Consider the password, the most basic form of user authentication. Passwords are fairly effective at their job, but unfortunately the human mind is fallible and often forgets them. That is not the password's fault, but the password ends up being the victim.
A "good" password is one that is memorable, hard to guess, and unique. That way an attacker is unable to get into your account, and just in case they DO get access, they won't be able to use that password elsewhere. But the classic case is someone writing their password on a sticky note and using that same password for every site they visit. This is problematic because it degrades the quality of the password. You can hardly blame such a person though, since memorizing 100 different passwords is a pain, and this is so much easier!
I propose a different way of thinking about passwords that removes the need for this kind of behavior while keeping all of the qualities of a "good" password: password rules.
Instead of keeping a single password or many passwords, a person instead keeps a basic set of rules for formulating a password, which they use everywhere and tell to nobody. As an example, I would like to introduce Bob. Say hi to Bob!
Bob is about to make his first ever internet account! He's making it at a little site called "opossum.fans". However, Bob knows about the problems surrounding passwords and is worried he might make a bad one...
Luckily, we are going to help him make a set of password rules that will keep his passwords safe without needing to write them anywhere! (Not even in a password manager!)
The first step is to create a base password: a string that is guaranteed to satisfy the login requirements of most sites. We know that many sites have strict requirements on what a password must contain. Frankly, all of them are misguided since it's only password length that matters, but it's something we have to contend with anyway.
Most sites require the following, or less:
- Your password must contain a capital letter.
- Your password must contain a number.
- Your password must contain a special character.
- Your password must be at least 12 characters long.
While this isn't really a rule per se, it is important to our password rules, so let's call it Rule 0. As stated before, it should be something memorable. Let's go ahead and see what Bob has cooked up for his base password!
MySuperDuperSecretPassword!!$321
Hey! Not half bad! And it checks all the boxes we want!
So what next? Now we need to make this password unique for every website we visit, using a number of different rules. It's important to note that these rules should never be shared with anyone, ever, just like a regular password, but Bob is okay with showing us his as an example since he won't exist after you click off this page.
Due to the creative nature of these password rules, there's no definite "best" number of rules to use. But at the very least, the rules should not share input domains! What do I mean by this? Well, you can think of these rules like functions.
We put the URL of the site we are on in one side, and out the other comes our password for this site. So Rule 0 may be thought of as "always returning" the base password no matter what URL you input. But still, what do I mean by "input domains"? Well, there are many ways to describe a URL. We can describe it by its top level domain (such as .com or .org), we can describe it by the number of characters it has, and so on and so forth. Let's go ahead and make Rules 1 and 2 and see what I mean.
Rule 0: The base password is MySuperDuperSecretPassword!!$321.
Rule 1: If the domain has an even number of characters, change "My" to "Your". Otherwise, add "Wowza!" to the end of the password.
Rule 2: If the top level domain is .com, change the 'S' in "Super" to a 'C'. If the top level domain is .org, change the "321" to "123". Otherwise, change "Duper" to "Booper".
In this case, Rule 1 makes changes according to whether the domain's length is even or odd. Then, Rule 2 makes changes according to the top level domain. Therefore, Rule 1 and Rule 2 aren't stepping on each other's toes. They are independent of each other. But let's add a third rule that demonstrates a rule that is NOT independent.
Rule 0: The base password is MySuperDuperSecretPassword!!$321.
Rule 1: If the domain has an even number of characters, change "My" to "Your". Otherwise, add "Wowza!" to the end of the password.
Rule 2: If the top level domain is .com, change the 'S' in "Super" to a 'C'. If the top level domain is .org, change the "321" to "123". Otherwise, change "Duper" to "Booper".
Rule 3: If the length of the domain is divisible by 3, add "CuteKitten". Otherwise, add "CutePuppy".
This is not good! Rule 1 and Rule 3 are now linked together! They both operate on the length of the domain name, so their results will be repetitious together over many sites. This makes Bob very sad that these password rules aren't at their best, so let's fix Rule 3.
Rule 0: The base password is MySuperDuperSecretPassword!!$321.
Rule 1: If the domain has an even number of characters, change "My" to "Your". Otherwise, add "Wowza!" to the end of the password.
Rule 2: If the top level domain is .com, change the 'S' in "Super" to a 'C'. If the top level domain is .org, change the "321" to "123". Otherwise, change "Duper" to "Booper".
Rule 3: If the first letter of the domain is a letter A-M, add "CuteKitten". Otherwise, add "CutePuppy".
That's much better! Now our password rules for Bob are completely independent of each other. As you can see, this will create very distinct passwords for many sites, but I don't think these are quite good enough yet. After all, opossum.fans and opera.fans will both end up with the same password. So, let's add two more rules just to reduce the number of password collisions.
Rule 0: The base password is MySuperDuperSecretPassword!!$321.
Rule 1: If the domain has an even number of characters, change "My" to "Your". Otherwise, add "Wowza!" to the end of the password.
Rule 2: If the top level domain is .com, change the 'S' in "Super" to a 'C'. If the top level domain is .org, change the "321" to "123". Otherwise, change "Duper" to "Booper".
Rule 3: If the first letter of the domain is a letter A-M, add "CuteKitten". Otherwise, add "CutePuppy".
Rule 4: If the last letter of the domain is a letter A-M, add "Spiderman". Otherwise, add "Superman".
Rule 5: Append the first letter of the domain to the front of the password as a capital letter.
Note that Rule 4 does not collide with Rule 3's input domain, since it operates on a different letter position in most cases. (x.com might have some trouble, but cases like these are uncommon.) I think these rules should be enough to make a unique password on all of the sites that Bob will visit. And they are memorable since they are actual English sentences, and Bob will be recalling them on every site he visits with a login. Not to mention all these variations will be hard to guess! Look how happy he is about this information!
Finally, let's see what Bob's password would be on opossum.fans:
Apply Rule 0
Rule 0: The base password is MySuperDuperSecretPassword!!$321.
MySuperDuperSecretPassword!!$321
Apply Rule 1. "opossum" has an odd number of characters, so we add "Wowza!"
Rule 1: If the domain has an even number of characters, change "My" to "Your". Otherwise, add "Wowza!" to the end of the password.
MySuperDuperSecretPassword!!$321Wowza!
Apply Rule 2. The top level domain is .fans, so we'll change "Duper" to "Booper"
Rule 2: If the top level domain is .com, change the 'S' in "Super" to a 'C'. If the top level domain is .org, change the "321" to "123". Otherwise, change "Duper" to "Booper".
MySuperBooperSecretPassword!!$321Wowza!
Apply Rule 3. 'O' is after 'M', so we'll add "CutePuppy"
Rule 3: If the first letter of the domain is a letter A-M, add "CuteKitten". Otherwise, add "CutePuppy".
MySuperBooperSecretPassword!!$321Wowza!CutePuppy
Apply Rule 4. The last letter 'm' falls within A-M, so we'll add "Spiderman"
Rule 4: If the last letter of the domain is a letter A-M, add "Spiderman". Otherwise, add "Superman".
MySuperBooperSecretPassword!!$321Wowza!CutePuppySpiderman
Apply Rule 5. Simply add 'O' to the front.
Rule 5: Append the first letter of the domain to the front of the password as a capital letter.
OMySuperBooperSecretPassword!!$321Wowza!CutePuppySpiderman
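To make the "rules as functions" idea concrete, here is an added Python implementation of Bob's Rules 0-5 exactly as stated above, together with a check of the base password against the four common site requirements and a small collision check over a constructed list of domains. This is example code written for this page, not something from the original post. It assumes a way of reducing a URL to a (domain, TLD) pair that the post never spells out: the TLD is the last dot-separated label and the "domain" is the label just before it, so accounts.example.com is treated as example.com. The sample domain list is constructed; running the collision check on it shows that opossum.fans and opera.fans still produce the same password even with Rules 4 and 5, because both start with 'o' and both end with a letter in A-M.

```python
import re
from collections import defaultdict

# Bob's Rule 0 base password, as given in the post.
BASE_PASSWORD = "MySuperDuperSecretPassword!!$321"


def meets_common_requirements(password: str) -> bool:
    """Check the four requirements the post lists for most sites:
    a capital letter, a number, a special character, and at least 12 characters."""
    return (
        any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
        and len(password) >= 12
    )


def split_host(site: str) -> tuple[str, str]:
    """Reduce a URL or host name to (domain, tld).

    Assumption (not stated in the post): the tld is the last label and the
    domain is the label right before it, so 'https://accounts.example.com/login'
    gives ('example', 'com')."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", site.strip().lower())
    host = host.split("/")[0].split(":")[0]
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"need at least domain.tld, got {site!r}")
    return labels[-2], labels[-1]


def in_a_to_m(ch: str) -> bool:
    # Rules 3 and 4 ask whether a letter is in A-M; anything that is not a
    # letter (digits, hyphens) falls into the "otherwise" branch.
    return "a" <= ch.lower() <= "m"


def derive_password(site: str, base: str = BASE_PASSWORD) -> str:
    """Apply Bob's Rules 0-5, in order, to the site's domain and tld."""
    domain, tld = split_host(site)
    pw = base  # Rule 0: start from the base password.

    # Rule 1: even domain length changes "My" to "Your", odd appends "Wowza!".
    if len(domain) % 2 == 0:
        pw = pw.replace("My", "Your", 1)
    else:
        pw += "Wowza!"

    # Rule 2: .com changes the 'S' in "Super" to 'C', .org changes "321" to
    # "123", anything else changes "Duper" to "Booper".
    if tld == "com":
        pw = pw.replace("Super", "Cuper", 1)
    elif tld == "org":
        pw = pw.replace("321", "123", 1)
    else:
        pw = pw.replace("Duper", "Booper", 1)

    # Rule 3: first letter of the domain in A-M adds "CuteKitten", else "CutePuppy".
    pw += "CuteKitten" if in_a_to_m(domain[0]) else "CutePuppy"

    # Rule 4: last letter of the domain in A-M adds "Spiderman", else "Superman".
    pw += "Spiderman" if in_a_to_m(domain[-1]) else "Superman"

    # Rule 5: the first letter of the domain, capitalised, goes on the front.
    return domain[0].upper() + pw


def find_collisions(sites: list[str]) -> dict[str, list[str]]:
    """Group sites whose derived passwords are identical (the collision check)."""
    groups = defaultdict(list)
    for site in sites:
        groups[derive_password(site)].append(site)
    return {pw: hosts for pw, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    print("base password meets common requirements:", meets_common_requirements(BASE_PASSWORD))
    print("opossum.fans ->", derive_password("opossum.fans"))
    # Constructed sample list, chosen to exercise every branch of Rules 1-4.
    sample = ["opossum.fans", "opera.fans", "example.com", "x.com", "github.com", "wikipedia.org"]
    for pw, hosts in find_collisions(sample).items():
        print("collision:", hosts, "->", pw)
```

Running this reproduces the walkthrough above for opossum.fans. The collision check is the part worth keeping around when designing your own rule set: feed it the domains you actually log in to and see whether any of them map to the same password before settling on the rules.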
Quite the hefty password! Quite secure! Now, this is only an example set of password rules; for yourself, you can make much simpler rules than Bob has. Do whatever you can remember best. You probably shouldn't use any of the rules shown here. Rules like Rule 5 that lift text directly out of the domain are good for simplicity and memorability, but they should not make up the entire rule set.
Using this technique, Bob is feeling very secure in his passwords, and I think you might too!