Recently I wrote "bad" password advice that specifically concentrates on using 10-character passwords and utilizing a password manager to manage them.
This tutorial is even simpler. It requires no password manager, all you have to remember is one word and one number, the passwords are only 8 characters long, and they still stay unique for each web site that requires user credentials.
Step 1. Choose a four-letter word or four-character phrase
Use a four-letter word like care, look, tree, bull, pine, rest, blob, east, bike – OR – use a four-character phrase that’s easy to type with one hand, such as qwea, wers, ertd, rtyf, tyug and so on.
Step 2. Choose a single-digit number
You have the choices of 0 through 9. Pick one.
Step 3. Use the first three characters of the web site’s domain (URL) the password belongs to
This is best shown by example:
Yahoo Mail: yah
Step 4. Choose the pattern of the password
The patterns you have to choose from are any that DO NOT start with the digit, because several web sites do not permit passwords that begin with a digit. That leaves you four patterns to choose from:
Word+Digit+URL
Word+URL+Digit
URL+Digit+Word
URL+Word+Digit
Let’s say the four-letter word you chose was tree, the digit 8, and the pattern you chose was Word+Digit+URL. Here’s how the password would look:
Yahoo Mail: tree8yah
Benefits of generating passwords with the Word + Digit + URL method
Easy to remember for you, difficult for others to guess
You’ve been told over and over again that you should always pick passwords you can remember easily but others could not guess – but were never told how to do this. W+D+U passwords are exactly the way to do it.
No need for a password manager
Many people do not want to be bothered with a password manager because they consider it too much of a hassle. For those who hop between OSes this is especially true, because many password managers only work on one OS and nothing else.
Has "good enough" security for most people
You’ve also been told over and over again never to use the same password for multiple web sites. The 3 characters from the URL keep passwords unique and satisfy this requirement.
Drawbacks of the W+D+U method
Some sites will have the same password
Example: Meebo and Meetup. Both start with mee, so the password would be the same for both sites. You can get around this by counting the number of characters in the domain name and adding an extra digit. Meebo is 5 characters, Meetup is 6. If the password is tree8mee, Meebo’s would be tree8mee5 and Meetup’s tree8mee6. If both sites have the same number of characters in the domain name, however, you’re out of luck.
Same-service accounts will have the same password
This is the biggest drawback of the W+D+U method of password generation, and the only way around it is to add an extra digit based on priority.
Example: You have two Hotmail accounts. Both accounts have tree8hot as the password. Whatever account you use the most should be changed to tree8hot1, the second tree8hot2, and so on.
If someone guesses your 5-character passphrase and recognizes the pattern, the password is useless
The likelihood of this occurring is slim, but it’s a possibility. If your 5-character passphrase is tree8 and someone realizes that you use that passphrase plus the first three characters of a domain name for all your passwords, you’re basically screwed – but only if you use the same username everywhere.
W+D+U is weak, but better than 12345678
I’m not saying that using W+D+U for passwords is strong or secure, only that it is "good enough", as said above. These passwords are easy to remember, difficult for others to guess, you don’t need a password manager, and the best part is that they work everywhere.
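As an added example (not code from the original post), here is the W+D+U scheme in Python, together with the domain-length workaround from the Drawbacks section and a count of how much of each password an outsider actually has to guess, set against a random 8-character password. The site names in the sample list are constructed, and the function takes the domain's name part without the TLD, the way the post's own examples (yah, mee, hot) do.

```python
from collections import defaultdict
from math import log2

# The four orderings of Word (W), Digit (D) and site prefix (U) that do not
# begin with the digit, named the way the post names them (Word+Digit+URL = "WDU").
PATTERNS = ("WDU", "WUD", "UDW", "UWD")


def wdu_password(word, digit, site, pattern="WDU", length_tiebreak=False):
    """Build a W+D+U password for `site`, the domain's name part (e.g. 'meebo').

    length_tiebreak appends the number of characters in the site name, the
    workaround the post gives for sites that share their first three letters.
    """
    if len(word) != 4 or not (len(digit) == 1 and digit.isdigit()):
        raise ValueError("need a four-character word and a single digit")
    if pattern not in PATTERNS:
        raise ValueError(f"pattern must be one of {PATTERNS}")
    parts = {"W": word, "D": digit, "U": site.lower()[:3]}
    password = "".join(parts[p] for p in pattern)
    return password + str(len(site)) if length_tiebreak else password


def find_collisions(word, digit, sites, pattern="WDU", length_tiebreak=False):
    """Return {password: [sites]} for every password that two or more sites share."""
    by_password = defaultdict(list)
    for site in sites:
        by_password[wdu_password(word, digit, site, pattern, length_tiebreak)].append(site)
    return {pw: s for pw, s in by_password.items() if len(s) > 1}


def secret_bits(word_choices=26 ** 4):
    """Entropy of the part an outsider must guess: the word, the digit and the pattern.

    The site prefix comes from the public domain name and adds nothing. 26**4
    assumes any four lowercase letters; a dictionary of common four-letter words
    is much smaller, so this is an upper bound.
    """
    return log2(word_choices) + log2(10) + log2(len(PATTERNS))


def random_password_bits(length=8, alphabet_size=62):
    """Entropy of a uniformly random password over letters and digits, for comparison."""
    return length * log2(alphabet_size)


if __name__ == "__main__":
    sites = ["yahoo", "meebo", "meetup", "meeple"]  # constructed sample site names
    print(wdu_password("tree", "8", "yahoo"))  # tree8yah, as in the post
    print(find_collisions("tree", "8", sites))  # {'tree8mee': ['meebo', 'meetup', 'meeple']}
    print(find_collisions("tree", "8", sites, length_tiebreak=True))  # {'tree8mee6': ['meetup', 'meeple']}
    print(f"secret part: {secret_bits():.1f} bits vs random 8 chars: {random_password_bits():.1f} bits")
```

The last line prints about 24 bits for the secret part against about 48 bits for a random 8-character password, which is the gap the "weak, but better than 12345678" heading refers to.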