You’ve probably heard this a hundred times in recent months: Create strong and complex passwords! Also! You better never reuse them! Make sure they are all unique! This is probably the most common rhetoric in digital security today. What never gets addressed is that remembering strong, complex, unique passwords in the fast-paced digital world we live in is not pragmatic. Quite frankly, it’s a pain in the ass. As a software engineering manager with hundreds of accounts, both professional and personal, I’ll share some useful tips that have made those two big online security rules pretty painless to manage. As an analogy, let’s imagine each and every password you have is a delicious cake, one whose ingredients nobody else can ever know. There are only four ingredients you have to remember. Let’s start with the biggest one first.

Step 1: The Cake Batter

Capitalize Passphrase – First Letter of Each Word

Picking a short sentence or phrase is like the cake batter: it’s the biggest ingredient. Pick anything that is super easy for you to remember, something deep in long-term memory. A phrase around three to six words long seemed, for me, to be the sweet spot between security and still being easy. Maybe it was your favorite book growing up, a funny phrase you always say, or the motto of a sports team. Here are some examples that come to mind: “London Bridge is Falling Down”, “Live Love Laugh”, “Keep Calm Carry On”, “United We Stand”; any of these would work. Just avoid the obvious like “password” or putting personal information in there. Again, it should be vague to everyone else but memorable to you. Once you have it, take out any spaces in your passphrase, since spaces don’t play nicely with many website forms, and then make a rule for this ingredient: How will I capitalize letters in my passwords? Should it be the first two letters in each word? The last letter of each word? Just pick something that will be easy to remember and avoid using ALL CAPITALS or all lowercase. Mixing the case makes the password much harder to crack. For our example, we’re going to pick an easy one.

Our example: “UnitedWeStand”

Step 2: The Icing

Second Rule: Obfuscate Characters – Replace any letter d with 4 and any letter i with !

Now let’s break out the security icing for this cake. Pick a couple of letters in your passphrase which could easily be replaced with either special characters or numbers. The important thing here is that it needs to be easy to remember. For a list of special characters that are almost universally accepted, view them here. A common pattern I’ve seen used is to pick special characters or numbers that look like the actual letter, e.g. @ would replace every letter a within your passphrase. It doesn’t have to be full-on leetspeak, but the more letters you replace, the better, since it obfuscates your original phrase. For our example, let’s pick a couple of easy replacements. Every d will be replaced with the number 4 and every i will be replaced with a ! mark. See it below:

Our Example: “Un!te4WeStan4”

Step 3 – Let’s Add More Layers!

Priority of Safety – Add High, Medium, or Low to end of any passphrase

Some cakes (passwords) should have more layers (security level) than others. For our example password, let’s make a rule to figure out how many layers it may need. Think of the layers in the cake as “security levels” for your password. The goal here is to ensure not all your passwords are exactly the same, without having to remember specific passwords. Your email account, Amazon, or bank account are extremely important, and that will not change, so all you need to remember is the term we set here for that level. I know this sounds pretty abstract, so I’ll offer some examples. Terms you could use for this could be:

  • Defcon1, Defcon2, Defcon3

  • Low, Medium, High

  • $, $$, $$$

For our example password, let’s go with: high, medium, or low. “High” is for the most important websites you log into, the ones that contain personal information like your bank account or social security number; for those we will simply add the word “high” to the end of our current example password. Here are some other examples based on their “level”. Below shows what the password would be at this point for different websites:

Our Example: “Un!te4WeStan4H!gh” (For your banking, email, or social media websites)

Our Example: “Un!te4WeStan4Me4!um” (For an online forum website you frequent)

Our Example: “Un!te4WeStan4Low” (For your Backstreet Boys Fan Club Newsletter website)

The biggest benefit of step 3 is not that it increases the time to crack your Un!te4WeStan4 password by 90 trillion more years (source: How Secure Is My Password? | Password Strength Checker); it’s that not all of your passwords are the same. They don’t differ by much, though: at this point, if a hacker cracked your password at one “security level”, everything on that security level would be at risk, since it all uses the same password. If we could somehow figure out an easy way to make all passwords different without having to remember them, now we’d be cooking with Crisco! Let’s look at step 4.

Step 4 – Locally-sourced cherry on top

Example Something Locally from System – Identify a common pattern that can be used for each website or system

The cherry on top of your “password cake” should be something “local” to the website or login page that you are on. You want to pick something on the page that will NOT change. Any text in the logo of the company or the domain name is a great choice, or better yet, the first 5 characters of the website’s domain. By picking something like this that rarely changes, you don’t have to remember it! This is the real magic of this password strategy. Let’s use my own website as an example: Home – Andy Barrows Portfolio and Blog. Again, we are going to make a “rule” rather than trying to remember a value. For this example, let’s finish our password recipe by deciding that for every password moving forward, we’re going to pick the first 2 and last 2 characters of the main domain. In the case of Home – Andy Barrows Portfolio and Blog, it’s: anws. Below are the finished passwords of our previous examples.

Example Password: “Un!te4WeStan4H!ghamss” (For your americanexpress.com banking website)

Example Password: “Un!te4WeStan4Me4!umanws” (For Home – Andy Barrows Portfolio and Blog, an online forum website you frequent and love!)

Example Password: “Un!te4WeStan4Lowbays” (For your backstreetboys.com Backstreet Boys Fan Club Newsletter website)

Since this will differentiate each and every password that you have, you won’t have to worry about the risks of using the same password for multiple systems. You also won’t have to remember random differences in your passwords, thanks to spending a couple of minutes creating your very own “password recipe”.
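To make the four steps concrete, here is the whole recipe written out as a small Python script. This is an added example, not code from the original post; it hard-codes the post’s running rules (capitalize the first letter of each word, d→4 and i→!, a High/Medium/Low suffix, then the first two and last two characters of the main domain). Two assumptions are mine: the substitution is applied to the passphrase and the level word but not to the domain suffix (which matches the post’s finished examples), and the “main domain” is taken to be the second-to-last label of the hostname, so two-part suffixes such as co.uk are not handled.

```python
from urllib.parse import urlsplit

# Step 2 rule from the post: every d becomes 4, every i becomes !
SUBSTITUTIONS = str.maketrans({"d": "4", "i": "!"})

# Step 3 rule from the post: one of three security levels
LEVELS = ("high", "medium", "low")


def capitalize_passphrase(phrase: str) -> str:
    """Step 1: drop spaces and capitalize the first letter of each word."""
    return "".join(word[:1].upper() + word[1:] for word in phrase.split())


def obfuscate(text: str) -> str:
    """Step 2: apply the character substitutions to the text."""
    return text.translate(SUBSTITUTIONS)


def main_domain_label(site: str) -> str:
    """Return the 'main domain' label of a site, e.g. 'americanexpress'
    for 'https://www.americanexpress.com/login' or 'americanexpress.com'.
    Assumption (mine, not the post's): the label just before the TLD."""
    host = urlsplit(site if "//" in site else "//" + site).hostname or ""
    labels = [label for label in host.lower().split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"cannot find a main domain in {site!r}")
    return labels[-2]


def local_suffix(site: str) -> str:
    """Step 4: first two and last two characters of the main domain."""
    label = main_domain_label(site)
    return label[:2] + label[-2:]


def recipe_password(phrase: str, level: str, site: str) -> str:
    """Run all four steps and return the finished password for one site."""
    level = level.lower()
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}, got {level!r}")
    # Steps 1-3: capitalized passphrase, then the level word, then obfuscate both
    body = obfuscate(capitalize_passphrase(phrase) + level.capitalize())
    # Step 4: the site-specific cherry on top
    return body + local_suffix(site)


def all_unique(passwords) -> bool:
    """The post's stated goal: no two sites end up with the same password."""
    passwords = list(passwords)
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    # Constructed sample accounts using the sites named in the post
    accounts = [
        ("high", "americanexpress.com"),
        ("low", "https://www.backstreetboys.com/newsletter"),
        ("medium", "backstreetboys.com"),
    ]
    generated = [recipe_password("united we stand", lvl, site) for lvl, site in accounts]
    for (lvl, site), pw in zip(accounts, generated):
        print(f"{site:45} {lvl:7} {pw}")
    print("all unique:", all_unique(generated))
```

Running the script reproduces the post’s finished examples for americanexpress.com and backstreetboys.com, and the `all_unique` check confirms the point of step 4: the same passphrase and level still yield different passwords on different sites, while the same site at two different levels differs only in the level word.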

There are several other ways to avoid having to “remember” passwords altogether, but this “password recipe system” has worked very well for me and is a strong baseline to fall back on if I absolutely have to make a password on the fly. The ingredients (steps) for making a “password recipe” do not require Chef Ramsay levels of quality. Feel free to reverse the order, do step 3 first, it doesn’t matter. The key to this is setting rules for yourself across any and all websites and systems. Make it work for you and stay safe!

TL;DR

To help remember these four steps, here is a cheesy acronym you can use (COPE):

  1. C: Capitalized Passphrase

  2. O: Obfuscate Characters

  3. P: Priority of Security

  4. E: Example Something Locally from System