Don't memorize passwords. Memorize an encryption algorithm.

A safer alternative to using a password manager

If you do a Google search for recent data breaches you'll likely find the results alarming, yet unsurprising. Provided you have a typical online presence, having your login information compromised, whether by hacking, an inside job, or an accidental upload to the internet, has gone from an unfortunate possibility to an inevitability.

That's why it is so critical to have a unique, strong password for every password-protected service you use. Unfortunately, your data is only ever as secure as the companies that hold it. But in the event that your login information is compromised, using a different password for every account is an effective form of damage control: one leaked password unlocks one account, not all of them.

Memorizing 20-character passwords for dozens of accounts isn't a practical solution for most people.

The most commonly recommended solution I've seen on the web is to use a password manager. I admit, they do make it convenient to use strong, unique passwords for all of your online accounts without the burden of having to memorize dozens of long and intricate passwords. Personally, I'm not comfortable trusting all of that sensitive data to any one company.

You could simply write your passwords down. But the astute reader may notice that merely writing your passwords down doesn't resolve the problem of having a single point of failure. There's still the risk that a physical copy of your passwords could be stolen, which is a particular concern if you plan to use your computer and login information outside of your home. Thankfully, there is a solution:

Don't memorize passwords. Memorize an encryption algorithm.

This way, you can write down encrypted versions of your passwords without worrying that someone who steals your password book will suddenly have access to all your accounts. All you need to remember is how to decrypt the written version of your password.

So what does that look like in practice? Some ideas:

“Salt” your passwords.

Start by coming up with a password that is easy for you to remember, like “peach99”. Then, for each of your accounts, append a random string of characters (the “salt”) to that password, using a different salt for every account. You'll end up with a list of passwords that looks something like:

  • peach99fhh$%hfhe@
  • peach99ghw352&*pj
  • peach99456BD!_97av
  • and so on

The salt is the only part you write down. Someone who steals your password book would have to know to prefix each entry with “peach99” to make use of it.

Use a substitution cipher.

There are many forms of substitution cipher you could use, but in essence you replace certain characters in your password with other characters before writing them down, in a consistent way that you can remember. You could, for instance, shift each letter in your password a fixed number of positions along the alphabet: “peach99” could be written as “shdfk99”, using the following cipher:

“ABCDEFGHIJKLMNOPQRSTUVWXYZ” => “DEFGHIJKLMNOPQRSTUVWXYZABC”
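Both ideas above combined, as an added example written for this page (not code from the post's author): a memorized part plus a random per-account salt, where the salt is the only thing written down and is additionally passed through the three-position shift cipher before it goes in the book. The function names, the salt length and the character pool are assumptions.

```python
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def make_salt(length=10):
    """Random per-account suffix (the post's "salt"); the only part that
    goes into the password book. Pool and length are assumptions."""
    pool = string.ascii_letters + string.digits + "!@#$%&*_"
    return "".join(secrets.choice(pool) for _ in range(length))


def shift_letters(text, shift):
    """The post's substitution cipher: rotate each ASCII letter `shift`
    positions through the alphabet; digits and symbols are left as-is."""
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def book_entry(salt, shift=3):
    """What you actually write down: the salt with its letters shifted."""
    return shift_letters(salt, shift)


def recover_password(memorized, entry, shift=3):
    """Undo the shift on the written entry and prepend the memorized part."""
    return memorized + shift_letters(entry, -shift)


def build_book(memorized, accounts, shift=3):
    """Fresh salt per account; returns {account: written entry}.
    The memorized part is never stored, only the shifted salt."""
    return {account: book_entry(make_salt(), shift) for account in accounts}


if __name__ == "__main__":
    memorized = "peach99"  # the post's sample memorized password
    book = build_book(memorized, ["mail", "bank"])
    for account, entry in book.items():
        print(account, entry, "->", recover_password(memorized, entry))
```

Because the memorized part is identical for every account, it is the salt, not the prefix, that makes each password unique, so the salt should be long and genuinely random rather than something you pick by hand.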

The possibilities are endless, but hopefully that gives you some ideas. Your encryption algorithm need only be sophisticated enough that the sort of thief who might steal your backpack can't crack the code before you have changed your login information. That is, not sophisticated at all!

If any cybersecurity specialists are reading this (or anyone, really), let me know your thoughts in the comments.