How I Generate My Passwords, and Why, Fuck You Apple

What is much more problematic than using a weak password is using the same password in multiple places.

There’s a gigantic issue with using a new password for each site that you go to, though: you have to memorize that many passwords. You could use a scheme where you use the same base password and then append the name of the site to the end, but that’s really not more secure than just using the same password in each site.

You could decide to use one of those password managers that exist out there. Personally, I find myself unable to believe that I could just trust some external entity with all my passwords and have an expectation they’re all alright. Oh wait, I’m not even paranoid.

Here’s how I generate my passwords. This scheme is actually memorable, and actually produces significantly different passwords.

Here’s all you need to memorize to cover every website whose password you care about: a string, a hierarchy, and a function.

(Also, there are definitely places you don’t care about your password. Some of them send you your password in plaintext. Don’t even bother making a secure password in those cases.)

1. The String

Any string whose length is at least some moderately large number.


, for example, is an excellent string. It doesn’t matter that you don’t understand any particular patterns in the string, because there are only 12 characters in it, and you can easily memorize just one string of 12 random characters.

2. The Hierarchy

Memorize an ordered sequence of elements of a website. For example, your hierarchy might be [“the contents of the first <div> in the body”, “the last piece of text on the page that isn’t black”, …]. Hopefully the website is archived on the Internet Archive, so that if the page changes, you can check how it looked when you created your account.

Whenever you visit a website, the element that you choose to incorporate into your password is the first item on your hierarchy that exists; for instance, in the case above, if the site has no <div>s in the body, use the last piece of text on the page that isn’t black, and if that doesn’t exist either, use the next item.

Make your hierarchy such that if a website has zero of the items in your hierarchy, then this website is necessarily something you care about little enough that you don’t care for the security of your password.

3. The Function

Memorize a function that takes in two strings and outputs a third string. You could make the output alphabet just English keyboard characters (and in practice this may unfortunately be what you should get), but really if a website handles passwords properly it shouldn’t be a problem if one of the characters in your password is ጓ or 煱. (Why not learn some Unicode numbers?) A function as simple as bitwise XOR (with some mechanism of padding for strings of unequal length) probably works for these purposes, but you could go for a more elaborate one if you want to.

4. Generating Your Password for a Website

You’ve memorized a string. You’ve memorized a hierarchy. Find the relevant string in the element your hierarchy selects for the website. You’ve memorized a function. Apply the function to two arguments: your memorized string and the string you found in that element. That’s your password for the website.
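The whole procedure in sections 1 to 4, as an added example that is not code from the original post. The secret string, the tag-name hierarchy, the sample page, the cyclic padding rule and the fold into keyboard characters are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from itertools import cycle

SECRET = "q7#Lm2xVp9Rt"  # constructed stand-in for the memorized 12-character string
HIERARCHY = ["div", "footer", "p"]  # hypothetical hierarchy: first text in each tag
# Constructed sample page, not a real site.
PAGE = "<html><body><p>Welcome back</p><footer>Example Corp 2014</footer></body></html>"

class FirstText(HTMLParser):
    """Record the first non-blank text seen directly inside each tag name."""
    def __init__(self):
        super().__init__()
        self.stack, self.first = [], {}
    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)
    def handle_endtag(self, tag):
        while tag in self.stack and self.stack.pop() != tag:
            pass
    def handle_data(self, data):
        if self.stack and data.strip():
            self.first.setdefault(self.stack[-1], data.strip())

def select_element(page, hierarchy, skip=0):
    """First hierarchy item present on the page; skip=1 is the next one (after a leak)."""
    parser = FirstText()
    parser.feed(page)
    found = [parser.first[t] for t in hierarchy if t in parser.first]
    return found[skip] if skip < len(found) else None

def xor_pad(a, b):
    """XOR code points, repeating the shorter string (one possible padding rule)."""
    if len(a) < len(b):
        a, b = b, a
    return [ord(x) ^ ord(y) for x, y in zip(a, cycle(b))]

def to_keyboard(values):
    """Fold each value into printable ASCII 33..126."""
    return "".join(chr(33 + v % 94) for v in values)

def password(page, hierarchy, skip=0):
    element = select_element(page, hierarchy, skip)
    if element is None:
        return None  # none of the items exist: a site the post says not to care about
    return to_keyboard(xor_pad(SECRET, element))

def unmask(values, element):
    """XOR is its own inverse: raw output plus the public element yields the other input."""
    return "".join(chr(v ^ ord(c)) for v, c in zip(values, cycle(element)))
```

If the raw XOR values are used as the password, `unmask(xor_pad(SECRET, element), element)` returns the memorized string, so when picking the "more elaborate" function it is worth choosing one that cannot be undone from its output and the public page text.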

5. My password is awful!

Practice it. Muscle memory is a beautiful thing and will eventually come. Although the process of computing your password once might be steeply strenuous, you’ll eventually remember it and not need to recompute it every time you sign in somewhere.

Where this helps: previously, you just forgot your different passwords. Now, when you forget a password, you can tell the people next to you that you need to use the restroom, find a room, recompute your password, and come back.

Notice that even if someone else has discovered one of your passwords, they’re still utterly clueless as to what your other passwords are.

And what do you do to replace that password once you’ve leaked it? Just make a new password using the next item down on your hierarchy for the website. No need to take the moment to fret about having a password scheme that can only give you one nice password.

(Fun fact: you could View Source on a page and easily avert someone standing next to you figuring out which part of the HTML you’re looking at.)

So in conclusion:

6. My password is awesome!

Just remember not to accidentally name one of your stuffed animals your password.

But now the real conclusion:

7. Fuck you, Apple

(Oh hey, I just said “Fuck you, Apple” next to the number 7.)

Apple, like other places that demand that your password satisfy certain constraints, such as containing a number, incentivizes people who are actually using secure password schemes to use a less secure password, because without their scheme it would be way too difficult for them to memorize a password of reasonable entropy. Heck, it’s often harder to memorize the unique Apple password of much lower entropy than the ones delivered by the scheme, because one memorizes the latter via memorizing the scheme, not each password individually. It’s quite reasonable to expect that your scheme will sometimes fail to output a string containing at least one character of a particular character category.

Some websites claim that they allow their passwords to have symbols, but don’t allow all the symbols, and sometimes don’t even allow some symbols on the keyboard.

All of these situations force a break from the scheme, causing passwords to end up less secure due to the extra effort needed to remember them.

And this doesn’t just apply to people who have a password scheme. People who do not use a password scheme will, more likely than not, just trivially modify their passwords to fit new requirements.

Password restrictions are security theater. Password restrictions mean less secure passwords. Tech companies and websites: please stop putting restrictions on characters allowed or necessary in passwords.

