How to Stop Worrying About Online Security and Never Forget a Password Again

Howard K. KurmanPrincipal, Offit│Kurman

While the internet is a wonderful invention that has forever changed the way we interact and do business, online security has become a real pain. The average American probably has several online accounts with websites and online services. These usually cover personal email, business email, social media (e.g. Facebook, Instagram, Twitter, Youtube, Reddit, etc.), professional networking (Linkedin, Xing, Stackoverflow, etc.), device services (e.g. Apple iCloud), financial services (e.g. Turbotax, Mint, YNAB, etc.), shopping websites (e.g. Amazon, Thriftbooks, etc.), cloud backup and sharefile services (e.g. Backblaze, Sharefile, Dropbox, etc.), online media (e.g. Netflix, Hulu, etc.), news sources (e.g. NY Times, WSJ, BBC, etc.), music services (e.g. Spotify, Pandora, etc.), online payment services (e.g. Paypal, Cashapp, Venmo, etc.), online investing (e.g. Vanguard, RobinHood, etc.), online banking, and countless others based on personal and business needs. In my last personal count, I had over thirty online accounts for all sorts of purposes. Remembering passwords for all of these is not impossible and it seems like every other month another large company exposes millions of Americans’ account details to fraudulent hackers.

The topic of this article is: how do we keep all these online accounts secure while making the passwords easy to remember? We need a system that keeps our online data as safe as possible that is convenient to use.

Secure Passwords vs. Convenient Passwords.

Secure passwords must have several attributes:

  1. They must be difficult to guess. Passwords based on common words, phrases, or dates are very easy to break.
  2. They should contain varied forms of characters, i.e. lower-case and upper-case letters, numbers, and symbols.
  3. They should not be short. The password “wJh6!” is not a common phrase and contains varied characters but can be broken in 68 milliseconds.[1] Longer passwords are better.
  4. There should be no single point of access. The passwords for the different accounts should not be written down anywhere or stored in a single file.
  5. Passwords should not be reused across accounts. The last few years have shown that even large companies and government entities cannot be trusted to keep personal information secure. Therefore, if a user has the same login and password for his social media account as for his online banking account, he risks both if one is compromised.

On the other hand, a convenient password has really only two attributes: It should be easy to use and easy to remember. But who can remember 20 or 30+ complex, long and hard to guess passwords?

Frequent Solutions:

  1. Use the same password across multiple accounts. This is probably the most common solution. Most people I know have a handful of passwords that they use and recycle across several accounts. These passwords are usually appropriately long and complex. Until about three years ago, I too was guilty of this. The downside is obvious – if one account is compromised, the others will be at risk as well. On the upside, it is a convenient solution since the user has to only remember one or two passwords.
  2. Keep a written log of all your passwords. I know a lawyer who keeps all her passwords in a notebook in her purse. The downsides are obvious. Not only does this approach expose her to others reading the notebook and accessing the online accounts, but it also means that if the notebook is lost or the user leaves her purse behind, she will not be able to access her accounts.
  3. Use a password manager program to store your passwords. For most people, this is the preferred solution. A company (e.g. Lastpass, 1password, Keepass, etc.) provides a system for the user’s computer and phone in which the user can save their passwords; the list of the passwords can only be accessed with a “master password.” This combines the strengths of the first two solutions – the master password is easy to remember and having the software store the passwords means that the user does not have to remember individual passwords. This is usually the recommended solution, but it has several drawbacks that always repelled me. First, this solution – again – depends on trusting a third party with all of my online information. Not only could such a company get hacked, but if subpoenaed, it would also be compelled to provide all of my passwords to others. Second, this solution would leave me stranded if I am using another person’s or a public computer, especially if my phone is missing or broken. Third, this solution costs money (horrors!).

A Better Way

I wondered if I could come up with a better solution. A way in which I could have an unlimited number of online passwords that were at once difficult to guess, long, varied, different from one another, free, and at the same time easy to use and to remember. I found that solution. And I’ve used it for the last three years. And it’s worked like a charm. I call it the “system solution.”

The System Solution

In short, my system for passwords is similar to a password manager, except that instead of memorizing a master password that grants me access to a list of passwords, I memorize a master formula that generates the relevant passwords.

For example, a simple formula might look something like this:

“5 first letters + Loki5251@@”

This means that I take the first five letters of the service or website where my account is housed and add the phrase “Loki5251@@”. Thus, my Twitter password would be “TwittLoki5251@@”. My Spotify password would be “SpotiLoki5251@@”. These passwords are long and complex enough that they would take over a trillion years to crack[1] and they are different from one another. All I have to do is remember the meaningless[2] phrase “Loki5251@@” – I can look up the rest by looking at my browser.

But, you might say, this is far too obvious. If Twitter gets hacked anyone can see how the formula works and try it on another account. That’s true.[3] So let’s keep tinkering. How about this formula:

“5 first letters (2à) + Loki5251@@”

This means that the password contains the first five letters of the website or service followed by the same phrase, but that the first five letters are each moved two keys to the right on the keyboard. Thus, “TwittLoki5251@@” becomes “UrpuuLoki5251@@”. It would be hard to infer the formula just from looking at this password. But we can keep tinkering:

“5 first letters (2à interspersed) Loki5251@@”

This means that the password contains the first five letters of the website or service followed by the same phrase, but the first five letters are each moved two keys to the right on the keyboard and then interspersed within the following word. Thus, “TwittLoki5251@@” becomes “ULropkuiu5251@@” (Twitt à Urpuu à ULropkuiu).

The potential variations are endless, and I encourage you to make up your own. Here are some suggestions:

  1. Move each letter from the website or service one or more letters left or right or up or down (note that letters at the sides of the keyboard move over to the other side if right at the end of a row of keys. Thus, “L” if moved to the right by two, becomes “S”).
  2. Intersperse the letters with your master password.
  3. Assign a number to each letter (like on a dial pad), add the value of the numbers, and add that number to the password. Or add that number to the password and then subtract or add your birthday to/from it.
  4. Assign a number to each letter (like on a dial pad). If the number of the first letter of the website is odd, reverse the capitalization of your master password. If it is even, don’t change it.
  5. Assign a number to each letter (like on a dial pad); take the number of the second letter of the name of the website or service and count it out on the keyboard on the first line (i.e. Q=1, W=2, E=3, etc.). Then add that letter to the password.

In the end, there is no limit to how simple or complex you want your formula to be. Mine is fairly simple. The important thing is to have a formula and stick with it on all your online accounts. This is important. Three years ago, I took one afternoon off and logged into every online account that I had and changed all of my passwords. It took over an hour, but it was worth it. These days whenever I am about log into anything, I think of my formula, look down on my keyboard, think for 2-3 seconds about where the letters go, and I’m logged in. I have not had to remember a single individual password. Knowing that all my online information is safe while I don’t have to worry about forgetting passwords provides enormous peace of mind.

Q&A

What if one of my accounts gets hacked due to a security breach by the website?

The good news is that the compromised password will not work with any of your other online accounts. Therefore, you only have to focus on mitigating the damage from that one breach. But if you want to keep using this service, you will need to change your password, and that’s a problem. You cannot use the same formula-generated password again (it has been compromised), but if using a different password, then the system solution is not fully implemented, and you have to start remembering new passwords like this one. There are two solutions to this. Either you can change your formula again on all your online accounts. That may not be a bad idea if you have thought of a better formula and want to update your online security anyway. Or, you could expand your formula to make allowance for an account that had been hacked. Thus, for every website that you know had had a security breach, the password would be as determined by the formula with, for example, the addition of “kcah” (‘hack’ spelled backward) at the end.

This sounds great… but it’s a big change.

It really is. Here is my suggestion: write down your formula on paper for the first month. Keep that paper with you; put it in your wallet if necessary. For the first week, accessing websites and accounts will feel awkward. By the end of the second week, it will be second nature. By the end of the month, you will wonder how you ever browsed the internet without this approach. Then destroy the paper and live happily ever after.

[1] Test passwords out at https://howsecureismypassword.net/

[2] Actually, not entirely meaningless – “Loki” is my cat’s name

[3] Though it’s probably irrelevant. Unless you’re a person of great interest to the hacking community if your login and password information gets stolen, it usually gets stolen in bulk together with millions of other users. It is unlikely that any human would look at your password.