Say your password for website badwebsite.com is the same as the password for goodwebsite.com. Now if the website badwebsite.com gets compromised (or the owner is malign to start with), they’ll know your password. Chances are that your username is the same (email address) for both websites, so the badwebsite.com people can easily log in to your goodwebsite.com account and impersonate you.
Yeah, there are quite a few reliable Password Managers that serve as a strong room for your complex passwords, but they require you to install specific software on the computer. What do you do when you want to check your web email on a different computer where you do not have your security tools installed and you do not remember your secure, random, email password?
In addition, I doubt you can memorize all your passwords for each and every website, if they are secure from brute-forcing and unique, that is.
Write your passwords down on a paper
What I am trying to solve is to give users a simple way of generating strong passwords unique to every website they visit using just a piece of paper, credit card-sized, that you can carry in your wallet. What you need is just a piece of paper that has a unique (per card) combination of secret letters to help you create a unique password for each website. You may use the RAND() function in an Excel spreadsheet to generate unique password cards.
To create a password, take each letter of the website you want to create a password for and then take the corresponding code from the table. For example, if you want to create a password for www.amazon.com, it would be:
1st letter is a -> a (Column 2, Row 1)
2nd letter is m -> jv (Column 7, Row 2)
3rd letter is a -> AN6
4th letter is z -> xs7
5th letter is o -> enb
So the password for your Amazon website becomes ajvAN6xs7enb.
You can optionally (make sure you do this with all your passwords) intertwine the generated password with a memorized password – it could be the city name where you were born, your childhood hero, the name of your favorite author or anything memorable.
For instance, if you were born in Philadelphia, the password for Amazon.com would be ajvAN6xs7enb intertwined with Philadelphia: PahjviAN6lxs7aenbdelphia. This would ensure that your identity consists of something you know (Philadelphia) and something you have (the paper password card).
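The card lookup and the intertwining step above, modelled in Python as an added example (not code from the original post). Assumptions: the card is a table indexed by (letter position, letter); the site label is the second-level domain name; the card is generated with the `secrets` module rather than a spreadsheet RAND(), and EXAMPLE_CARD is a constructed fragment holding only the cells the Amazon walk-through uses.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase
CHUNK_SYMBOLS = string.ascii_letters + string.digits


def generate_card(rows=5, chunk_len=3):
    """Fresh card: one row per letter position, one column per letter.

    secrets is a CSPRNG; spreadsheet RAND() is not designed for secrets,
    so it is a poor source for a card you will rely on (my assumption here).
    """
    return {(row, letter): "".join(secrets.choice(CHUNK_SYMBOLS)
                                   for _ in range(chunk_len))
            for row in range(1, rows + 1) for letter in ALPHABET}


def site_label(hostname):
    """'www.amazon.com' -> 'amazon' (naive: second-level label, assumption)."""
    parts = hostname.lower().split(".")
    if parts[0] == "www":
        parts = parts[1:]
    return parts[0] if len(parts) == 1 else parts[-2]


def derive_chunks(card, hostname):
    """One chunk per letter of the label; row = position, column = letter."""
    rows = max(r for r, _ in card)
    label = "".join(c for c in site_label(hostname) if c in ALPHABET)[:rows]
    return [card[(pos, letter)] for pos, letter in enumerate(label, start=1)]


def interleave(chunks, memorized):
    """Alternate memorized letters with card chunks; leftover letters go last."""
    out = []
    for i, chunk in enumerate(chunks):
        out.append(memorized[i] if i < len(memorized) else "")
        out.append(chunk)
    out.append(memorized[len(chunks):])
    return "".join(out)


# Constructed fragment: only the five cells used in the post's Amazon example.
EXAMPLE_CARD = {(1, "a"): "a", (2, "m"): "jv", (3, "a"): "AN6",
                (4, "z"): "xs7", (5, "o"): "enb"}

if __name__ == "__main__":
    chunks = derive_chunks(EXAMPLE_CARD, "www.amazon.com")
    print("".join(chunks))                      # ajvAN6xs7enb
    print(interleave(chunks, "Philadelphia"))   # PahjviAN6lxs7aenbdelphia
```

Because a cell is revealed whenever a password built from it leaks, two leaked passwords from sites sharing letters in the same positions expose shared cells, which is the collusion trade-off the post mentions.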
Even if a malicious administrator of website badwebsite.com retrieves your password for that website, they cannot impersonate you on say PayPal or Amazon because you aren’t reusing passwords anymore.
It is a bit cumbersome if you have to use the card to type in passwords by hand each time, but when used in conjunction with the everyday “remember password” feature found in every browser, you get extra security at the cost of just a tiny bit of real estate in your wallet.
Security involves trade-offs, in this case between usability, portability and robustness against collusion or more sophisticated attacks. Arguably though, for the vast majority of people, this is more realistic than carrying an electronic password generator.