A while back I wrote a post<\/a> on techniques to generate strong but memorable passwords. This clearly struck a chord with a number of you \u00a0judging by the number of questions it sparked.<\/p>\n\n\n\n One of the most commonly asked questions was whether it is better to have a single very strong password and use this for every log-in or to have a separate password for each site.<\/p>\n\n\n\n The answer is that each approach has things in its favour but for me I just don’t like the idea of having one that does everything.<\/p>\n\n\n\n Thinking about it everyday terms: would you have one key which could open your house, car, and office?<\/p>\n\n\n\n The way you answer that question will probably answer the “one-or-may” password question.<\/p>\n\n\n\n It’s OK, it’s your choice, but just make sure that it is seriously strong and don’t even hint that you you use the same password for everything.<\/p>\n\n\n\n After all, if some knows that you use the same password for everything it makes you much more attractive as a hacking target.<\/p>\n\n\n\n Some people advocate using an entirely different password for each service. While I respect their views this is a bit extreme for me.<\/p>\n\n\n\n My approach is to use a strong stem password, using the techniques I outlined in the post “Passwords – Strong or Memorable<\/a>“, and add something to it which is specific to each log-in.<\/p>\n\n\n\n The trick is to disguise the add-on to avoid giving clues to any would-be hacker. As and example, if I banked at HSBC, I could just add “HSBC” to the end of my strong password stem.<\/p>\n\n\n\n To make it more secure I personally use techniques like substitution, word joining and using foreign words as I discussed in my last blog post<\/a>, to disguise the add-on.<\/p>\n\n\n\n Let’s use the BBC as an example. Clearly adding .BBC to your strong stem would work, and for something as like the BBC website would probably be OK.<\/p>\n\n\n\n But let’s assume that you want your BBC web site preferences to be kept more secure than that.<\/p>\n\n\n\n We know that we can use substitution but BBC does really lend itself to this. However something like 88( would probably be an improvement.<\/p>\n\n\n\n The next tack is to use foreign words. The problem for me is that there is no obvious translation of BBC that would be better than the English version from a substitution point of view.<\/p>\n\n\n\n What I would do in this case is a bit if lateral thinking. In the UK the BBC is often referred to as “The Beeb”. “Beeb” makes me think of “Bee”.<\/p>\n\n\n\n Translating “Bee” gives “Abeille” (French), “abeja” (Spanish) “Ape” (Italian) and “Beine” (German).<\/p>\n\n\n\n Taking the first three letters of each and applying substitution gives:<\/p>\n\n\n\n Abe > ^b3 (French and Spanish) The key point is that none of these have any obvious connection to the BBC.<\/p>\n\n\n\n Many of us buy from Amazon. Given that Amazon hold your credit card and address details it is reasonable to want your login to be secure.<\/p>\n\n\n\n Something simple like ^m@ would work but to be really secure another dose of lateral thinking can really improve things<\/p>\n\n\n\n Here’s my suggestion: Start with the sentence: “T<\/strong>he A<\/strong>mazon is a r<\/strong>iver i<\/strong>n Brazil and b<\/strong>y s<\/strong>ome measures is t<\/strong>he l<\/strong>ongest river in t<\/strong>he w<\/strong>orld”. Then take, as an example, the first letter of alternate pairs of word to make a new word.<\/p>\n\n\n\n In this case we get TAribstltw. Apply some substitution according to your preferred pattern to give something like T^r16st!t” and take what ever chunk of this that you want for your add-on.<\/p>\n\n\n\n Adding my preferred three characters, ^r1, to my foreign language password from by previous blog post would give\u00a0318htK^f.^r1 for my amazon password.<\/p>\n\n\n\n Is such a password totally secure? In terms of hacking by guessing a password then yes, in all practical terms it is.<\/p>\n\n\n\n To be a bit more objective I tested it using www.passwordmeter.com<\/a>\u00a0and howsecureismypassword.net<\/a><\/p>\n\n\n\n The former rated it as “Very Strong” while the latter reckoned that it would take a computer\u00a041\u00a0quadrillion years to crack.<\/p>\n\n\n\n Whether or not you believe the actual number that howsecureismypassword.net<\/a> gives, the example password is clearly seriously strong.<\/p>\n\n\n\n My approach to passwords is just one way of going about it. Another approach is to use a service like Last Pass<\/a>, a browser based password manager.<\/p>\n\n\n\n Lastpass is available as an extension for all the major browsers and for android and IOS.<\/p>\n\n\n\n How you generate and use passwords is your choice. The way I look at it, the most important step is to move away from easily guessable regular words.<\/p>\n\n\n\n Even some very simple substitution can make a password much harder to crack. As an example, according to\u00a0howsecureismypassword.net<\/a>\u00a0my surname as password would be instantly guessable by a computer equipped hacker.<\/p>\n\n\n\n Tweaking it to W1ndm1ll would on average take the same hacker 4 days while going further to W1n9^^1ll would take up 4 weeks of the hackers time. Adding a site specific extension, say “.P@55” takes the crack time to 4 Billion years<\/p>\n\n\n\nAnd the answer is……<\/strong><\/h4>\n\n\n\n\n\n\n\n
If you are happy with one password?<\/strong><\/h4>\n\n\n\n
Using multiple passwords<\/strong><\/h4>\n\n\n\n
An example<\/strong><\/h4>\n\n\n\n
Ape > ^p3 (Italian)
Bei > 83i (German)<\/p>\n\n\n\nAnother example<\/strong><\/h4>\n\n\n\n
How secure is a password?<\/strong><\/h4>\n\n\n\n
Is this the only way?<\/strong><\/h4>\n\n\n\n
How far should\u00a0should I go with my passwords?<\/strong><\/h4>\n\n\n\n