I’m done with remembering passwords

How Twitter’s “not-a-leak” made me realize that remembering passwords no longer works.

Twitter recently reported a glitch that caused passwords to be written to an internal log unmasked, in plain text. The company said that there were no signs of hacking, that the logging error had been fixed, and that the passwords had not ended up in the wrong hands. There probably wasn’t a leak, they said, but they advised changing your password in any case. And the new password, as we all know, should be strong and unique.

For me and many others, this was painful. I store passwords in my head and nowhere else. To make them easy to remember yet strong, I use my own technique to generate them. I start with one keyword, add a few digits, change the letter case in certain parts, and sprinkle in some special characters and a few more symbols related to the service I’m using. That way the password is unique, quite long and complex, yet memorable.

The technique has long served me well — no matter how many services I use, I can still recall the passwords even for ones I seldom use because I know my password-generating technique. But over time my approach has run into a problem: services leak users’ passwords every so often, thereby forcing people to change them.

Unfortunately, my technique provides only one password for each service. To create another means tweaking the technique, which can make the new password much harder to recall. Either a new keyword is needed or a different set of digits, or I could use some other letters related to the service (for example, if before it was the first two characters of the company’s name and the last two characters of the service name, now I might use three characters instead).

Changing the technique is a major problem for the old gray cells, because some passwords are generated with the old method, and others with the new one. And if like me you’ve been using this approach for more than a few years, the technique has probably gone through a fair few iterations.

It’s happening more and more that when signing into a service, I suffer a mental block. My muddled thought process is something like: “OK, what password do I use for this service? This one, I think. No, wait, there was a breach and I changed the password. It probably uses the secondary keyword now. Ah, no, the breach was ages ago, I wasn’t using this keyword yet. So what did I tinker with? Maybe the digits…?” You get the picture.

It’s not that I have a bad memory, but after so many breaches, sometimes I can’t remember a password. When that happens I have to reset it, which further complicates my already complex password world. The keywords and sets of digits go on multiplying — and every time, I have to recall what combination of parameters I used for each service. The algorithmic certainty of having one password per service has been shattered.

As the accounts stack up (new banks, car-sharing services, forums, etc.), my set of passwords becomes messier and messier. So for me, Twitter’s recent statement was the last straw.

It seems the time has come to entrust the storage of this hodgepodge to a password manager. When passwords have to be changed frequently, the mnemonic system breaks down — the rules become too numerous.

But for a password manager this is child’s play. All you need to do is go into the service’s settings and click the “Change password” button; Kaspersky Password Manager will insert your current password and offer to generate a new, random one that shares no structure with any other password in its vault, so a leak of one reveals nothing about the rest.

The password manager saves the new password to its database automatically, so there is nothing to remember there either. The only thing you must commit to memory is the single master password for Kaspersky Password Manager. That one password does have to be strong, since everything else is protected by it, but remembering one strong password is eminently doable.
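To make the contrast concrete, here is an added example (not code from the post or from Kaspersky Password Manager) that models both halves of the argument: the rule-based mnemonic scheme described earlier, with its rules revised after each breach, and the manager’s approach of drawing each password from a CSPRNG and storing it. The keywords, digits and rule versions in `RULE_VERSIONS` are constructed illustrations, not the author’s real rules, and `Vault` is a stand-in for a real manager’s encrypted store.

```python
import secrets
import string

# Constructed stand-in for a rule-based mnemonic scheme of the kind the post
# describes: one keyword, a few digits, a case change, a separator and some
# characters taken from the service name. The keywords, digits and rule
# versions below are assumptions for illustration, not the author's real ones.
RULE_VERSIONS = {
    1: {"keyword": "Rover", "digits": "73", "service_chars": 2},   # original rule
    2: {"keyword": "Rover", "digits": "19", "service_chars": 3},   # after a breach
    3: {"keyword": "Tundra", "digits": "19", "service_chars": 3},  # after another
}


def derive(service: str, version: int) -> str:
    """Password the scheme produces for `service` under one rule version."""
    rule = RULE_VERSIONS[version]
    n = rule["service_chars"]
    tag = (service[:n] + service[-n:]).upper()
    return f"{rule['keyword']}{rule['digits']}!{tag}"


def candidates(service: str) -> list[str]:
    """Every password the scheme could ever have produced for `service`.

    This is the list the author has to search mentally at sign-in, and it grows
    by one entry every time a breach forces a change to the rules.
    """
    return [derive(service, v) for v in sorted(RULE_VERSIONS)]


# What a password manager does instead: draw each password from a CSPRNG, so no
# two passwords share any structure, and store them so that rotation is a
# simple replace rather than a new rule to remember.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate(length: int = 20) -> str:
    """Random password containing at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


class Vault:
    """Minimal per-service store; a real manager encrypts this under a master password."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}

    def rotate(self, service: str, length: int = 20) -> str:
        """Replace the stored password for `service` with a fresh random one."""
        new = generate(length)
        self._entries[service] = new
        return new

    def get(self, service: str) -> str:
        return self._entries[service]


if __name__ == "__main__":
    print("mnemonic scheme, every candidate for twitter:", candidates("twitter"))
    vault = Vault()
    old = vault.rotate("twitter")
    new = vault.rotate("twitter")
    print("manager: old", old, "-> new", new, "(only the new one is stored)")
```

Running it shows the two failure modes side by side: every version of the derived password visibly embeds the service name and the shared keyword, and the candidate list is exactly the set the author has to work through at sign-in, whereas the vault holds one random entry per service and rotation simply overwrites it.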

For a long time, I balked at the prospect of using a password manager — my own brainpan (and the techniques that I came up with) seemed a far more reliable option. But the times are changing, and data leaks continue to rise in number and scale. What worked yesterday is clumsy and obsolescent in this brave new world.

I guess it’s time to succumb to the inevitable and switch to a password manager.