Generate a unique password per website or per domain name

Recently more and more cases have become public where login names (most of the time email addresses) and passwords have been stolen from big online services.

Only in the months of June and early July 2012 big web sites such as Linkedin, Last.fm, eHarmony, Yahoo, Nvdia and others have reported a security breach where user's login credentials had been stolen. These are only some of the known recent leaks, and the unreported number of cases is probably much higher.

Usually the stolen passwords are up for sale on certain web sites or forums and may be used by all sorts of shady characters. The worrying thing is that the stolen data sets contain the login name (most of the time an e-mail address) and the password in clear text. This means that the buyer of the data sets can not only login on the leaked web site but on every other web site where the same username and password pair was used. All the attacker has to do is to go through the list of login credentials and try each of them on the web site of his choice. This does indeed happen, for example with the free-mail provider GMX, again in July 2012.

It is therefore sensible to use a strong password which is unique for each web site. But how is it possible to memorise so many different passwords? The answer is simple: you memorise only one strong password and use it to come up with a different password for each website according to a pre-defined rule. I'll show how this technique works in the next paragraph.

How to memorise a different password for each web site

First, you need to find a strong password, that you can remember. This should contain lowercase and uppercase characters, some numbers and some special characters. Let's call this the "root" of your password. For the sake of argument let's say you choose "abc+123-XYZ" as the root password. This particular root is not a very strong one, but as an example for this page it will do.

Next, come up with a fixed rule how to combine some characters of the web site's domain name with your root to generate the final password. Again for the example, we chose the rule to take the first two letters from the domain name (the web site's name) and the first two letters from the top-level domain name (the .com, .net, .org part).

Then you mix those letters into your root password, for example using the first two letters of the domain name as start, then append the root password, followed by the first two letters of the top-level domain name.

Examples

Assuming that:

• the root password is: abc+123-XYZ
• the fixed rule is: take the first 2 letters from the domain name, then append the root password and finally append the last two letters from the top-level domain

then:

• the password for google.com would be goabc+123-XYZco
• the password for yahoo.in would be yaabc+123-XYZin
• the password for example.net would be exabc+123-XYZne

Some tips and possible solutions to common problems

If a site has different top level domains, such as gmx.de, gmx.net, then it is necessary to choose one preferred domain name and to use always that one.

If the website has many country codes, like amazon.com, amazon.co.uk, then you may apply the previous rule and to choose one domain name as the preferred one. An alternative approach (and many times not in conflict with the previous rule) is to consider the last two parts of the domain name as the top-level domain. For the domain amazon.co.uk you would consider .co.uk as the top-level domain. For cam.ac.uk, the string ac.uk would be considered as the top-level domain.

You can also include some letters from your login name in the rule to generate the password. In this way you can have multiple accounts on the same web site with different passwords each.

Don't make the rule too complicated to remember. It is better to use a simple but effective one.

If one website has been hacked and your password stolen, you have to change the password on that compromised site. For this you have to change the root password and/or the rules to generate the new password. This means you have to change your password in all sites you are registered with. But at least this method gives you the time to do so before someone else takes over some of your other accounts.

Some websites have very strict rules which characters may appear in a password, and which may not and how long or how short the password can or may be. These counterproductive rules restrict people from using secure passwords. I hope those control freaks who insist on stipulating how a password has to look like find a better use of their time and energy, for example ironing their underwear or sorting the bills in their wallet by ascending serial number or organising their bookshelf by word count.

Final disclaimer

This method does not protect from targeted attacks on your login. But it gives an additional level of protection against automated attacks from a database of stolen passwords, the majority of attacks today.