{"id":1598,"date":"2026-01-31T05:18:46","date_gmt":"2026-01-31T05:18:46","guid":{"rendered":"https:\/\/www.woodcentral.com\/-\/peter\/?p=1598"},"modified":"2026-05-24T11:28:10","modified_gmt":"2026-05-24T11:28:10","slug":"deterministic-per-site-passwords","status":"publish","type":"post","link":"https:\/\/www.woodcentral.com\/-\/peter\/deterministic-per-site-passwords\/","title":{"rendered":"Deterministic per-site passwords"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>Deterministic per-site passwords<\/strong> solve reuse without requiring memorization of dozens of random strings. The trick is to make the algorithm:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>easy to compute mentally<\/li>\n\n\n\n<li>different per domain<\/li>\n\n\n\n<li>resistant to trivial guessing if one password leaks<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Below are <strong>workable mental algorithms<\/strong>, followed by <strong>important caveats<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Core design principles<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Any mental password algorithm should include <strong>all three<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>A private secret<\/strong> (never appears verbatim)<\/li>\n\n\n\n<li><strong>A site-derived component<\/strong> (from the domain)<\/li>\n\n\n\n<li><strong>A transformation<\/strong> (not just concatenation)<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">If you skip #1 or #3, it becomes guessable once one password is known.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Algorithm patterns that actually work<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Domain slicing + private shift (robust, mental)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Setup (once):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose a private base word: <code>RedOak<\/code><\/li>\n\n\n\n<li>Choose a private number offset: <code>+3<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Per site:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Take the domain name without TLD\n<ul class=\"wp-block-list\">\n<li><code>amazon.com<\/code> \u2192 <code>amazon<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Take letters 2\u20134\n<ul class=\"wp-block-list\">\n<li><code>amazon<\/code> \u2192 <code>maz<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Shift each letter forward by your private offset\n<ul class=\"wp-block-list\">\n<li><code>m\u2192p<\/code>, <code>a\u2192d<\/code>, <code>z\u2192c<\/code> \u2192 <code>pdc<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Combine with base + symbol rule\n<ul class=\"wp-block-list\">\n<li><code>RedOak!pdc<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Why this works<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bots won\u2019t know which letters you extract<\/li>\n\n\n\n<li>Even knowing one password doesn\u2019t reveal the offset or base<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Vowel\u2013consonant encoding (very human-friendly)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Setup:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Private word: <code>Birch<\/code><\/li>\n\n\n\n<li>Rule: vowels \u2192 numbers (<code>a=1 e=2 i=3 o=4 u=5<\/code>)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Per site:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Domain core: <code>github<\/code><\/li>\n\n\n\n<li>Extract vowels only: <code>iu<\/code><\/li>\n\n\n\n<li>Encode: <code>i=3 u=5<\/code><\/li>\n\n\n\n<li>Append with capitalization rule:\n<ul class=\"wp-block-list\">\n<li><code>BiRch35#<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">This is easy to compute and surprisingly hard to reverse.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">3. Position math (low memory, high entropy)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Setup:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Private phrase: <code>NorthStar<\/code><\/li>\n\n\n\n<li>Private number: <code>7<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Per site:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Domain: <code>paypal<\/code><\/li>\n\n\n\n<li>Count letters: <code>6<\/code><\/li>\n\n\n\n<li>Multiply: <code>6 \u00d7 7 = 42<\/code><\/li>\n\n\n\n<li>Insert into phrase at position = first letter\u2019s alphabet index\n<ul class=\"wp-block-list\">\n<li><code>p = 16<\/code><\/li>\n\n\n\n<li><code>NorthStar<\/code> \u2192 <code>NorthStar42<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Looks simple, but the hidden rule is non-obvious.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Hybrid mnemonic sentence (very resistant)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Setup sentence (never typed):<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cMy red dog eats mail at night\u201d<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Rules:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Take first letters of words = <code>mrdeman<\/code><\/li>\n\n\n\n<li>Replace one letter with domain letter<\/li>\n\n\n\n<li>Add fixed punctuation<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Example (<code>reddit.com<\/code>):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Replace 3rd letter with <code>r<\/code><\/li>\n\n\n\n<li><code>mrreman!<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Messy-looking, human-generated, not dictionary-based.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What NOT to do<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u274c <code>BaseWord + domain<\/code><br>\u274c <code>BaseWord + first 3 letters<\/code><br>\u274c Simple substitutions (<code>a \u2192 @<\/code>, <code>o \u2192 0<\/code>)<br>\u274c Anything reversible once one password leaks<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers <strong>do analyze leaked password sets<\/strong> for patterns.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Important reality check<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Mental algorithms are <strong>better than reuse<\/strong>, but they are still weaker than:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a password manager<\/li>\n\n\n\n<li>random 20\u201330 character passwords<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If you ever reuse the same algorithm on:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>email<\/li>\n\n\n\n<li>banking<\/li>\n\n\n\n<li>hosting \/ DNS<\/li>\n\n\n\n<li>admin accounts<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u2026you are accepting real risk.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Bottom line<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Yes, domain-based mental algorithms <strong>can be safe enough<\/strong> if:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>they include a private secret<\/li>\n\n\n\n<li>they transform, not append<\/li>\n\n\n\n<li>you assume one password <em>will<\/em> leak eventually<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Passphrase generator<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The following can be used to generate passphrases based on random words:<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"\/?p=Passphrase_Generator\">Generate Passphrases<\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Deterministic per-site passwords solve reuse without requiring memorization of dozens of random strings. The trick is to make the algorithm: Below are workable mental algorithms, followed by important caveats. Core design principles Any mental password algorithm should include all three: If you skip #1 or #3, it becomes guessable once one password is known. 
Algorithm &#8230; <a title=\"Deterministic per-site passwords\" class=\"read-more\" href=\"https:\/\/www.woodcentral.com\/-\/peter\/deterministic-per-site-passwords\/\" aria-label=\"Read more about Deterministic per-site passwords\">Read more<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1598","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/posts\/1598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/comments?post=1598"}],"version-history":[{"count":0,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/posts\/1598\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/media?parent=1598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/categories?post=1598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.woodcentral.com\/-\/peter\/wp-json\/wp\/v2\/tags?post=1598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}