Ideally, this should not be an issue for you as you are using a different password on every site you use. However, in a recent survey of UK adults performed by Ofcom, it was revealed more than half of those surveyed used the same password on websites.
So, here’s a really simple way to use a different password for every website you use. It doesn’t require an app on your phone, it doesn’t require you to put all your passwords in the cloud and it takes less than 5 minutes to start using.
Simply, you use the website address (URL) to generate the password using a simple set of rules. I’ll list a couple of rules below, but you are free to come up with any rules you want.
To help with the explanation we’ll use Apple Computer (www.apple.com) as an example.
- Use the last letter of the website URL. (e.g. apple.com would be ‘e’)
- Use the last letter of the URL suffix / the TLD (e.g. apple.com would be ‘m’, bbc.co.uk would be ‘k’)
- Use the length of the domain name (e.g. apple.com would be 5)
- Use the first letter of the website URL (e.g. apple.com would be ‘a’)
- Use the second letter of the website URL (e.g. apple.com would be ‘p’).
- Use the entire TLD (e.g. apple.com would be ‘com’)
- Use the password version, starting at 1 and incrementing everytime the site has a security breach. So in the case of LinkedIn, it would be 3 as it’s had two security breaches now.
- 4 to 6 digits of random characters using upper case and characters and perhaps also the year. e.g AB14
So, let’s say for our scheme we used rules 1, 2, 3, 4 and 6. So, for apple.com your password would be:
and for dropbox.com it would be:
Simples. Every site has a different password. If one site leaks your password you are fine, as that password cannot be used on another site. Remember to write these rules down somewhere secure – NOT ONLINE!
It sounds painful, but once you get into the habit of it, it’s surprisingly easy to instantly know your regularly used passwords and quickly regenerate your less often used ones.
So additional important bits:
- Don’t use the rules I’ve laid out above in their exact form and order as otherwise everyone will have the same passwords! Pick and choose rules and use them in any order you want – but make sure the first rule is a lowercase letter as many sites don’t like passwords starting with a number, uppercase or special characters.
- Punctuation. Unfortunately there are still a lot of sites out there that don’t allow punctuation in your password which breaks this scheme, so potentially you might not want to use punctuation. The alternative is to not use those sites – which might be a good idea.
- Potentially use a lowercase letter as the first character of the password. Unfortunately some sites don’t allow passwords to start with uppercase, numbers or punctuation. Again, it’s questionable whether you should use such sites.
- Potentially, keep the password length below 12 characters. Yes, this sounds like madness given all the advice so far, but again, many sites for some reason have an upper limit on the length of passwords (which is in itself worrying as when you hash passwords they become a fixed length, so really you don’t care about the length of passwords unless you’re storing the actual passwords – but you’re not, right? Again, perhaps best not to use these sites.
Lastly, I’m not a security expert – others may have better advice. But this is the system I’ve been using for years and so far I’ve not met anyone who has a better solution.