It’s 10 O’Clock – Where is Your Password?

Posted by on Dec 13, 2010 | 2 Comments

“Gawker advises password changes.” That is the headline on today’s newspaper. Coming on the heels of problems suffered by several of my clients, this event prompts me to consider again the whole issue of how to advise clients about password protection.

In the first place, many clients stubbornly refuse to put a password on their Windows account. In addition, they always log on as an administrator, even when using a public Wi-Fi hotspot. Many have a single password they use for everything that requires one. As the Gawker article points out, this can be disastrous: if one site is compromised, the bad guys can try that same password at other sites and log on as you.

And I have been guilty of such behavior in the past. There was no way I was going to remember all the passwords I would need if every account had a different one. Even worse, I opted for a short password to avoid extra keystrokes. So I am sympathetic to my clients, but still concerned about their safety.

The cure for me was to convert from a password to a passphrase: that is, from a single word to something more like a short phrase. Including numbers in the passphrase is good; texters do this automatically. So for maybe a few extra keystrokes the password is stronger, but it is still not unique for each application. How to customize it for each use?

For me the solution is to append to the passphrase another short string based on the site being used. Suppose your passphrase is "Mary8alambs2", which reminds you of Mary having a little lamb. Then the world is your oyster for picking a suitable combination to append. Suppose you want to log on to Facebook: you might decide to append the first two letters, "Fa", but that would be rather obvious, so you could shift them alphabetically one place so that "Fa" becomes "Gb". Your password for Facebook would then be Mary8alambs2Gb, which most sites would rate as strong. All you have to remember is the basic passphrase and the algorithm that generates the letters to append to it.
There is no best algorithm for generating the unique passwords, but whatever you use should be simple and obvious to you. It should also be connected only to the site where you are logging on; otherwise you are back to trying to remember individual passwords rather than regenerating them as needed. One caveat: the site-specific part is only two letters, and the long base is shared by every account, so anyone who recovers one of your generated passwords from a breached site has the base and then only has to guess a simple suffix rule to reach your other accounts. The scheme buys uniqueness against automated reuse of a leaked password, not against someone who studies it.
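The scheme from the two paragraphs above, written out as an added Python example (this is not the author's code). The post does not say what happens at the end of the alphabet, to capitals, or to digits in a site name, so the shift here wraps z to a, keeps case, and leaves non-letters alone; those are assumptions. The `recover_base` function is the check a practitioner would want alongside it: it shows what someone who has seen one derived password and knows the site name can get back.

```python
"""Base passphrase + site-derived suffix, as described in the post.
Added illustration, not the author's code. The wraparound, case handling
and non-letter handling below are assumptions the post does not spell out.
"""
import string
from typing import Optional

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def shift_letter(ch: str, shift: int = 1) -> str:
    """Shift one ASCII letter alphabetically, wrapping z->a and keeping case.
    Non-letters come back unchanged (assumption: only letters are shifted)."""
    for alphabet in (LOWER, UPPER):
        if ch in alphabet:
            return alphabet[(alphabet.index(ch) + shift) % 26]
    return ch


def site_suffix(site: str, letters: int = 2, shift: int = 1) -> str:
    """Take the first `letters` characters of the site name and shift each.
    'Facebook' -> 'Fa' -> 'Gb', exactly as in the post."""
    return "".join(shift_letter(c, shift) for c in site[:letters])


def derive_password(base: str, site: str, letters: int = 2, shift: int = 1) -> str:
    """Append the site-derived suffix to the shared base passphrase."""
    return base + site_suffix(site, letters, shift)


def recover_base(leaked: str, site: str, letters: int = 2, shift: int = 1) -> Optional[str]:
    """The caveat, made concrete: given one derived password and the site it
    came from, stripping the expected suffix yields the base passphrase, and
    with it every other account's password. Returns None if the tail of
    `leaked` does not match the suffix this rule would produce."""
    suffix = site_suffix(site, letters, shift)
    if leaked.endswith(suffix):
        return leaked[: -len(suffix)]
    return None


if __name__ == "__main__":
    base = "Mary8alambs2"  # the post's own example passphrase
    for site in ("Facebook", "Gawker", "Zynga"):  # constructed sample sites
        print(f"{site:10s} {derive_password(base, site)}")
    # What a single leaked password gives away:
    leaked = derive_password(base, "Gawker")
    print("recovered base:", recover_base(leaked, "Gawker"))
```

Running it prints `Mary8alambs2Gb` for Facebook, `Mary8alambs2Hb` for Gawker and `Mary8alambs2Az` for Zynga (the Z wraps to A), and then recovers `Mary8alambs2` from the Gawker password alone.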

This method also has built into it a way of updating passwords as needed: either change the first part or the last. Then, in the transition period when you might not be sure which version to use, you will likely have only one false entry. If the old one does not work, use the new one.

Do you have a different method of generating unique passwords in a way that does not require keeping a list?

  • http://thirdworldcounty.us David

    “Do you have a different method of generating unique passwords in a way that does not require keeping a list?”

    No. Yours isn’t all that bad, but I prefer making really strong passwords I can remember out of songs I know (in various languages)–just the first letters of some verse, with varied upper/lowercase letters and the occasional numeral or symbol subbing for a letter where it makes sense to me. While I can generally remember these, I do keep a hardcopy in my safe and use LastPass to manage them, since they generally run 50-70 characters in length. :-)

    http://lastpass.com/

  • Pingback: Fresh From Twitter | Itssotechie