

Show HN: My password - mherrmann

Thought I'd share this because I find it useful: I don't want to use the same password on all websites but I can't remember a different password for each new service I register. I therefore use an algorithm in my head to construct the password. Say I want to create an account for yahoo.com. I always use the same user name. For the password, I apply my "algorithm" to the service URL. E.g. my algorithm could be "reverse the first five letters of the URL, make the now last char upper case and append '1337!'". So in the Yahoo example, my password would be 'oohaY1337!'. For gmail.com, it would be 'liamG1337!', etc. This way, I get unique passwords for each site, that are at the same time easy to remember.
[It goes without saying that I am using a different algorithm than the above.]
======
unfunco
To a certain extent or limit, it's not up to the user to provide a secure
password, it's up to the developers to ensure passwords are stored securely.
Reversing the name of the service and prefixing it to the password doesn't
provide much additional security, nor does appending a number, especially if
the host has not encrypted it appropriately.

You would be much more suited to using a password manager that just generates
secure passwords for each service (something like LastPass) – instead of
relying on some obscure pattern in your head, because patterns instead of true
randomness is sometimes the cause of lapsed security.

------
jlgaddis
In other words, if I can get ahold of _ONE_ of your passwords I have a pretty
good chance of compromising _ALL_ of your passwords?

[https://lastpass.com/](https://lastpass.com/)

~~~
mherrmann
Yes, but it's still better than using the same password on all sites.

~~~
aw3c2
Is it though? With this technique you would just need to grep a password dump
for permutations of the service name. For the ones you find there is a good
chance that the scheme is used on other sites. So now you can try the big
sites with a high probability that the login works.

With password re-use you would need to guess if they re-use it. With this you
know.
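
The point made in the last reply, as an added example that is not part of the thread: a check a site could run at signup, or a user could run over their own vault export, that flags passwords derived from the service name. `example_scheme` is the illustrative algorithm from the post; the other function names, the naive hostname handling and the 4-character threshold are assumptions.

```python
import secrets
import string


def example_scheme(host: str) -> str:
    """Illustrative scheme from the post: reverse the first five letters,
    upper-case the now-last character, append '1337!'."""
    rev = host[:5][::-1]
    return rev[:-1] + rev[-1].upper() + "1337!"


def service_label(host: str) -> str:
    """'mail.yahoo.com' -> 'yahoo' (naive: second-to-last DNS label)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def derived_from_service(password: str, host: str, min_len: int = 4) -> bool:
    """True if the password contains a run of at least min_len characters
    of the service name, written forwards or backwards (case-insensitive).
    Labels shorter than min_len are never flagged, to avoid false positives."""
    pw = password.lower()
    label = service_label(host)
    for candidate in (label, label[::-1]):
        for start in range(len(candidate) - min_len + 1):
            if candidate[start:start + min_len] in pw:
                return True
    return False


def random_password(length: int = 20) -> str:
    """What a password manager generates instead: no relation to the site."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for host in ("yahoo.com", "gmail.com"):
        pw = example_scheme(host)
        print(host, pw, "derived" if derived_from_service(pw, host) else "ok")
    # Constructed sample of a password with no relation to the service name.
    sample = "k7#Qz!m2Vw9$Tb4x"
    print("yahoo.com", sample,
          "derived" if derived_from_service(sample, "yahoo.com") else "ok")
    print("generated:", random_password())
```

A password that trips this check reveals its construction rule to anyone who sees it next to the site name, which is why a per-site random value from a manager is the stronger choice.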

