Deterministic per-site passwords solve password reuse without requiring you to memorize dozens of random strings. The trick is to make the algorithm:
- easy to compute mentally
- different per domain
- resistant to trivial guessing if one password leaks
Below are workable mental algorithms, followed by important caveats.
Core design principles
Any mental password algorithm should include all three:
- A private secret (never appears verbatim)
- A site-derived component (from the domain)
- A transformation (not just concatenation)
If you skip #1 or #3, the scheme becomes guessable as soon as one of its passwords is known.
Algorithm patterns that actually work
1. Domain slicing + private shift (robust, mental)
Setup (once):
- Choose a private base word: RedOak
- Choose a private number offset: +3
Per site:
- Take the domain name without the TLD: amazon.com → amazon
- Take letters 2–4: amazon → maz
- Shift each letter forward by your private offset (wrapping z → a): m→p, a→d, z→c → pdc
- Combine with base + symbol rule: RedOak!pdc
Why this works
- Bots won’t know which letters you extract
- Even knowing one password doesn’t reveal the offset; note, though, that the base word appears verbatim in the result, so the offset and the slicing rule are what carry the secrecy (see principle #1)
2. Vowel–consonant encoding (very human-friendly)
Setup:
- Private word: Birch
- Rule: vowels → numbers (a=1 e=2 i=3 o=4 u=5)
Per site:
- Domain core: github
- Extract vowels only: iu
- Encode: i=3 u=5 → 35
- Append with capitalization rule: BiRch35#
This is easy to compute and surprisingly hard to reverse.
3. Position math (low memory, high entropy)
Setup:
- Private phrase: NorthStar
- Private number: 7
Per site:
- Domain: paypal
- Count letters: 6
- Multiply: 6 × 7 = 42
- Insert into the phrase at position = first letter’s alphabet index: p = 16; NorthStar has only 9 letters, so position 16 means append at the end → NorthStar42
Looks simple, but the hidden rule is non-obvious.
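Patterns 1–3 above, carried through in code so the per-site derivations can be checked against the worked examples. This is an added example, not code from the original post; the capitalization rule for pattern 2 (upper-case the 1st and 3rd letters, Birch → BiRch) and the handling of a leading "www." are assumptions.

```python
import string

ALPHABET = string.ascii_lowercase
VOWEL_MAP = {"a": "1", "e": "2", "i": "3", "o": "4", "u": "5"}


def domain_core(hostname: str) -> str:
    """Domain name without the TLD: 'amazon.com' -> 'amazon'.
    Dropping a leading 'www.' is an assumption, not a rule from the text."""
    labels = hostname.lower().strip().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[0] if labels else ""


def shift_letters(text: str, offset: int) -> str:
    """Shift each letter forward by `offset`, wrapping z -> a; non-letters unchanged."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + offset) % 26] if c in ALPHABET else c
        for c in text
    )


def slice_and_shift(hostname: str, base: str, offset: int, symbol: str = "!") -> str:
    """Pattern 1: letters 2-4 of the core, shifted by the private offset, after base+symbol."""
    piece = shift_letters(domain_core(hostname)[1:4], offset)
    return f"{base}{symbol}{piece}"


def vowel_encode(hostname: str, word: str, suffix: str = "#") -> str:
    """Pattern 2: vowels of the core become digits, appended to the private word.
    Capitalization rule assumed: 1st and 3rd letters upper-cased (Birch -> BiRch)."""
    digits = "".join(VOWEL_MAP[c] for c in domain_core(hostname) if c in VOWEL_MAP)
    styled = "".join(ch.upper() if i in (0, 2) else ch for i, ch in enumerate(word))
    return f"{styled}{digits}{suffix}"


def position_math(hostname: str, phrase: str, number: int) -> str:
    """Pattern 3: (letter count * private number) inserted at the position given by the
    core's first letter (a=1 ... z=26); past the end of the phrase it is simply appended."""
    core = domain_core(hostname)
    product = len(core) * number
    pos = ALPHABET.index(core[0]) + 1  # paypal -> p -> 16
    return phrase[:pos] + str(product) + phrase[pos:]
```

The three calls `slice_and_shift("amazon.com", "RedOak", 3)`, `vowel_encode("github.com", "Birch")` and `position_math("paypal.com", "NorthStar", 7)` reproduce the worked results RedOak!pdc, BiRch35# and NorthStar42.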
4. Hybrid mnemonic sentence (very resistant)
Setup sentence (never typed): “My red dog eats mail at night”
Rules:
- Take the first letters of the words: mrdeman
- Replace one letter with a domain letter
- Add fixed punctuation
Example (reddit.com):
- Replace the 3rd letter with r: mrreman!
Messy-looking, human-generated, not dictionary-based.
What NOT to do
❌ BaseWord + domain
❌ BaseWord + first 3 letters
❌ Simple substitutions (a → @, o → 0)
❌ Anything reversible once one password leaks
Attackers do analyze leaked password sets for patterns.
Important reality check
Mental algorithms are better than reuse, but they are still weaker than:
- a password manager
- random 20–30 character passwords
If you ever reuse the same algorithm on:
- banking
- hosting / DNS
- admin accounts
…you are accepting real risk.
Bottom line
Yes, domain-based mental algorithms can be safe enough if:
- they include a private secret
- they transform, not append
- you assume one password will leak eventually
Passphrase generator
The following can be used to generate passphrases based on random words: