5

I have a strong password which is a long, unfamiliar word phrase. I would like to make other accounts use a password with a similar level of complexity, but I don't like to remember so many passwords over different logins (important emails x 3, bank login x 1).

Can I replace some words of the above stated password and use it anyway? For example: aaLongDifficultPhrase, bbLongDifficultPhrase?

I would not bother trying password management software because there is only one master password which can reveal all the passwords you own. I would never write down my password.

lamwaiman1988
    There is a similar question which might be helpful to you: http://security.stackexchange.com/questions/1222/is-there-a-method-of-generating-site-specific-passwords-which-can-be-executed-i – twobeers Jul 30 '12 at 08:36
  • Your passwords are not a random combination of characters? – Quora Feans Jan 29 '16 at 13:17

4 Answers

7

This is an interesting question. A general rule in cryptography is that creating any patterns in keys or passwords is a bad idea, because patterns weaken the system. For example, in your case say you log into 10 websites using a base password of myb@s5PW, and add a password suffix on the end. Maybe for Stack Exchange you use myb@s5PWstEX, for blog site A you use myb@s5PWblSI, etc. Or maybe you use aamyb@s5PW and bbmyb@s5PW instead. Either way there is a discernible pattern, even if only one password is known.

Let us say that Stack Exchange was hacked (unknown zero-day vulnerability, nothing they could do about it), and all user passwords were obtained, including yours. I'm sure that somewhere someone is putting this information into a database, so that DB will then have your username with a password next to it. Say then the blog site was hacked the same way; then there would be two passwords linked to your username with an easily understood pattern. If someone wanted to hack one of your other accounts, all they'd have to do is make educated guesses based on the pattern. You could make this more difficult by making your patterns more complex, but it's so easy to brute-force all combinations of myb@s5PW that no amount of complexity is going to make that strong. In fact it wouldn't be a stretch for an attacker to figure out your pattern even with one example, if they were looking for it, that is, but it's unlikely one would try unless they were targeting you specifically.

So from a pure code-breaking perspective it's a bad idea, but like so many other things in security that's not the only factor. The fact is that most people use the same password for multiple sites with no variation at all, so a hacker who gains the password for one site will in many cases get access to loads of other sites. Why would a hacker go through the trouble of looking for patterns when they potentially have millions of user accounts to tap with no work whatsoever? Only if they are targeting you specifically would you need to worry about that.

Add to that the issue of remembering multiple complex passwords. Unless you are Rain Man you would never be able to memorize 40 strong passwords, so having a base password system that makes sense to you but would take some work to figure out is a workable solution for today's authentication issues.

As for keeping them all straight, write them down and keep them in a locked desk at work or in a locked drawer at home. Seriously, the vast majority of people who are trying to gain your passwords are probably halfway across the world from you; who is going to break into your home or work to gain the passwords to your Stack Exchange account?

This is an approach based on someone with an average level of risk. If you do know someone who might break into your home in order to gain your passwords then using any sort of pattern in your passwords is a bad idea.

GdD
  • Nice answer, although there are many more scenarios (and probably more likely ones) than 2 remote systems being compromised / reconciled – symcbean Jul 30 '12 at 12:00
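The attacker's side of the scheme described in the answer above, as an added example that is not part of the original answer or the thread. Given two or more leaked (site, password) pairs for one user, it recovers the shared base, works out whether the per-site part is a prefix or suffix, tests a small set of site-name rules against it, and either generates guesses for a new site or reports how small the remaining search space is. All sample passwords and site names are constructed for illustration; the rule set, the `PRINTABLE` alphabet size and the function names are hypothetical choices made here.

```python
"""
Added example (not from the original answer): inferring a "base password
plus site-specific affix" pattern from leaked passwords.
"""
from difflib import SequenceMatcher
from itertools import product

PRINTABLE = 98  # rough printable-keyboard alphabet size, as assumed later in the thread


def _words(site: str) -> list:
    return site.lower().split()


def _two_lower_two_upper(site: str) -> str:
    # The style used in the answer: "stack exchange" -> "stEX", "blog site" -> "blSI",
    # and for a one-word site "gmail" -> "gmAI".
    w = _words(site)
    if len(w) > 1:
        return w[0][:2] + w[1][:2].upper()
    return w[0][:2] + w[0][2:4].upper()


# Hypothetical rules an attacker would try: each maps a site name to an affix.
RULES = {
    "first2": lambda s: "".join(_words(s))[:2],
    "first3": lambda s: "".join(_words(s))[:3],
    "first4": lambda s: "".join(_words(s))[:4],
    "initials": lambda s: "".join(w[0] for w in _words(s)),
    "first2_upper": lambda s: "".join(_words(s))[:2].upper(),
    "2lo_2up": _two_lower_two_upper,
}


def shared_base(passwords):
    """Longest substring common to every leaked password (the reused base)."""
    base = passwords[0]
    for pw in passwords[1:]:
        m = SequenceMatcher(None, base, pw).find_longest_match(0, len(base), 0, len(pw))
        base = base[m.a:m.a + m.size]
    return base


def infer_pattern(leaks):
    """leaks: list of (site, password) pairs. Returns the base, the rules that
    explain each affix slot, and the observed affix length per slot."""
    base = shared_base([pw for _, pw in leaks])
    slots = {"prefix": [], "suffix": []}
    for site, pw in leaks:
        i = pw.find(base)
        slots["prefix"].append((site, pw[:i]))
        slots["suffix"].append((site, pw[i + len(base):]))
    rules, lengths = {}, {}
    for slot, pairs in slots.items():
        affixes = [a for _, a in pairs]
        lengths[slot] = max(len(a) for a in affixes)
        if all(a == "" for a in affixes):
            rules[slot] = ["none"]          # nothing to guess on this side
            continue
        rules[slot] = [name for name, f in RULES.items()
                       if all(f(site) == affix for site, affix in pairs)]
    return {"base": base, "rules": rules, "affix_len": lengths}


def guess_passwords(leaks, new_site):
    """Candidate passwords for new_site; empty if some slot has no matching rule."""
    p = infer_pattern(leaks)
    per_slot = []
    for slot in ("prefix", "suffix"):
        names = p["rules"][slot]
        if not names:
            return []
        per_slot.append([""] if names == ["none"] else [RULES[n](new_site) for n in names])
    return sorted({pre + p["base"] + suf for pre, suf in product(*per_slot)})


def residual_keyspace(leaks):
    """Upper bound on guesses left once the base is known but no site rule
    explains an affix: every unexplained character is brute-forced."""
    p = infer_pattern(leaks)
    unexplained = sum(p["affix_len"][s] for s in ("prefix", "suffix") if not p["rules"][s])
    return PRINTABLE ** unexplained


# Constructed leaks in the style of the answer (site-derived suffix).
LEAKS_SITE_RULE = [("stack exchange", "myb@s5PWstEX"), ("blog site", "myb@s5PWblSI")]
# Constructed leaks in the style of the question (opaque two-letter prefix).
LEAKS_OPAQUE = [("stack exchange", "aaLongDifficultPhrase"), ("gmail", "bbLongDifficultPhrase")]

if __name__ == "__main__":
    print(infer_pattern(LEAKS_SITE_RULE))
    print(guess_passwords(LEAKS_SITE_RULE, "gmail"))
    print(infer_pattern(LEAKS_OPAQUE), residual_keyspace(LEAKS_OPAQUE))
```

Run stand-alone, the first pair yields the base `myb@s5PW` and the single guess `myb@s5PWgmAI` for a hypothetical third site; the second pair yields no rule-based guess, but the 19-character base is recovered and only 98^2 = 9604 candidates remain for the two unexplained prefix characters, which is the point the answer makes about brute-forcing the rest.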
3

IF a skilled attacker concentrates his efforts on only you, and IF he manages to compromise the password of one of the accounts you own, then yes, he could potentially compromise all the other accounts you own by trying a variation of the password he compromised.

However, how likely is that unless your passwords unlock millions of dollars or valuable top secret documents?

With the current techniques of cracking passwords - database dump, crack 80% of the passwords in the database using dictionary attacks - I would say it is safe.

If the password is sufficiently long and complex, even the compromised password hash might not be easily cracked.

  • +1 because unexplained downvoting is bad for the community, and I don't see anything particularly wrong about this answer. – Polynomial Jul 30 '12 at 08:24
3

If an attacker gets access to your password in plaintext, e.g. through a website storing passwords as plain text, or by breaking hashes (pretty easy on a GPU), he could probably deduce any scheme involving the site name, e.g. "stackRealPassword", "gmailRealPassword", "bankRealPassword".

I think you've misunderstood the security model of password managers. If you choose a single strong unique password and memorise it, then you're safe as long as the password manager is secure and the password you chose is secret and unique. The key derivation function used in them is slow enough to completely prevent bruteforcing. I personally suggest KeePass, since the key derivation function can be tweaked (i.e. iteration count changed) to fit your own personal security requirements.

Polynomial
  • When you said "the password manager is secure", what do you mean? Do you mean the internal algorithm or the access of the password manager itself physically? – lamwaiman1988 Jul 30 '12 at 09:07
  • Algorithm, plus the fact that gaining local access to the password manager is unlikely. Even if they did have physical access, KeePass requires the password to be entered again if you've not opened it in the last few minutes, and that timeout can be customised. Combine this with a policy of locking your workstation when you leave it, and you'll be more than safe enough. – Polynomial Jul 30 '12 at 09:09
  • "_by breaking hashes (pretty easy on a GPU),_" Not "pretty easy". He said his password was very strong. – curiousguy Jul 30 '12 at 13:48
  • @curiousguy 45 billion hashes per second strong? – Polynomial Jul 30 '12 at 14:03
  • @Polynomial 45 billion hash/sec on even a salted SHA1 is still a [really long time](http://www.wolframalpha.com/input/?i=2%5E160+%2F+45000000000+%2F+60+%2F+60+%2F+24+%2F+365+years). – pdubs Jul 30 '12 at 14:40
  • @pdubs Your calculation assumes, falsely, that the keyspace is `2^160`. In reality it'll be more like `98^(n+1)` where `n` is the maximum password length, since there are roughly 98 printable characters on a standard QWERTY keyboard. For a ten character password, you're looking at ~60 years. Perfectly feasible. For longer passwords, it gets much more implausible, so you have a point there. – Polynomial Jul 30 '12 at 15:08
  • @Polynomial My point was more that brute-forcing even a relatively fast hash isn't a trivial endeavor (at least financially). Passwords should be changed at a period shorter than 60 years anyways. – pdubs Jul 30 '12 at 15:17
  • @pdubs Just because you choose good passwords doesn't mean everyone does. The trick is to choose a scheme that protects the highest percentage of your users. – Polynomial Jul 30 '12 at 15:22
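The arithmetic behind the comment exchange above, as an added example that is not from the original answer, the commenters or KeePass. It compares the worst-case search time against a fast hash at the 45 billion guesses per second quoted in the thread with the time against a password-manager style slow KDF, where each guess costs a full PBKDF2 derivation, and shows what a tunable iteration count is worth in equivalent password characters. The alphabet size and GPU rate are the thread's figures, the iteration count, salt and master password are hypothetical values chosen here, and PBKDF2-HMAC-SHA256 stands in for whichever KDF a particular manager uses.

```python
"""
Added example (not from the original answer): brute-force time versus
password length, with and without a slow key derivation function.
"""
import hashlib
import math

ALPHABET = 98                   # printable keyboard characters, per the comment above
GPU_RATE = 45e9                 # fast-hash guesses per second, per the comment above
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """Number of passwords of exactly `length` characters over `alphabet`."""
    return alphabet ** length


def years_to_exhaust(length: int, rate: float, iterations: int = 1) -> float:
    """Worst-case years to try every password of `length` characters when each
    guess costs `iterations` hash computations (iterations=1 is a plain hash)."""
    guesses_per_second = rate / iterations
    return keyspace(length) / guesses_per_second / SECONDS_PER_YEAR


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the kind of slow, tunable KDF a password manager
    puts between the master password and the database key. Raising
    `iterations` raises the attacker's per-guess cost by the same factor."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def equivalent_length_gain(iterations: int, alphabet: int = ALPHABET) -> float:
    """How many extra password characters an iteration count is worth:
    alphabet ** gain == iterations."""
    return math.log(iterations, alphabet)


if __name__ == "__main__":
    ITERS = 600_000                       # hypothetical iteration count
    SALT = b"constructed-salt"            # constructed, not a real vault salt
    print(f"{'len':>3} {'fast hash (years)':>20} {'PBKDF2 x{ITERS} (years)':>26}")
    for n in (8, 10, 12, 16):
        print(f"{n:>3} {years_to_exhaust(n, GPU_RATE):>20.3g} "
              f"{years_to_exhaust(n, GPU_RATE, ITERS):>26.3g}")
    print(f"{ITERS} iterations ~ {equivalent_length_gain(ITERS):.2f} extra characters")
    print("vault key:", derive_vault_key("hypothetical master phrase", SALT, ITERS).hex())
```

With the thread's figures, a 10-character password against a plain hash falls in the ~60-year range the comment gives, while the same password behind 600,000 PBKDF2 iterations moves into tens of millions of years; the iteration count is worth just under three extra characters of a 98-symbol alphabet. Two more characters (12 instead of 10) multiply the fast-hash time by 98^2 = 9604, which is why the commenters agree the outcome hinges on length.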
1

Regardless of the strength of your password, I suggest it's not that safe to keep the same password for all your accounts, because although your password may be strong, if any breach occurs in a site for which you are signed up then it's not at all an issue with the strength of your password. So maintain slight differences between your passwords which no one other than you can guess. Likewise the phrases you mentioned are safe enough as well as easy to remember.

Krish23 (edited by Rory Alsop)