Are algorithmically-generated personal passwords a security risk?

Question

We all know why password reuse is bad: eventually some site at which you have an account that did not properly hash+salt user passwords will get hacked, and your password will be published in a big dump. Then some hackers will take that user/pass combination and try it on every site they think that can get something useful from.

I know that password managers are the recommended solution to having a unique totally random password for every site. But they are not completely without their own difficulties, and especially trying to persuade non-technical people to use them may be difficult. Instead, as a minimal alternative to shared passwords, one might have a simple algorithm to generate unique passwords from a shared random component. A minimal example might be <sitename>_<good random password>. So my passwords might be

stackoverflow_rm6Z0$f237db^DGYU3r 
google_rm6Z0$f237db^DGYU3r

etc, where the second part is shared. Now, any idiot actually trying to hack me specifically could probably guess my algorithm even knowing only one password, and trivially if they got ahold of two, so if I were for some reason a high-profile target this would be a bad plan. But if anyone wanted to hack me, I'm probably in trouble no matter what I do. Assuming I'm not a high profile target, it seems to me a simple algorithm like this would protect me from the majority of password-reuse dangers, because no human will ever see my password specifically.

So really I'm asking, is this reasoning flawed? Is this kind of algorithmically-generated password actually any safer than exact password reuse? Or are password dumps used differently than I have in mind? The accepted answer to this question suggests that varied passwords are only useful if it is hashed, but to me it seems that a hacker having the cleartext password doesn't help them.

I agree this is fundamentally security-by-obscurity, but maybe security-by-anonymity would be a better title. My password would be one of a million in a big dump, with essentially zero chance that any human would ever actually see mine.

the question (edited to be more explicit):

Assume that:

• An average person (not a high profile target for hackers) uses an algorithm to generate unique site passwords.
• The algorithm is extremely simple, so that a human could guess the algorithm given even a single password
• One or more of those passwords have been obtained by hackers

Is this person any less likely to be hacked on other sites than a person who uses the same password on every site? If not, is it because

• There is a reasonable chance that a human will actually look at this password?
• Attackers already look for some kinds of algorithmically-generated passwords?
• Some other reason?

Note:

Many have pointed out that using a password manager is a better idea. In particular ThoriumBR and others point out that this scheme is unsustainable, because once I need to change one of the passwords, I now have to change my algorithm.

These are very good points, but not what I am hoping to learn from this question.

Answer 1

The main issue with a "password generation algorithm" is that the passwords are fixed. You cannot change a single leaked password without changing the algorithm, thus changing every password.

To avoid that, you had to record somewhere the sites using the first version, the ones using the second one (because the password generated by the first leaked), the sites using another one because the algorithm generated a password unacceptable by some site, and so on.

And some sites require you to change your password from time to time. So you would have to take that into account, and record more and more information just to keep in pace with the state of the passwords. And for that, you would need a secure data storage, with encryption, a backup process, something easy to use and easy to be integrated on your online routine.

Losing any of those records would lock you out, and create an Availability Compromise. Leaking it in plaintext would create a Confidentiality Compromise. Corrupting (or forgetting) any of it would create an Integrity Compromise. You need some software specially created for secure storage.

Something like... a password manager.

Answer 2

ThoriumBR already covered the issue you will face with keeping track of your algorithmic passwords. But focusing on the presented issue:

• you are using an algorithm obvious to anyone which sees even one password
• you don't expect to be targeted individually

The news is, it is not enough not to be important. Attackers won't care. They will compromise anyone they come across. If they have bigger fish at the moment, they may not pay more attention to you for now. Or they could resell you to others.

How they could use your password?

• they could dump the accounts for a site which didn't even hash their passwords. In 2020.
• you provided those credentials on a phishing site
• you registered on an evil website

Literally, what sets you apart from those that used the same password for the compromised account and other sites (which we can expect will be probed first) is just the criminal paying attention and reading your password.

If they extracted just a few dozens of credentials, you can count they will look at them. whereas if they extracted several thousands, and have plenty of working ones, they may not bother. Also note there may be several "recipients" of those credentials. The attacker that extracted them may just sell the list to a different one, which could exploit some of them, classify (depending on the user has an account at, if they were able to crack the password or not, etc.) and resell by pieces. Another one could buy it… It could as well be mixed into a combo with other compromises, reappear years later… And you are betting that at every step nobody realizes. (This would be a bit better if they were rotated periodically, but given the scenario, this it won't be the case)

Are easy-to-guess password generation algorithms any better than exact password reuse for your average user?

If you only care if they are any better, yes, they will be slightly better than repeating the exact same password. But as already mentioned multiple times in this page, use a password manager. Don't close your door with a string just because it's better than a piece of paper saying "please don't enter".

If using a password manager is hard, that is an UI issue, that should be approached and fixed, but that's not a technical problem. Note there are many password managers, some of them commercial. There is room or password managers to "fix their ways" and be even more accessible. still, I would consider learning to use a password manager simpler than having to memorize rm6Z0$f237db^DGYU3r.

If using a password manager software is still too hard (old people, perhaps), despite instructions, having a hard-copy manual, etc. I would suggest using a physical password manager. Simply provide a notebook with already filled random passwords (to sidestep the lack of a proper built-in password generator), and space to input the details on which site it is, username…. It could be organized chronologically or as an address book.

If your threat model does not include physical attackers, this is a perfectly fine solution. And being low-level, it should be simple to learn using.

Answer 3

You seem to think that only a human could figure out your scheme, and that's not necessarily true. Attackers won't just reuse the exact passwords they found, they can also come up with all kinds of tricks, and reverse them.

So let's take your algorithm as an example, and say stackoverflow_rm6Z0$f237db^DGYU3r gets leaked. If I were an attacker, and got a list of all SO-passwords, I'd not only try every password on other sites, I'd also analyze the passwords. So I'd pay attanetion to every password that includes stackoverflow, so, stack, kcats, wolfrevokcats, dysvlpbrtg;pe (that's stackoverflow, but using one key to the right), etc.

So your example would quickly get caught. The attacker probably wouldn't even have to look at you password personally, and a script would be enough to also try out google_rm6Z0$f237db^DGYU3r for a Google-account.

Sure, the password-trying-script needs to be a little more complicated than the version that only tries the exact passwords, but still not terribly hard to write.

Only if you manage to come up with some algorithm that is more complicated than what a hacker could come up with and include in a script, does it add any more security than simple exact reuse.

In addition, if two of your passwords get leaked, the hacking becomes even more trivial. If a script can figure out that two passwords belong to the same person, it's very simple to check them for any similarities, and the space of possible other passwords gets a lot smaller. The attacker needn't even figure out the exact algorithm, just know the common part.

Answer 4

This person is not any less likely to be compromised than someone who uses the same password of equivalent strength on every site. Here's why.

When attackers compromise a site, they can often obtain plaintext credentials. Maybe that's because the passwords weren't hashed, or they exploited a vulnerability in the site and extracted data for a while while the site was running. So while you can't assume all your passwords are compromised, you have to assume that one or more of your passwords will be compromised sooner or later.

As soon as that happens, you have to assume that the attacker knows the plaintext of the password. When that happens, the attacker can and will try variations on the password. Because this password is essentially a theme and variations, it's really likely to fall to a brute force attack, since the attacker is going to try replacing components (like stackoverflow) with other components. That's a standard approach to brute forcing and there are already tools that do this because it works. They will also try incrementing numbers, shifting letters up or down in various ways, and a wide variety of other techniques.

Additionally, even if you think you aren't that important, think about stuff you have that is. If an attacker can guess your bank or other financial institution password, they can probably make off with most if not all of your money. Compromised accounts on sites like StackOverflow can be used as bots to vote posts up or down, which is a commodity that can be sold. An attacker will totally be willing to try different patterns if it means that they can exploit your account to make themselves a few more bucks.

Here's the rule: in order for a password scheme to be secure, knowing one password generated by the scheme must teach you absolutely nothing about any other password.

Now, there is an approach that you could take that would be secure. You could generate a single, strong, cryptographically secure password with 128 bits of entropy and use it as an HMAC key (e.g., with HMAC-SHA-256), with the message being something like 1:stackoverflow (the first password for Stack Overflow), then use an encoded form of that HMAC value as the password for the site. Because these HMAC values are independent and indistinguishable from random, this is secure, provided you properly secure the key and the key is generated randomly with enough entropy.

However, as others have pointed out, different sites have different password policies. So while the approach above is robust and secure, it's practically inconvenient because many sites handle passwords insecurely and therefore have length or content restrictions. I do business with companies that restrict passwords to 20 characters or less, so many passphrases and long random strings are out. This scheme also requires easy access to cryptographic algorithms, which makes it unsuitable for most nontechnical users. So for all of these reasons, we use password managers. They provide the best trade-off between usability and security given the limitations of the real world.

Answer 5

NB: This answer assumes that the <good random password> component is different for each password, which turns out not to match the OP's scenario.

In the case you've presented, your password <sitename>_<good random password> will be exactly as secure as <good random password>. If that component of the password string meets your security requirements, then the whole password does. The <sitename>_ bit just serves as a "tag" to help identify the password; and it might help a non-technical user feel more in control of the other, legitimately random component.

As you said, the scheme surrounding the presumably good, random bit adds only a minuscule amount of additional entropy, because it's very easy to guess the scheme — even without seeing any of your passwords. It's probably one of the 20 or so easiest-to-think-of schemes that are available, so you can bet that real attackers and users are using it, right now.

Once the scheme is identified, the _ adds maybe another bit or two of entropy: an attacker could anticipate it to be one of a few common separator characters, including -*:; ,/. — again, not a significant source of entropy.

However, one unfortunate obstacle is that many websites restrict the maximum length of a password. By having an easily guessable component, you are needlessly restricting the security of your password even further than this misguided website. You either have to abbreviate/omit the name, or use a not-so-good random password.

Brick-and-mortar banks are especially bad at this, making this scheme unusable for some of the most important passwords a person has to keep track of. Asking a non-technical user to believe this is safe "for everything except banks" might be a hard sell; but it also inconveniences them to need a separate password scheme for the accounts that matter most to them.

Answer 6

<sitename>_<good random password> will provide some more protection than reusing <good random password>, but it doesn't provide that much protection.

Let's look at some possible attacks:

1. Trying exact leaked passwords on other sites.

   You're not vulnerable to this one.

   I expect this is the most common attack, as it's the easiest and there are plenty of people who reuse passwords. But there are a few other attacks I can think of below.

2. Browsing leaked passwords and spotting yours.

   I'm willing to bet that a decent number of hackers just browse leaked passwords occasionally to try to spot patterns and come up with attack strategies.

   It may not be super likely that they'd see your password specifically, but, if they do, they'd have a pretty good guess as to which password you're using on another site (especially if multiple of your passwords have leaked).

3. Trying to find patterns in passwords of the same user (not targeted).

   One can, for example, run a basic string similarity algorithm on all passwords with the same email address and then manually check any that have a strong similarity.

   In your case, this would almost instantly tell them what your passwords on other sites would be.

   They could also just look for "*sitename*" to find you.

   You'd be pretty vulnerable to this one.

4. Targeted by a skilled hacker.

   You'd be vulnerable to this, but, as you say, this probably isn't going to happen, since you're not a high profile target, and you're probably not going to be able to protect yourself from this to any significant degree if it does happen.

   But "I'm vulnerable no matter what" is not really a good excuse to not even bother trying to protect yourself, especially if it doesn't add much of a cost to you.

5. Targeted by more of a casual hacker.

   Maybe your vengeful ex is a hobbyist hacker knows a bit about computers or you said something online that triggered some hacker who has nothing better to do.

   These are probably going to be far from the best-of-the-best hackers, but you can assume a basic competence, at least.

   As long as they have your email address, you'd be pretty vulnerable to this.

   As jpaugh points out, this would also apply if you intentionally share one or more of your passwords with your partner or someone close to you (which you really shouldn't do, but it happens sometimes). Ideally you'd change any password before sharing it, but then you're back to needing to use multiple passwords.

Answer 7

As you are aware that re-using the same password for multiple unrelated sites is a poor security practice, you are on the right path to reach a better security world...

But only using a simple deterministic algorithm to build your passwords leaves you half the way. Just dare do the next step and choose a good password manager (Keepass is one) that will be able to generate a new random password for each and every new site. You will get good passwords for any site, and you will only have to remember one single master password.

That way, if one password is compromissed, there will be no way to guess any other password. Of course, the downside is that you will now have to protect the password vault with a good master password, and do your best to prevent possible attackers to access either the master password or the vault.