Just My Blog Here...
I use only one password for all web sites

We are supposed to change our passwords often, but not to write them down; to make them complicated and long, but never repeat them on different sites; and to use all sorts of characters, not only the letters of the alphabet. And then actually remember all those passwords. Sounds almost as hard as it actually is.

However, it is actually quite simple to have to remember only one single thing, with no need to use password manager software or to write anything down. What you have to remember is not really a password, but a brief algorithm that derives a password unique to every site you use.

When you come back to the same site, you only need to apply that algorithm again and you get the password you used on that particular site. Easy.

An example for your account on HN, or to be more precise on “news.ycombinator.com”. To make things easier, take only the domain name “ycombinator.com”, that is 15 characters. Positions in the domain are counted the way Python counts them: 0 is the first character from the left, -1 is the last character from the right. Now, make up a first step for your password algorithm:

(1) domain.length * 3 - 11 = 34

That is a number nobody will reconstruct unless they have at least a couple of your passwords in clear text and suspect that you are using some sort of formula to get it. Bear in mind that clear-text passwords do leak when sites are breached, so this is less unlikely than it sounds; keep the formula simple enough to remember, but not so simple that one leaked password gives it away. Next line in your algorithm:

(2) domain[3] + 2 = “o”

Take the character at position 3 (counting from 0), that is the “m”, and use the character that comes 2 positions after the “m” in the alphabet, that is the “o”. If the shift runs past “z”, wrap around to “a”. Finally, a third line for your password algorithm and we are done.

(3) domain[-5].uppercase + domain[-7] = “Rt”

Take the fifth-last and seventh-last characters, counting from the right: in “ycombinator.com” those are the “r” and the “t”, and the fifth-last is written in uppercase. Think of any other rules to create “randomness” in your password. Maybe (4): if the domain name has an even number of characters, throw in a “&”, and if it has an odd number, use “#(” instead.

Your actual “password to remember” is your algorithm, which can create any number of unique passwords. Put your new password together and insert some fixed characters to make it long enough. Those fixed characters will be the same in all your passwords:

“9” +(1)+ “3” +(2)+ “C” +(3)+ “,” +(4)+ “m”

That would give you a long, site-specific password for HN alone, without a password manager: “9343oCRt,#(m”

From a single password an attacker has no clue which parts are static (repeated in all of your passwords) and which parts are variable. And even if they had, they would have no idea how you arrived at the values of those variables. Two or more leaked passwords are a different matter: the static characters line up at the same positions and the variable ones stand out, so the more of the password is variable, the less such a comparison reveals. In most cases it would probably be enough to use only two or three variable parts. But, for the paranoid, it is also possible to make the complete password variable.
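The four-step algorithm above, written out as code so each rule can be checked against the HN example, plus the comparison an attacker would make with two leaked passwords. This is an added example and not the post's own code; the function names, the way the registrable domain is cut out of the hostname, and the fallback choices for short domains and for non-letter characters are assumptions of this example.

```python
# Added example, not from the original post: the post's four-step "password
# algorithm" in code. Names (derive_password, registrable_domain, STATIC) and
# the handling of short domains and non-letter characters are assumptions.
import string

ALPHABET = string.ascii_lowercase


def registrable_domain(hostname: str) -> str:
    """Keep only the last two labels: 'news.ycombinator.com' -> 'ycombinator.com'.

    Assumption: a two-label suffix is enough for the domains used here. For an
    'example.co.uk'-style name this returns 'co.uk', a case the post does not cover.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def char_at(domain: str, index: int) -> str:
    """Index as Python does: 0 from the left, -1 from the right.

    Assumption: wrap with modulo so a domain shorter than 7 characters still
    yields a character instead of raising IndexError.
    """
    return domain[index % len(domain)]


def shift_letter(ch: str, n: int) -> str:
    """Step 2 helper: move a letter n places forward in the alphabet, wrapping
    z -> a. Non-letters ('.', '-', digits) are returned unchanged."""
    if ch not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(ch) + n) % len(ALPHABET)]


def step1(domain: str) -> str:
    """(1) domain.length * 3 - 11"""
    return str(len(domain) * 3 - 11)


def step2(domain: str) -> str:
    """(2) domain[3] + 2"""
    return shift_letter(char_at(domain, 3), 2)


def step3(domain: str) -> str:
    """(3) domain[-5].uppercase + domain[-7]"""
    return char_at(domain, -5).upper() + char_at(domain, -7)


def step4(domain: str) -> str:
    """(4) '&' for an even-length domain, '#(' for an odd-length one"""
    return "&" if len(domain) % 2 == 0 else "#("


# The fixed characters interleaved with the four variable parts, as in the post:
# "9" +(1)+ "3" +(2)+ "C" +(3)+ "," +(4)+ "m"
STATIC = ("9", "3", "C", ",", "m")


def derive_password(hostname: str) -> str:
    """Apply steps (1)-(4) to the registrable domain and interleave with STATIC."""
    domain = registrable_domain(hostname)
    variable = [step1(domain), step2(domain), step3(domain), step4(domain)]
    out = STATIC[0]
    for part, static in zip(variable, STATIC[1:]):
        out += part + static
    return out


def fixed_positions(pw_a: str, pw_b: str) -> list:
    """Positions where two derived passwords agree.

    With two leaked clear-text passwords of equal length, this is what an
    attacker sees first: the static characters line up, the variable parts
    differ. A variable part that happens to coincide (the 'o' from step 2
    below) is indistinguishable from a static one in a single comparison.
    """
    return [i for i, (a, b) in enumerate(zip(pw_a, pw_b)) if a == b]


if __name__ == "__main__":
    for host in ("news.ycombinator.com", "example.com", "github.com"):
        print(host, "->", derive_password(host))
    hn, ex = derive_password("news.ycombinator.com"), derive_password("example.com")
    print("positions shared by the first two:", fixed_positions(hn, ex))
```

For "news.ycombinator.com" the code yields “9343oCRt,#(m”, matching the worked example; for "example.com" (11 characters, odd) it yields “9223oCEp,#(m”, and comparing the two reveals positions 0, 3, 5, 8, 9, 10 and 11 as static, plus position 4 where the step-2 letter happens to be “o” in both. That is the comparison that makes a second leaked password so much more damaging than the first.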

  7. justmybloghere posted this