Password Mental Algorithms

Tanya Joosten was asking today about password managers, and it being 4:30 p.m. it seemed as good a time as ever to talk about password mental algorithms, and how they can make your life easier. Here’s how they work (keep in mind this is not *my* algorithm, just an example).

First pick a good root password. You’re just going to have to remember one root, so you can afford to make it good.


Now come up with your algorithm. It should be based on some system you know with enough of a twist to obfuscate it. What the system is will depend on what you know — the periodic table, release dates of Beatles records, the stops on the Boston Red Line.

Here’s an example — take the first three letters of the domain name, express them as the NATO phonetic alphabet, and intersperse the second letter of each of those words in slots 1,3, and 5 of the password. E.g.

Google = Golf Oscar Oscar = oss = o4stYsPoG!U

Outlook = Oscar Uniform Tango = sna = s4ntYaPoG!U

This sounds incredibly hard, but in reality since you type in passwords a lot you practice the system a lot and it becomes second nature.

You want to see the Beatles example? Sure. Google has six letters, the sixth Beatles album was Rubber Soul, so maybe:


That system will give you the same password for Outlook and Twitter, but you’ll live.

Once you know the system, it’s easy to see what letters have been replaced. But a person that learns one of your passwords can’t possibly intuit the other passwords without the system. If you want to change your passwords after six or twelve months, then alter the system slightly — now it will be the third letter of the word, or slots 3,4,6. Whatever.

Again, it sounds crazy complex, but it is so much more simple than remembering 40 separate passwords, and much less nerve-wracking than putting all your passwords into a piece of software that can become a single point of failure.

3 thoughts on “Password Mental Algorithms

  1. Password aging makes this approach hard. When you have to change a password every 90 days, do you tweak the algorithm and change all your passwords, or make changes only in the aged passwords, in which case you have to remember what version you’re using this quarter? When you add periodic required changes to multiple sites, you begin to press the ability of the human memory to keep track of it all.

  2. I’ve always gone with a version of using mnemonics of a favorite phrase or saying with some leet numbers and or punctuation and a year tag. It was the best of times; It was the worst of times becomes something like IwtbotIwtwot and then Iwtb0t!Iwtw0t!13

    For mandated changes I either change the year tag to the new year (if it is) or add a, b, c at the end. Which means it generally takes at most one guess if I forget that a site has required a change.

    It’s easy to type because the phrase gets under the fingers and it’s complex enough that being hacked directly (rather than through social engineering) is the least of my security worries.

  3. s much more suitable for small businesses, individuals & firms.
    Don’t get me wrong, I use to be the same way, not until
    I stumbled upon a great opportunity that kind of changed the
    way I create websites and do business online. It is mainly aimed at being a hosting solution for major online businesses with a powerful
    server that serves you alone.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s