Creating a Secure Password Scheme

From Andrew Riley
Revision as of 09:14, 11 November 2018 by Dandrewriley (talk | contribs) (Created page with "'''Creating a simple, secure password scheme is easier than you think, and probably more important.''' In general, people choose really bad, easily hackable passwords. Fil...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Creating a simple, secure password scheme is easier than you think, and probably more important.

In general, people choose really bad, easily hackable passwords.


Because hackers have been able to hack into popular websites (Yahoo, Target, and eBay just to name a few) there are now lists of common passwords available for anyone who wants to see them. Lists of the most common passwords along with the common variations. What does that mean for you and I? It means that simple passwords are nearly as bad as no password at all.

So we need a strong, complex password, right? Instead of using “letmein”, we memorize something complex like, “P~ZUr.x’bZohk” and then we never have to worry about it again. Well, not exactly. Having a strong, complex password is important, but it doesn’t do you any good when your favorite website gets breached. Once a bad guy has your one password, he has access to every website and service where you use that password. So you have to have a different password, a strong and unique one, for every website and service.

You might be thinking, “there’s no way I’m going to remember a different password for every site!” It would be nearly an impossible task to remember “Rdj~O|ou;$)X” and “Blwkgr}’!A” and “Xp&^^\GWa=|^uo1” and a hundred others.

By creating a password scheme, you can have a strong, complex password for each and every website and service. You won’t have to write them down, and it will be simple to create a new password on the fly, and remember that password tomorrow or two years from now.

It’s pretty easy, and I’ll show you how.

Our Objectives:

  1. Passwords must be complex enough to be secure.
  2. Passwords must have upper and lower case letters, number and special characters.
  3. Each website or service must have a unique password.
  4. All passwords must be so easy to remember that they don’t need to be written down.

As we go through the steps to create our scheme, I will test the password at Speedy Password and show how long it would take to crack it. It might be useful to use a paper and pencil as you create your scheme.

Step 1: Choose a Word You Will Remember

  • It must be a word you will remember
  • Try to think of an word that people wouldn’t quickly guess
  • It can be multiple words (stopsign, gooseneck, bigreddog) as long as it’s easy for you to remember

When I was young there were commercials on the television for a horse racing track called “Aksarben”, which is just “Nebraska” spelled backward. It’s gone now, but it was an odd word, and has stuck with me. I’ll use Aksarben for my example.

aksarbenA hacker could crack this in 1 minute.

Step 2: Capitalize the first letter

Many websites and services require at least one capital letter in a password. So let’s just make the first letter upper case.

AksarbenA hacker could crack this in 5 hours. Terrible.

Step 3: Alter the word

Any common word or name is bad, and my word, while not in the dictionary, is all over the internet. So let’s replace a letter with one or two special characters. Special characters are things like: ! @ # $ % ^ & *

Change a letter or two in your word. It doesn’t have to be clever, it just needs to make sense to you and be easy for you to remember. Some examples…

  • i could become !
  • a could become @ or /\
  • q could become ?
  • o could become ()
  • x could become %

I’m going to change the “s” to a dollar sign. That’ll be easy for me to remember.

Ak$arbenA hacker could crack this in 10 days. We can do better.

Step 4: Let’s make every password unique, while also making it exponentially stronger

Here’s where the magic happens. Every website and service has a unique name. So let’s take advantage of that. This is where you can get creative.

For our example, the first place we’re going to use our password scheme is facebook. We have the letters in the word “facebook” to work with, and also the number of characters in the name – “facebook” is 8 characters long. We will use that information for our scheme. Some possibilities are…

*ace8 – the second through fourth letters + the number of characters
*ko88 – the last two letters, reversed + the number of characters two times
*f8k – the first letter + the number of characters + the last letter
*8ok – the number of characters + the last two letters (This is what I’ll do in my scheme)

Feel free to use one of my examples, or make up one of your own. There are countless options here. Whatever scheme you decide on commit it to memory and simply add the results to the end of your password. This gives you a unique password for every site:

*Ak$arben8ok – Facebook
*Ak$arben6on – Amazon
*Ak$arben5oo – Yahoo
Ak$arben8okA hacker could crack your password in 57,337 years. I’d call that secure.

Step 5: Supercharge It!

Punctuate your password! Add an exclamation point, or a question mark, or a period (whatever) to the end. Add two and look what happens!!

Ak$arben8ok!With one extra punctuation mark, a hacker could crack your password in…. 538,9762 YEARS!
Ak$arben8ok!!With two, a hacker could crack your password in… 50 MILLION YEARS!!


It might take you a couple of times using it to commit your scheme to memory, but very quickly it will become second nature and soon you’ll barely have to think about it. Again, I’ve been using a scheme like this for many years.

Now, if a website you use becomes compromised, and your password is on a list – but it’s not going to make any sense to the hackers and that single password won’t give them access to any other account you have on other websites.

My goal here was to show you how to create a system, not to create a system for you. Create as simple or complex a password scheme as your brain can handle. The scheme I use produces some crazy looking passwords and would be hard to explain, but it’s based on the system I’ve described and it makes sense to me. That’s the important thing here: The system you create should be one that makes sense to you so that you will remember it.


What about a situation (like at work) where you have to change your password every month, three months, or whatever?
Just add something easy to remember to the end, such as the month and year or season and year – whatever makes sense for the situation.
Ak$arben8ok!!sep18 (You can change this monthly)
Ak$arben8ok!!fall2018 (Good for a three month cycle)
What do I do when (random website) gets hacked and they force me to change my password?
Easy. Use your password scheme, and an * asterisk to the end – or the number 2 – or a sad face because you’re sad that they got hacked. As with every step we went through above, choose something easy to remember. (I always forget to add my asterisk when I go to those websites and have to type it in a second time with the asterisk, which costs me about three seconds.)
Should I Use A Password Managers?
That's up to you. But you’ve created a password scheme, so you really don't need it.
I like the way you think! Tell me, Andrew, is there more I can do?
Oh yeah there is! You can literally have a unique password and a unique email address for each site or service. It isn’t free, and it takes time for the initial set up, but it’s basically the most awesome thing ever. Here’s a quick oversimplification of how that’s done. Friends… contact me if you want to do this and need help.
*Go to and register your own domain name. ($15/year)
*Go to and sign up for an account. Get the Professional account. ($8/month)
*In ProtonMail, add an email address using the domain you registered in step 1. Make it a catch-all.
*Follow the instructions that ProtonMail provides for changing your settings in GoDaddy to make email work with ProtonMail.
*Wait up to 48 hours (it usually takes five minutes) for the changes to take effect.
*Once that’s done, you can use a unique email address for each thing [] and it will come to your inbox.
*BONUS: You can easily identify (and filter or block) email by the address it’s sent to, which is great for stopping spam!
How can I get in touch with you to tell you how you’re wrong, that you’re stupid, or just how much I hate you?
Everybody knows that Twitter is the best place to strike me down with all your hatred and complete your journey to the dark side. @dandrewriley

More Resources

Perfect Passwords
You wanna get super nerdsy-like? This is the place for your maximum entropy, cryptographically-strong nerd-fu passwords. Good luck remembering them.
Speedy Password
See how long it will take to a hacker to crack your passwords.

Obligatory Disclaimer: The author has made every effort to ensure the accuracy of the information within this article was correct at time of publication. The author does not assume and hereby disclaims any liability to any party for any loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from accident, negligence, or any other cause.