The Sandwich Password!

Firstly the disclaimer:

I’ve been umming and ahhing about whether I should write this or not for some time. My issue is ‘this’ could be helpful to some and by showing them a really easy trick they start moving away from the bad habits they have now. On the flip side I am not an expert in this area and even I can see the limitations in this approach. That said, here it is as I think continuing to build awareness cannot be a bad thing.

I hope this doesn’t apply to you!

It’s horrifying how many people use the very same password for every login. At one point in time this included me, and if you are still doing this please read on.

I was forced to change my ways.

I got ‘hacked’; ‘phished’ is probably more accurate. I wanted to buy something, so I Googled it, followed a link, added it to the cart and clicked checkout. I needed to register before I could go any further, but it said it recognised my email address. Weird, but I didn’t really give it any thought, so I tried to log in. I had two passwords at the time which together would pretty much get you into anything. I tried both with no joy. I tried clicking “reset password” but no email arrived.

I didn’t waste any more time, went back to Google, found a different website and continued on that site instead.

Anyway, I can’t be sure it was that website that was responsible but it was the only thing that came to mind when my Facebook profile started to like dozens of weird pages and other odd things started to happen across other social media platforms.

Point is I was stupid (and incredibly lucky)! Why the website, if it was the culprit, didn’t just put inputs for card details I do not know!

Over the next couple of days I had to change my password on every service I had ever used. Before, I was using just two passwords, so the idea of now having to remember dozens was a little daunting, but I knew I had to limit my exposure from any future ‘hackings’.

The Sandwich:

So many websites require a similar pattern, so I created a password format that follows it: 12 characters with some capitals, some specials, numbers etc., with a part of the website domain also tucked in there like a sandwich.

This is a simplified version of what I ended up with:
* ABC_face1234
* ABC_twit1234
* ABC_link1234

A better version (I call it the club sandwich) would look like:
* YO!fa!8_ce81
* YO!tw!8_it81
* YO!li!8_nk81

You get the idea. If someone wants to get in, this really won’t stop them for long. If they have one of your passwords in front of them they’ll probably see what you’re doing. But this isn’t really designed to stop people, but dumb robots. You see, places like pastebin (sorry pastebin) are riddled with massively long lists of hacked email-address-and-password combos which bots/scripts then run through to see what they can log in to. I’m not saying people don’t do the manual work, and I’m definitely not saying this is perfect, but it does give you a small guard against losing a master key while remaining easy to remember. An added benefit is a sort of audit trail: if one of your passwords does turn up in plain text on the web, you’ll know which service was breached.
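As an added illustration (not code from the original post), here is the sandwich and club-sandwich derivation written out, together with the audit-trail lookup described above. The fixed parts are the post’s placeholder values, and the site fragment is assumed to be the first four letters of the domain’s main label (`facebook.com` → `face`).

```python
from __future__ import annotations
from urllib.parse import urlparse

# Fixed, memorised parts of the "club sandwich". These are the placeholder
# values from the post's illustration, not anyone's real secret.
PREFIX, MIDDLE, SUFFIX = "YO!", "!8_", "81"


def site_fragment(site: str, length: int = 4) -> str:
    """Return the first `length` letters of the site's main label.

    Accepts a bare domain or a full URL: 'https://www.facebook.com/x' -> 'face'.
    """
    url = site if "//" in site else "//" + site   # urlparse needs a scheme slot
    host = (urlparse(url).hostname or site).lower()
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0][:length]


def sandwich(site: str) -> str:
    """The simple version: fixed bread around a 4-letter site filling."""
    return f"ABC_{site_fragment(site)}1234"


def club_sandwich(site: str) -> str:
    """The 'club' version: the filling is split and interleaved with fixed parts."""
    frag = site_fragment(site)
    return f"{PREFIX}{frag[:2]}{MIDDLE}{frag[2:]}{SUFFIX}"


def breached_service(leaked: str, my_sites: list[str]) -> str | None:
    """Audit trail: given a password seen in a dump, name the site it was made for."""
    for site in my_sites:
        if leaked in (sandwich(site), club_sandwich(site)):
            return site
    return None


if __name__ == "__main__":
    sites = ["facebook.com", "twitter.com", "linkedin.com"]
    for s in sites:
        print(s, sandwich(s), club_sandwich(s))
    # A constructed "leaked" value: the post's own linkedin example.
    print("leaked 'YO!li!8_nk81' came from:", breached_service("YO!li!8_nk81", sites))
```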

If you are using the same password for everything please stop. Please take this not as a direct suggestion but as inspiration and proof that having ‘unique’ passwords really does not need to be that hard.



Hi I’m Paul, Web App Developer and Co-founder of LimeNinja. Get in touch via Twitter, LinkedIn or Email.