Yet another password creation rule

The paper dates from 2005 and it could be argued that the world it was created for has already passed. Google and now Dropbox are offering two-factor authentication to provide extra security for sites that can hold the keys to your online identity. However, if you don't have a password-generation program, Bernie's paper contains several different algorithms for generating personalized and tough-to-crack passwords.

The method relies on scrambling a word by adding numbers, capital letters, and special characters according to a set of input rules. By memorizing the input rules and a few tokens, you can create a medium to strong password for any site you visit.

The method Bernie lays out for generating logon passwords has two parts:

A. TOKEN CREATION

  1. Pick any special character you will always use with your password. Examples: !@#$%^&(*+)=-;:'"~`][}{|><?/.,
  2. Pick a Secret Code: a 3- or 4-digit number you'll always remember. It could be a special date (such as an anniversary) or, if this is a password you have to change regularly, it could be the date you change the password.
  3. Pick a very simple Memory Cue that you will remember. This will be the root word for the password. It could be the name of the site (Yahoo, CNN, New York Times) or the application, etc.

B. CREATE THE PASSWORD

  1. Surround the root password with the special character.
  2. Insert the Secret Code number after the second character of the root word.
  3. Capitalize the first character after the Secret Code.
  4. Optional - If you're changing the password every 90 days, add the creation date to the end of the password. Use the calendar quarter and the year to create a 5-digit number. So Q1 of 2012 would generate 12012.

Here are some examples of these rules in action from Bernie's paper, with the three tokens followed by each step of Part B:

  • Special character: @
  • Secret Code: 4556
  • Memory Cue (root word): Tim
  • Step 1 (surround with the special character): @Tim@
  • Step 2 (insert the Secret Code after the second character): @Ti4556m@
  • Step 3 (capitalize the first character after the code): @Ti4556M@
  • Step 4 (optional, append Q1 2012 as 12012): @Ti4556M@12012

For a Yahoo account, using the same tokens:

  • Special character: @
  • Secret Code: 4556
  • Memory Cue (root word): yahoo
  • Step 1: @yahoo@
  • Step 2: @ya4556hoo@
  • Step 3: @ya4556Hoo@
  • Step 4: @ya4556Hoo@12012

So, for any new site I visit, I can generate a memorable password that has special characters, capital letters, and numbers and (generally) avoids any dictionary words in its components.

What if the site I'm on doesn't let me use special characters or imposes a character limit? I usually drop the special character and simply go as far as I can until I reach the character limit.
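To make the rules concrete, here is the token and password construction from Parts A and B, plus the fallback just described for sites that reject special characters or cap the length, written as an added example; this is my own code, not from Bernie's paper, and the `Tokens` and `build_password` names are my choice. It reproduces the Tim and Yahoo examples above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tokens:
    """Part A of the method: the tokens you memorize once and reuse everywhere."""
    special: str      # A1: a single special character, e.g. "@"
    secret_code: str  # A2: a 3- or 4-digit number, e.g. "4556"

    def __post_init__(self):
        if len(self.special) != 1 or self.special.isalnum():
            raise ValueError("special must be exactly one non-alphanumeric character")
        if not (self.secret_code.isdigit() and len(self.secret_code) in (3, 4)):
            raise ValueError("secret code must be a 3- or 4-digit number")


def quarter_suffix(quarter, year):
    """B4: calendar quarter + year as a 5-digit number, e.g. Q1 of 2012 -> '12012'."""
    if quarter not in (1, 2, 3, 4):
        raise ValueError("quarter must be 1, 2, 3 or 4")
    return f"{quarter}{year:04d}"


def build_password(tokens, cue, quarter=None, year=None,
                   allow_special=True, max_len=None):
    """Part B applied to a Memory Cue (A3), the site or application name.

    The surround step (B1) is applied last so that a cue shorter than three
    characters still keeps the code inside the special characters.
    """
    # B2: insert the Secret Code after the second character of the root word.
    head, tail = cue[:2], cue[2:]
    # B3: capitalize the first character after the Secret Code.
    tail = tail[:1].upper() + tail[1:]
    # B1: surround the root word with the special character.
    password = tokens.special + head + tokens.secret_code + tail + tokens.special
    # B4 (optional): append the creation quarter and year for rotated passwords.
    if quarter is not None and year is not None:
        password += quarter_suffix(quarter, year)
    # Site restrictions, handled as in the post: drop the special character,
    # then keep only as many characters as the site allows.
    if not allow_special:
        password = password.replace(tokens.special, "")
    if max_len is not None:
        password = password[:max_len]
    return password


if __name__ == "__main__":
    t = Tokens("@", "4556")
    print(build_password(t, "Tim", 1, 2012))    # @Ti4556M@12012
    print(build_password(t, "yahoo", 1, 2012))  # @ya4556Hoo@12012
```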

Again, the paper has many more examples of different ways to mix and match these rules. He includes several tweaks on the rules for generating passwords that are both easy to remember and difficult to crack.