James Wallis levels with you


The saddest thing I’ve read about the ongoing PS3 security debacle is the number of people who have said openly that they can’t remember what password they used for their Playstation Online account and therefore which of their other passwords they need to change now.

We all have squillions of passwords these days. Or maybe we have one password that we use for everything, in which case we are idiots. Or we have a system for remembering multiple passwords, like the one Martin Lewis is advocating right now. I like Martin Lewis’s system right up to the words ‘Note the password down’. Even if you’re writing them down in code, that’s still insecure and inconvenient.

I have a different system. Every time I need a new password I generate one on the fly using an algorithm in my head. Every password is different. Every password takes less time to generate than it does to type.

Here’s roughly how it works.

  1. You need a personal word or phrase. It should contain upper and lower case characters, and ideally digits and special characters as well. It should not be a dictionary word.
  2. You need a way of quickly deriving a non-intuitive word or phrase from the website. The name of the website backwards would do it, or the first six characters of the site name, but you can think of something better than that.
  3. You need a way of deriving a number or alphanumeric from (2) or a combination of (1) and (2), in your head, on the fly. It doesn’t need to be too complicated but it does need to be complicated enough that someone can’t glance at your password and immediately work out how the number was derived.
  4. You need to decide what order you type these in.

There you have a password generator. It will create nice long secure unique passwords. You will not need to write anything down. If you follow basic security protocols (1. never give your password to anyone or let anyone watch you type it in; 2. see 1.) you should be fine.
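The four steps above are a deterministic per-site derivation, and the comments below mention automated versions of the same idea. As an added example (my code, not the author's scheme and not any tool mentioned on this page), here is how that derivation looks when the "algorithm in your head" is replaced by standard cryptography: the personal phrase (step 1) is stretched with PBKDF2, the site name (step 2) and a rotation counter are fed through HMAC-SHA256 (step 3), and the result is mapped onto the allowed character set (step 4). The salt label, iteration count, special-character set and the `counter` parameter are my assumptions; the counter exists so that one leaked site password can be rotated without changing the master secret.

```python
import hashlib
import hmac
import string

# Character classes; the site's own policy decides which are allowed.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!#$%&*+-=?@^_"  # assumed set; trim it for sites that reject some symbols


def master_key(master_secret: str, salt: str = "password-scheme-v1") -> bytes:
    """Stretch the memorised secret (step 1) into a 32-byte key.

    PBKDF2 makes offline guessing of the secret expensive if one derived
    password ever leaks. The salt is a fixed scheme label, not a secret,
    so the same secret always yields the same key on every machine.
    """
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt.encode(), 200_000)


def site_password(key: bytes, site: str, counter: int = 0, length: int = 16,
                  allow_special: bool = True) -> str:
    """Derive the password for one site (steps 2 to 4).

    `site` is normalised so "Example.com " and "example.com" agree.
    `counter` is bumped when that single password must be rotated, e.g.
    after the site is breached, without touching the master secret.
    Because HMAC is one-way, a leaked site password reveals neither the
    key nor any other site's password.
    """
    alphabet = LOWER + UPPER + DIGITS + (SPECIAL if allow_special else "")
    classes = [LOWER, UPPER, DIGITS] + ([SPECIAL] if allow_special else [])
    limit = 256 - (256 % len(alphabet))  # rejection bound to avoid modulo bias
    # A few deterministic attempts until every required class is present.
    for attempt in range(256):
        label = f"{site.strip().lower()}|{counter}|{attempt}".encode()
        pw, block = "", 0
        while len(pw) < length:
            digest = hmac.new(key, label + block.to_bytes(2, "big"), hashlib.sha256).digest()
            block += 1
            for b in digest:
                if b < limit and len(pw) < length:
                    pw += alphabet[b % len(alphabet)]
        if all(any(c in cls for c in pw) for cls in classes):
            return pw
    raise RuntimeError("could not satisfy character-class policy")


if __name__ == "__main__":
    # Constructed demo secret; never reuse a phrase you have seen in print.
    key = master_key("correct-horse-Battery-staple-42!")
    print("shop   :", site_password(key, "shop.example"))
    print("bank   :", site_password(key, "bank.example", allow_special=False, length=12))
    # After a breach at shop.example, rotate only that one password.
    print("shop v2:", site_password(key, "shop.example", counter=1))
```

The practical difference from a mental scheme is the point raised in step 3: a human transformation of the site name has to stay simple enough to do in your head, so someone holding two or three of your passwords may be able to reverse it. With HMAC that reconstruction is not possible, and the remaining weak point is the master secret itself, which still has to be long and never typed where it can be observed.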

There are websites that limit the length of your password or won’t let you use special characters, and you should think carefully about whether you want an account with them, because they are insecure. If you find a bank website that puts an upper limit on the length of your password, then find another bank.

I look forward to being told where the flaw in my system lies.



  1. Gary Barker says:

    I have what I think is a simple method myself, it's called KeePass. Other password generation tools are available.

    It runs quietly on my PC (and my phone). The passwords are long, incomprehensible and I’d hate to have to type them in, but the application does that for me too. Any that I would actually need to say on a phone or type on a software keyboard I have to generate using a system akin to what you describe.

    You’ll also have to work out a way to backup the database, and how secure you need the backup to be. Personally I use 2 (3) separate databases, one for passwords I’m less bothered about and have that in a dropbox folder, and one that I have to manage myself but has passwords I really don’t want out in the aether. The 3rd database is my head and my password for the password databases, my main bank account passwords and a few others just stay in there :)

    • admin says:

      I’ve looked at various software-based solutions and there seem to be a few good programs out there, KeePass among them, but I tend to work across multiple machines and so I’d need a way to sync it between them, and I’m not sure I trust that.

  2. Yoz says:

    The system I’ve been using for the past few years is basically an automated version of what you describe:
    I also bookmark this mobile version on my phone:
    Both use Javascript on the client side, so my main password never goes over the wire. I don’t have a database of passwords to keep in sync, either.

    The main flaws in the problem come when you need to change passwords. Changing your main password isn’t *too* bad, it’s mainly a matter of remembering the old one so you can try it after the new one. If you want to change a bunch of passwords in one go, then having your browser remember your site passwords for you also helps greatly. (My Firefox profile is locked with a single master password)

    Changing a single site password is much more of a pain. Take the Sony example: your auto-generated password is now known to the attacker. The good news is that it doesn’t expose any of your other site passwords. The bad news is that you now need to come up with a *new* password for your PSN account – so you can’t use your scheme + standard password again.
