I have come across many users who maintain a re-used password for each and every website, such as P@ssw0rd123.

The problem with this approach is that if someone breaches the protections of a particular website, then the user's security will be in vain.

Many websites still store passwords in the database in an unencrypted format. Suppose I have access to the database of a particular website. Then I can steal the username and password and just imagine the havoc that I can create with the users who re-use passwords for every website/portal/platform.

How to solve this problem? What algorithm should a user who has no knowledge of security or other technical matters follow to maintain passwords for different websites/portals?

This question is intended for general-purpose users who don't have any knowledge of security, so tools like a password card, a password manager or hash tools are not going to solve the problem.

Instead, how about having a password like

domain_name + combination of unique keywords per website + unique special characters per website ?

Pawan Patil
    My grandmother uses a password manager and knows nothing about security. It ***IS*** the answer. – schroeder Nov 12 '18 at 12:42
  • The duplicates answer you. The problem is that if the password with an obvious pattern is stolen, then you can easily guess every password the user has. – schroeder Nov 12 '18 at 12:43
  • Since this question specifically says do not say password manager, simply advising people on algorithms to tweak passwords leaves them susceptible to the wide libraries of password mutation algorithms that are designed to target this. I remember reading a paper a while back talking about how long memorable sentences are one of the only targets that are impractical for cracking algorithms to waste their time on. So maybe advise something more in that direction? – codykochmann Nov 12 '18 at 12:53

2 Answers

There are different mitigations suggested, for example PasswordCard, some hints on how to extend your password with the site name, or even hash tools.

But the only best practice is to use a password manager with a strong master password and generate random passwords for each site.

Josef
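To make the "generate random passwords for each site" advice concrete, here is an added example (not code from either answer or from any password manager) of how a manager draws per-site passwords from a CSPRNG, how much entropy that gives, and why the pattern scheme from the question collapses after a single leak. The alphabet and the `shared_secret` model are my assumptions.

```python
import math
import secrets
import string

# Character set a manager typically offers (assumption: letters, digits, symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw a password from the OS CSPRNG via `secrets`.

    Rejection sampling (retry the whole string) keeps every position uniform
    while still satisfying common 'letter + digit + symbol' complexity rules.
    """
    if length < 4:
        raise ValueError("too short to hold every required character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def bits_left_after_one_leak(n_sites: int, per_site_bits: float,
                             shared_secret: bool) -> float:
    """Guessing work that remains for the other n_sites - 1 accounts once one
    site's plaintext password has leaked.

    shared_secret=True models the question's scheme: the domain name is public
    and the keyword/symbol part is identical for every site, so the leak reveals
    the only secret part and nothing is left to guess.
    shared_secret=False models independent random passwords per site.
    """
    if n_sites < 1:
        raise ValueError("need at least one site")
    if shared_secret:
        return 0.0
    return (n_sites - 1) * per_site_bits
```

With 94 symbols, a 20-character random password carries about 131 bits, and with ten such accounts a leak of one leaves roughly 1179 bits of independent work for the rest, versus zero for the pattern scheme.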

As @josef already mentioned, the best solution is to use a password manager and generate a random password for every account.

Here are a few best practices regarding the use of e.g. KeePass:

  1. Make sure you choose a very good master password. This is crucial, since a compromise of your password manager would lead to a compromise of every account stored in the password manager's database! This password should not be written down, except - depending on your threat model - on a single piece of paper you keep in a safe deposit box (for your family in case of your death etc.)
  2. Use multi-factor authentication when feasible. KeePass, for example, supports Yubikey, key files etc.
  3. Segregate your password manager databases. E.g. have one "high security" database (may contain banking details etc.) and a "medium security" database (may contain social media logins etc.). This can also be extended to store a very secure, randomly generated password for the high-security database in your medium security database.
  4. Backup and test-restore your backups! If your database gets corrupted, you'll be locked out of every account stored in the password manager's database!
  5. Do not leave your password manager's database unlocked longer than necessary. Scripts like PowerSploit contain modules that specifically look for unlocked KeePass files.
  6. Keep your systems safe, up to date and clean. A compromised system leads to a compromised password database, which leads to a compromise of every account stored in the password manager's database!
schroeder
SeeYouInDisneyland