Security Simplified: The Base+Suffix Method for Memorable Strong Passwords

February 19th, 2009

keysIt’s the classic problem of having “too many keys”.  You have accounts on many different web sites.  Some are small and relatively insignificant, from a security point of view, like blogs or shopping sites.  Some are large and sensitive, like banking and PayPal accounts.  Since unified login mechanisms like OpenID are not yet pervasive, you must remember the usernames and passwords for every single site.  This is a truly daunting task.

Ideally, you would like to use passwords that are “strong” (i.e. very good, not easily guessable) and different for every site.  However, how can you remember each secure and unique password without resorting to a “cheat sheet”?

What is a “strong” password?

A “strong” password is one that cannot be guessed either by automated means or by someone who knows you and knows all kinds of things about you.    To understand what makes a password “unguessable”, lets review the various ways that a malicious person could attempt to “guess” or “crack” your password. Typically, they will, among other things:

  • Check the list of the most commonly used passwords.  These include things like no password, a space for a password, and the words “password”, “admin”, “passcode”, “secret”, and similar ones.
  • Check combinations of letters that are next to each other on your keyboard, like “qwerty”, “asdfgh”, “34567”, etc.
  • Check if you are using your username, or some part of it, as your password
  • Check common swear words
  • If they know you, check for names, birthdays, anniversaries, phone numbers, maiden names, pets’ names, etc., of yourself or anybody in your immediate family.
  • Perform a dictionary attack by trying every word in a dictionary.  Then  try the same words with varied capitalization and with simple numbers appended or prefixed to them, like “apple1”, and “Apple”.  Finally, try the words with common numbers substituted for similar looking letters.  I.e. “3” for “e”, “1” for “l”, “0” or “o”, etc.   This will result in trying things like “app1e”, “passw0rd”, etc.
  • Perform another dictionary attack using all common first names and last names, possibly with varied capitalization of the first letters.

You may be surprised to know that, depending upon the situation and security of the location where the password trying to be guessed is, that the malicious person may be able to try millions of guesses in a very short amount of time.  So, in many situations, trying these seemingly endless possibilities is really possible.  You may remember the case of Barack Obama’s Twitter account being compromised last month; this was due to a hacker running a program that performed similar password guessing tests on one of the Twitter administrator’s accounts … and discovering her ill-chosen password.

So, a strong password is one that cannot be guessed using an automated program using any of these possibilities and which also cannot be guessed by someone who knows you well and tries passwords based upon information related to you.  This makes it hard to choose a password that you can remember and even harder to choose many different ones for many different web sites.

Why use different passwords for different web sites?

Simply put, if you have different passwords for every web site you have an account, if one of these accounts is compromised or stolen, that information cannot be used to login to any of your other accounts.  I.e. using different passwords limits the possible collateral damage caused by a someone getting your password.

Using separate passwords is actually extremely important, because the possibility of one of your passwords being compromised or at least known by other people, is very very high.  Why?

Many (even most) web sites keep a copy of your password to their site unencrypted and in plain text in their databases.

They do this either to facilitate verifying your password when you login (a poor way to do this, but common), or so that they can give your password if you have lost it (instead of forcing you to reset it), or so that they can use that password for various things within their systems, like performing automated tasks for you.  However, as a result, your password is visible to their system operations staff, and possibly even their support staff.  It is also visible to anyone else with access to their databases, such as a hacker that might break into their systems.

So, you should assume that the people who work for each web site know your username and password to that web site.  If they can guess what other web sites you might be logging into, they could maliciously try that password and similar usernames or email addresses to gain access to accounts as you.

Not all web sites use login processes secured via SSL

If you login to a web site and that login process is not secured via SSL, then your username and password are sent “in the clear” over the Internet to the web site.  This is like writing your username and password on a postcard and sending it in the mail … anyone who can see the message being sent can read your sensitive information.  This is especially dangerous if you are connecting from a wireless hotspot or other location where you do not trust everyone who may be using the local network.

You can tell if you logged in using a secure process once you are logged in, if the URL in the browser starts with “https://” and there may be a little “lock” icon in your browser that indicates a secure connection.

If you login to a web site without SSL security, you should assume that some could get your username and password and login there as you, and that they could try to use that information to login to other sites as you too.

What common mistakes are made in managing passwords to many sites?

Some mistakes are now obvious:

  • Using the same password for many different sites
  • Using a password that is easily guessable

Some mistakes are less obvious:

  • Not changing your passwords for a long time.  The longer the passwords are the same, the more chance of a compromise
  • Writing your passwords down on post-it notes or other pieces of paper.  Anyone who can see that paper (on your desk, in your wallet, in your drawer, etc.) then has your personal password list!
  • Saving the passwords in a non-encrypted file on your computer. Anyone who can access your computer (or steal your laptop) can access that file and get your passwords.  Even if you use a password-protected file, you must be sure that (a) you use a strong password for that file, and (b) that the password-protection in use is actually good; i.e. old versions of Microsoft Office have useless password protection.  If the password is weak or the encryption poor, then a malicious person could easily open the “secure” file.
  • When you do change your password, you change it to a password that you previously used.  Never do that, as someone may know your old passwords.
  • When you do change your password, you change it to a password that is very similar. Don’t do that either, as someone may try all common variations on your previous password to guess the new one.   I.e., changing your password from “Joe2008!” to “Joe2009!” is not a very good change.

Back to basics — what are our goals?

When trying to juggle logins for a plethora of web sites, we need to:

  1. Make sure we have a different password for every site,
  2. Make sure that the passwords for all of the sites are “strong”.
  3. Make sure that we can easily remember all of these passwords.
  4. Avoid writing all of these passwords down in an insecure manner.
  5. Make it easy to remember your passwords after changing them all.

Making strong passwords that are easily remembered

This is, on the surface, perhaps the hardest thing to do.  Typically, when someone gives suggestions on how to make a “strong” password, you will hear things like:

  • Use a combination of letters, numbers, and symbols, like “ksjhd7623!#%”
  • Use both upper and lower case letters.
  • Make the password as long as possible.
  • Do not use words from the dictionary or personal information in the password
  • Use a long sequence of random characters.

All of these tips are valid and play an important role in making good, strong passwords.  However, taken naively, you will end up with very strong passwords that are impossible to remember, like “slkJfH867234i@#$%#%608j”.  You would never guess that one!  However, you will never remember it either.  You’ll have to write it down somewhere or save it in a file and you will have to look it up every time you need it.  Having to look up our passwords all the time will make them too cumbersome, unless the passwords are rarely used.

The two-part system for making many strong, easily-remembered passwords.

This is not a system that we invented.  It has been around awhile and we have no reference as to its origin.  Anyway, here is what you do:

  1. Come up with ONE strong, but short password that is not hard to remember, like “J33pers!”  We’ll call this your “BASE”.
  2. Then, for every web site that you need to have a separate password for, you construct it by taking the BASE and appending a suffix onto it that is specific to the web site in question.    This suffix should be very, very easy to remember.  It does not have to be “strong”, but it is good if it is!  Lets call this the “SUFFIX”.
  3. The new password is “BASE” + “SUFFIX”.

For example, we’ll make a strong BASE by taking a short phrase that we can remember and doctoring it up in a way that we can remember, but which makes it strong:

  • Pick some phrase like “i feel great”.  Multi-word phrases are good starting points for strong passwords, because they are memorable but not easily vulnerable to dictionary attacks.
  • Add symbols – “i feel great!”
  • Add numbers by replacing some letters with numbers phonetically- “i feel gr8!”
  • Use both upper and lower case letters – “I Feel Gr8!”

This BASE, “I Feel Gr8!” is relatively short, but strong.  It uses letters, numbers, and symbols.  It uses upper and lower case letters.  It is not derived from a word in the dictionary or from personal information.   You can use this site at Microsoft to check the strength of you password.

This BASE by itself is a good password, but since we don’t want to use the same password everywhere, we need to generate custom passwords for each of our web site accounts by appending a suffix on to this base.  Note, adding more “stuff” onto a password that is already strong only makes it stronger. When making up suffixes, remember to choose suffixes that

  • Cannot be guessed based on the name of the site your are going to.  I.e. don’t use the suffix “amazon” or “” for your login to!
  • Cannot be guessed using a dictionary attack.

So, lets do some examples to see how it works:

  • For our example login to, we might use the suffix “kindle the fire” (based on a reference to Amazon’s Kindle ebook reader) to get a password “I Feel Gr8!kindle the fire”
  • For our example login to our Bank, we might use the suffix “i need money!” to get “I Feel Gr8!i need money!”
  • For our example login to our Blog, perhaps we use the suffix “no comment!” to get “I Feel Gr8!no comment!”

So you see:

  • It is OK to use spaces in your passwords
  • Using phrases with punctuation creates suffixes that are easy to remember and secure against dictionary attacks.
  • The resulting combined passwords are easy to remember, very strong, and very specific to each site.

Remembering your password suffixes

It is likely that no one will remember all of their suffixes immediately and you will want to protect against forgetting them years later.  You can write down a list of the suffixes, or better yet, make a (encrypted) file in which you keep a list of the suffixes and sites (and usernames) they go with.  Do not include the BASE in this file.  This makes for a cheat sheet that is easy to use and much more secure than your average password list. Without knowing the “BASE”, no one who looks at the cheat sheet actually can use any of the passwords listed.  And, since the BASE itself is a strong password, it will not be easily discovered.

If you want to save your BASE in a place for safe keeping, be sure to put it somewhere distinct from your suffix cheat sheet (like on paper in your safety deposit box or vault).

Changing your passwords

Using the BASE+SUFFIX scheme, when you need to change your passwords (as you should do regularly), all you have to do is change the BASE everywhere.  You can leave all the suffixes the same.  In this way, you get all new strong passwords that are all easy to remember, but only one thing has changed!

How does this BASE+SUFFIX method accomplish our goals?

1. Make sure we have a different password for every site

The use of the SUFFIX ensures that all sites have different passwords.

Using suffixes that are moderately strong and not obvious (to anyone but you) based on the site you are trying to log in to, means that even if someone has the password to one of the sites, which as we mentioned above is very likely, and they know that you are using the BASE+SUFFIX method, it will still not be feasible for them to guess your password to other sites.  And, the better your choice of suffix, the greater the security.

2. Make sure that the passwords for all of the sites are “strong”

As the BASE part is strong, the BASE+SUFFIX is even stronger.  So, all of the passwords are distinct and strong.

3. Make sure that we can easily remember all of these passwords

You have one somewhat complex thing to remember, the BASE, but this is created from a phrase that you know.  The suffixes are all made up of phrases that should be memorable and related to each site — so the combination is easy to remember, especially after you use it a few times.

4. Avoid writing all of these passwords down in an insecure manner.

While you can write down or save the SUFFIX list independently of the BASE, your backup copy of your passwords and sites should be very, very secure.  Maybe you don’t need to write them down at all, if you have a good memory.

5. Make it easy to remember your passwords after changing them all

As you can change all password by just making a new BASE, it will be easy to remember all of the new ones, as you will already know the suffixes.

So, the BASE+SUFFIX method meets all of our goals; however it relies on you to:

  • Choose a good strong BASE
  • Make each suffix not guessable based on the web site in question, i.e. strong in and of itself.

But, with a little thought, this is not very hard.  Actually, it can be kind of fun.

Help making a strong BASE password

Of course, making up your passwords all by yourself is the most secure thing you can do.  However, there are some web sites out there that can get you started:

What a strong password doesn’t protect you from

Just because your passwords are now all super strong and separate for every site, that doesn’t mean that your accounts are all safe!  You must also be aware:

  • If copies of your passwords are stored on your computer or at your home or office, can anyone else ever gain access to them, and thus your accounts?  Think: snoopy people, theft, lock pickers, people looking in your trash, people “fixing” your computer, etc.
  • Is your computer compromised?  If there is a “key logger” installed on your computer either intentionally by someone else, or by the act of a virus, then everything your type is being logged, saved, and viewed by someone.  So, no matter what kind of security you may be using, when you type in that password, it is being saved and sent to someone!  Be sure that your computer is secured, virus free, phishing software free, and that only you have administrative access.  If anyone else has administrative access to your computer, then you never know what software might be running and watching what you do and type.
  • Be sure to use secured connections (SSL) when connecting to your accounts on web sites.  If you do not do this, than anyone eavesdropping on your Internet traffic can see your username and password.  If you are in a pubilc wireless hot spot, use a VPN or SSL for everything, as eavesdropping is extraordinarily prevalent in such locations.
  • If you tell someone your password, assume that they have written it down, told other people, used it in a computer with a key logger, or had it discovered through eavesdropping.  You never know.
  • If you are typing your password in and someone is watching you, they may be able to discern what you typed!

Centalized online storage for copies of your passwords

LuxSci recommends using a secure online repository for storing copies of all of your usernames and passwords.

  • The copies are not stored on your computer or on paper anywhere (except maybe in a vault) and this vastly increases your security.
  • You can access the copies from anywhere, over a secure channel, so you can look up a password if you have forgotten it, no matter where you are located.
  • You can securely store other information along with these passwords for reference, such as:
    • User names needed
    • Web site links
    • Notes
    • File attachments, like contracts, how-to documentation, reference guides, etc.
  • If you work with others and have a shared collection of passwords that are used to access various sites, you can share these online with everyone and even specify who has permission to access which passwords.
  • You should still keep a copy of all of your passwords in a vault somewhere “just in case”.

LuxSci’s Passwords WebAide is a secure online password (and related information) storage system that does all of this, including facilitating sharing between users.  It encrypts all password data using your own PGP certificates (which you can upload or which we can generate for you), so all of the data is encrypted while stored and is only decryptable by you when you login and supply your certificate password to open the secure password entries.