so it becomes completely unrecognizable on its own. Perhaps you split up the first three and last three characters around the number portion of the password, so "OtsS2112FaCoOk" becomes "OstS21FaC12oOk". Following the same formula, your password for your Wachovia account could be OtSs21WaC12hOv.

The password looks ominous, and if someone figures out one of these passwords, it's extremely unlikely they'd be able to figure out any others. Breaking it down into chunks makes it easy for you to remember because it follows a formula that only you know. Also, the beauty of this method is that each time you login somewhere, although the specific passwords are different, you're using the same formula over and over which reinforces it in your mind.

You can change any of these specific methods or add special characters like !@$ (in fact I urge you to), but the basic premise remains, and should allow you to create passwords that are unique, retrievable, and secure.

I'd like to say this method is perfect, but it is decidedly not so. The problem that I run in to far too often hearkens back to the issue I raised at the beginning of this article: there are no standard guidelines for password creation across the web. While for most websites this method will work just fine, you'll run into sites that are excessively restricting in what they'll allow you to use in your passwords. Some must be no longer than 12 characters, and while often you'll be required to use special characters, sometimes you'll be prohibited from doing so.

My solution to this problem is to come up with a second formula, maybe one that's shorter and that doesn't contain any special characters. Even this method has its issues though, since there's no telling how many different rules you may run into and whether any two particular formulas will even be able to cover all possible allowable configurations. Then there's the problem of remembering which formula you used for which website. No, it never ends, but this method has served me quite well, and so far I've only had to remember two different formulas.

Now that you've read this, go create your password formula. Right now. Once you've done that, as you come across any site to which you have an account, change your password. Takes about 2 minutes. Put a stickie note on your monitor if you need to. After a few times you'll easily get the hang of the formula and before you know it all your passwords will be unique, retrievable, and very secure.

¹1Password does allow you to create your own passwords, so it's not as if every 1Password user has passwords that are not retrievable. However, using a service like this reduces your ability to recall a password since most of the time you don't have to enter it. I still believe the best passwords are ones that don't require the use of external storage mechanisms.←