The essence of a good password
To sum up: to keep protection against data theft as high as possible, three basic principles must be observed when dealing with passwords. The password should contain at least 12 characters; it should be difficult to guess, i.e. it should reveal nothing personal about its owner and nothing generic (see the list of the worst passwords); and it should be unique to each platform. So how can many different, and at the same time secure, passwords be generated without having to write them down? Here is a step-by-step guide:
1) Choose a strong and impersonal master password
The first step is to generate a secure master password that has no direct and obvious relationship to the user (such as name, place of residence or date of birth). The character-string method mentioned at the beginning is suitable for this: the character string is derived from a mnemonic, a quotation, a passage from a favourite book, a song lyric, etc. This makes the master password arbitrary, impersonal and memorable. To ensure that the final password has 12 characters, the master password should be derived from a long sentence.
Instead of abbreviating a sentence, you could also use the full sentence itself as the master password. In this case the sentence should be a short one, so that you can still enter it in a reasonable time on mobile devices. The following example is based on a quirky German sentence meaning roughly "The safest time to use a hair dryer in the bathroom is during a power failure". Taking the initial letters of the words in that sentence gives the master password shown below. For your password, you should choose a sentence that you will never forget, but will be difficult for a hacker to guess. You could perhaps capitalise all the nouns in your sentence to produce a mixture of upper and lower case letters.
BSidGgmdFzb
To increase the strength of the password, you should add at least one special character, e.g. an exclamation mark:
BSidGg!mdFzb
2) Create variations of the master password
The second step is to modify the master password for the individual services and platforms. The concept is very simple: at arbitrary but fixed positions in the master password, letters and numbers are inserted or replaced, and these vary depending on the platform.
Step 1: For example, we could always insert a number after the 2nd position, creating a new 3rd position, the number being derived from the length of the name of the respective service. For LinkedIn this would be 8, because "LinkedIn" consists of eight characters; for Google and Zühlke it would be 6. The modification can be varied depending on the level of difficulty required: for example, the number can additionally be multiplied by a fixed factor, or have a fixed number added to it. Assuming we add 3, the following intermediate passwords result:
LinkedIn: BS11idGg!mdFzb
Google: BS9idGg!mdFzb
Zühlke: BS9idGg!mdFzb
Step 2: The character at the x-th position of the intermediate password is replaced by a freely selectable but fixed symbol. For example, x could be the number of consonants in the name of the platform for which the password is being generated, multiplied by 2. So for LinkedIn, x would be 10 because "LinkedIn" contains five consonants; for Google it would be 6, and for Zühlke it would be 8 (the umlaut "ü" counts as a vowel, not a consonant). The replacing symbol could be an "@", for example. So you would get:
LinkedIn: BS11idGg!@dFzb
Google: BS9id@g!mdFzb
Zühlke: BS9idGg@mdFzb
Here too, there are numerous possibilities for variation, for example the position could be shifted a few characters to the left or right. Other characters or even character sequences are also possible.
Step 3: The number of vowels in the name of the service is appended after the last position of the password. For greater security, 1 could be subtracted from it. For LinkedIn, the number 3-1=2 would be appended, because the word "LinkedIn" contains three vowels:
LinkedIn: BS11idGg!@dFzb2
Google: BS9id@g!mdFzb2
Zühlke: BS9idGg@mdFzb1
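The three steps above, written out as a small Python program so the rules can be checked against the LinkedIn, Google and Zühlke values in the text. This is an added example, not code from the original article; the constants it uses (insert after position 2, add 3 to the name length, x = consonants multiplied by 2, replacement symbol "@", vowel count minus 1) are the article's, while the function and parameter names (`derive_password`, `insert_after`, `length_offset`, `symbol`, `vowel_offset`) are this example's own and are assumptions chosen to show where the article's variations plug in. The article's worked values require that the umlaut in "Zühlke" is counted as a vowel, so the example strips diacritics before classifying a letter.

```python
# Added example (not from the original article): the three derivation
# steps implemented in Python. The constants are the article's; the
# function and parameter names are this example's own assumptions.
import unicodedata

MASTER_PASSWORD = "BSidGg!mdFzb"   # the article's master password after adding "!"
VOWELS = set("aeiou")


def _base_letter(ch: str) -> str:
    """Lower-case base letter of ch with diacritics removed, so that 'ü'
    compares as 'u' (the article counts the ü in Zühlke as a vowel)."""
    return unicodedata.normalize("NFD", ch)[0].lower()


def count_vowels(name: str) -> int:
    """Number of vowel letters (a, e, i, o, u, with or without diacritics)."""
    return sum(1 for ch in name if ch.isalpha() and _base_letter(ch) in VOWELS)


def count_consonants(name: str) -> int:
    """Number of letters that are not vowels; digits and punctuation are ignored."""
    return sum(1 for ch in name if ch.isalpha() and _base_letter(ch) not in VOWELS)


def derive_password(master: str, service: str, insert_after: int = 2,
                    length_offset: int = 3, symbol: str = "@",
                    vowel_offset: int = 1) -> str:
    """Derive the per-service password from the master password.

    Step 1: insert len(service) + length_offset after position insert_after.
    Step 2: replace the character at 1-based position x = 2 * consonants
            with `symbol`.
    Step 3: append the vowel count minus vowel_offset.
    """
    # Normalise to NFC so that a decomposed "u" + combining diaeresis still
    # counts as a single character of the service name in Step 1.
    service = unicodedata.normalize("NFC", service)

    # Step 1: the number derived from the length of the service name.
    number = str(len(service) + length_offset)
    password = master[:insert_after] + number + master[insert_after:]

    # Step 2: x is 1-based in the article. Guard it, because a name with
    # no consonants (x = 0) or a very long name would point outside the
    # intermediate password.
    x = 2 * count_consonants(service)
    if not 1 <= x <= len(password):
        raise ValueError(f"position {x} is outside the intermediate password")
    password = password[:x - 1] + symbol + password[x:]

    # Step 3: append the (reduced) vowel count.
    password += str(count_vowels(service) - vowel_offset)
    return password


if __name__ == "__main__":
    for service in ("LinkedIn", "Google", "Zühlke"):
        print(f"{service}: {derive_password(MASTER_PASSWORD, service)}")
```

Running the block prints the three final passwords from the text. Changing `length_offset`, `symbol` or `vowel_offset`, or swapping `count_consonants` for another counting rule, corresponds to the variations the article suggests; the range check in Step 2 is the one practical detail the article leaves implicit, since a service name without consonants would otherwise produce no valid position.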
Depending on personal security needs, further steps of this kind can and should be added. It is important that the steps in the derivation process depend solely on the name of the service for which a password is to be generated. The more complex the rules and the more variation they introduce, the more secure the resulting passwords will be. The addition, multiplication or subtraction of numerical values can be omitted if, instead of counting consonants or vowels, we count other creative characteristics, such as the number of "round" letters (o, p, b, g, e) or the number of letters that come after a certain letter in the alphabet (after "r", for example, come s, t, u, v, ...).
There are numerous possibilities here, which increase the individuality and therefore the security of the system. The derivation rules may be written down and kept in a safe place – but never together with the master password.