I ran across the following rule many years ago in what looks like a student paper (PDF link) by a fellow named Bernie Thomas and posted on the SANS site. SANS is a security training organization. For sites where minimal security is a criterion, I tend to favor using this rule as it's generally easy for me to remember. For high security, I rely on 1Password to generate hard-to-crack passwords. However, I can only use 1Password on my MacBook at home, and cannot easily access its stored information on my Windows PC at work. Therefore, I prefer having a simple password-creation routine that I can use to access low- to minimum-security sites in both locations.
The paper dates from 2005 and it could be argued that the world it was created for has already passed. Google and now Dropbox are offering two-factor authentication to provide extra security for sites that can hold the keys to your online identity. However, if you don't have a password-generation program, Bernie's paper contains several different algorithms for generating personalized and tough-to-crack passwords.
The method relies on scrambling a word by adding numbers, capital letters, and special characters according to a set of input rules. By memorizing the input rules and a few tokens, you can create a medium to strong password for any site you visit.
The method has two parts, which Bernie lays out explicitly for generating logon passwords:
A. TOKEN CREATION
- Pick any special character you will always use with your password. Examples: !@#$%^&*+()=-;:'"~`][}{|><?/.,
- Pick a Secret Code: a 3- or 4-digit number you'll always remember. It could be a special date (such as an anniversary) or, if this is a password you have to change regularly, it could be the date you change the password.
- Pick a very simple Memory Cue that you will remember. This will be the root word for the password. It could be the name of the site (Yahoo, CNN, New York Times) or the application, etc.
B. CREATE THE PASSWORD
- Surround the root password with the special character.
- Insert the Secret Code number after the second character of the root word.
- Capitalize the first character after the Secret Code.
- Optional - If you're changing the password every 90 days, add the creation date to the end of the password. Use the calendar quarter and the year to create a 5-digit number. So Q1 of 2012 would generate 12012.
Here are some examples of these rules in action from Bernie's paper, one step at a time:
- Special character: @
- Secret Code: 4556
- Memory Cue (root word): Tim
- Surround the root word with the special character: @Tim@
- Insert the Secret Code after the second character of the root word: @Ti4556m@
- Capitalize the first character after the Secret Code: @Ti4556M@
- Optional: add the calendar quarter and year (Q1 of 2012): @Ti4556M@12012
For a Yahoo account:
- Special character: @
- Secret Code: 4556
- Memory Cue (root word): yahoo
- Surround the root word with the special character: @yahoo@
- Insert the Secret Code after the second character of the root word: @ya4556hoo@
- Capitalize the first character after the Secret Code: @ya4556Hoo@
- Optional: add the calendar quarter and year (Q1 of 2012): @ya4556Hoo@12012
So, for any new site I visit, I can generate a memorable password that has special characters, capital letters, and numbers and (generally) avoids any dictionary words in its components.
What if the site I'm on doesn't let me use special characters or imposes a character limit? I usually drop the special character and simply go as far as I can until I reach the character limit.
Again, the paper has many more examples of different ways to mix and match these rules. He includes different tweaks on the rules to generate passwords that are both simple to remember and difficult.