Password Management

Password management is a pain. Ideally we would not still be using passwords. Fortunately we are headed in the direction of easier-to-use and more secure authentication with FIDO/Web Authentication, now supported in all current major browsers and in many mobile devices and laptops.

Until sites replace password authentication with Web authentication we will still need to manage passwords. Even in a world of Web authentication it may be common to use passwords as a backup authentication mechanism. So here are some password management ideas.

Caveat: I am not a security expert. I am simply gathering some ideas I have encountered.

1. Goals

Here are a few user experience goals to improve password management:

We also have some security goals:

Below we look at how to achieve both security and usability goals:

For some situations where you cannot have both, I would favor security.

2. Computation of Secure Passwords

If you compute your secure password when you need it, you don't have to memorize it or write it down. If you compute your password using the right tools, it will also satisfy our security goals of being unique for each site and complex. Because there are many tools for doing these computations, you don't have to rely on any single tool.

Here's one approach for creating a secure password:

In summary, the above password formula combines these parts:

  1. One or more uppercase letters (e.g., your initials so they are easy to remember).
  2. The first 8 characters of the SHA3 hash of "key@domain". The "domain" part changes for every site (e.g., happycat.org). The "key" part is your secret, which you reuse for all your passwords. Don't write it down!
  3. One special character (not a letter or number). Note: Some sites (unhelpfully) limit which special characters you can use. I don't have guidance on which ones are commonly accepted.

Using the formula consistently will make it easier to remember. It is something of a pain to type your information into a hash calculator, then add the other bits at the beginning and end, especially on a small screen. See below for storing these passwords for convenience in some cases.

Note: A colleague has created a password generator that produces results very similar to the above formula. Like the formula above, it uses a varying piece of information (e.g., the domain name) and a consistent piece of information (our secret key) as inputs. It generates passwords that likely conform to the requirements of most sites since they include a mix of uppercase letters, lowercase letters, numbers, and special characters.

Deviations from the Formula

It is pretty easy to memorize a single formula such as the one above. However, in several situations, the formula is not sufficient:

If you want to use a password manager for these situations, you won't have to remember that the password for this site does not follow the formula.

But if you don't want to use a password manager, you'll need to keep track of the fact that your password is not "standard" for this site. Instead of writing down your password, I recommend using the formula and writing down only how you deviated. For example, if you computed your first password with happycat.org, you can compute the next one with happycat2.org. In this case you would write a note to yourself: "On November 17 I changed my password for happycat.org. The password uses the usual formula except with domain happycat2.org". Remember, don't write down your secret key!
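The following is an added example, not the author's own code or the colleague's generator mentioned above. It implements the three-part formula from section 2 (uppercase initials, the first 8 hex characters of SHA3-512 of "key@domain", one special character) and the deviation notes just described: the notes record only which domain string was used for a site, never the secret key. The function and parameter names, the initials "AB", the special character "!" and the secret "k" are all constructed for the example.

```python
import hashlib

# Added example (not the page's own code). Assumed names: `key` is the reused
# secret, `domain` is the per-site string, `initials` the uppercase part and
# `special` the trailing non-alphanumeric character. Sample values are constructed.


def hash_part(key: str, domain: str, length: int = 8) -> str:
    """First `length` hex characters of SHA3-512("key@domain"), i.e. what a
    hash calculator shows (lowercase hex), as in step 2 of the formula."""
    digest = hashlib.sha3_512(f"{key}@{domain}".encode("utf-8")).hexdigest()
    return digest[:length]


def formula_password(key: str, domain: str,
                     initials: str = "AB", special: str = "!") -> str:
    """Assemble the three parts: initials + hash prefix + special character."""
    if not (initials.isalpha() and initials.isupper()):
        raise ValueError("initials must be one or more uppercase letters")
    if len(special) != 1 or special.isalnum():
        raise ValueError("special must be a single non-alphanumeric character")
    return initials + hash_part(key, domain) + special


# Deviation notes, the "write down only how you deviated" idea: map a site to
# the domain string actually fed into the formula. Constructed entry: the
# happycat.org password was rotated by hashing with "happycat2.org" instead.
# No secret key appears here, so the note can live on a phone or the Web.
DEVIATION_NOTES = {
    "happycat.org": "happycat2.org",
}


def password_for_site(key: str, site: str, notes=None, **parts) -> str:
    """Apply the formula for `site`, substituting the recorded domain string
    when the site has a deviation note; otherwise the site name is the domain."""
    notes = DEVIATION_NOTES if notes is None else notes
    return formula_password(key, notes.get(site, site), **parts)


def character_classes(password: str) -> dict:
    """Report which character classes a password contains. Hex digits are
    0-9 and a-f, so an 8-character prefix made only of digits (roughly a 2%
    chance) leaves the password without lowercase letters, which some sites
    reject; this check makes that case visible before the password is set."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }


if __name__ == "__main__":
    for site in ("happycat.org", "example.org"):
        pw = password_for_site("k", site)
        print(site, pw, character_classes(pw))
```

hashlib.sha3_512 implements the standardised (FIPS 202) SHA3-512; a calculator that actually implements the pre-standard Keccak-512 produces a different digest, so it is worth comparing the first eight characters from a new calculator against this function once before relying on it.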

If you write this type of note, you want to make sure you can find it wherever you may be. You might consider storing this information on your phone and/or on the Web. This is somewhat inconvenient, but preserves the security of your passwords.

Hash Calculators

Hash calculators are widely available as mobile apps and Web sites. They should all produce the same results. Here are a few examples that support SHA3 (with output size 512); I'm not endorsing them, just providing some examples:

Notes:

3. Storage with a Password Manager

A password manager improves usability. The password manager is a vault, protected by a primary password. It helps achieve our initial goals as follows:

It is easy to find information on password managers (e.g., this article Before you use a password manager).

You can find password manager apps that run on your phone or computer. In addition, your browser and operating system may also act as password managers:

Remember, when you store your passwords, other people who can access your browser will be able to use them to log in to Web sites. Consider locking your computer or phone so that it can only be unlocked with biometrics or a password.

If you are not comfortable storing passwords for some sites, just recompute them as needed.

4. More on Creating Secure Passwords

5. Acknowledgments

I'd like to thank Dan Connolly for teaching me the first iteration of this approach!


Ian Jacobs, November 2020