I was thinking about password security this morning. Mainly, about the recent adobe hack releasing thousands of passwords.

The current problem with existing passwords is that you have three options:

  • Use the same password on every site
  • Use a few passwords for different sites (bank accounts, game websites/accounts, email, etc. all get one)
  • Get a program such as LastPass, which must be installed on every computer you want to use to log in to a website.

The first two are very insecure but easy to remember. The third is very secure, however inconvenient, because you can't use it on, say, a public computer. This basically locks you out of any computer that you don't have install permissions on.

So I thought of this idea:

  • Start with a secure base, like fWi3$aLj that will be used on every website
  • Add the first three letters of the URL to the end of it, so that every website gets its own password
  • Add a 1 for .com, 2 for .net, 3 for .org and a 4 for anything else to the very end
  • For example this website's password (with the above secure base) would be fWi3$aLjsec1.

Pros:

  • Every website gets its own password (except in rare cases, but then the password will be applicable to very few other websites)
  • It's a very secure password, as you only have to worry about remembering one, so you can make it very complex (because you won't have to remember a new one for every website)
  • If a database is leaked or your password is found in any other way you only have to worry about changing the password to that website
  • You don't have to remember multiple passwords
  • Unless you tell someone, there's no way for anyone to figure out you're doing it
  • You don't need any special software or anything

So I was wondering if there are any downsides to doing this. I just came up with it today; however, I think I may go and change my passwords if there are no downsides.

user34311

  • I run into this suggestion quite often. Depending on the URL, it might be easy for an attacker to decipher your scheme. This is more secure than using the same password, but that's about it. – David Houde Nov 17 '13 at 07:03
  • You don't have to install LastPass - you can access login details via the website (you could use your mobile for extra security) and there's a smartphone app. Using this method would be much more secure than inventing your own password convention that could be deciphered. – SilverlightFox Nov 18 '13 at 10:23
  • Your secure base reminds me of this: http://xkcd.com/936/ – Martin Thoma Nov 18 '13 at 22:03

5 Answers

One password is strong. But where it would fail spectacularly is if the hacker cross-referenced your user ID between two different hacked sites.

Site           UserID               Password
-------------  -------------------  ------------
Adobe          user34311@gmail.com  fWi3$aLjado1
Sony           user34311@gmail.com  fWi3$aLjson1

The similarities suggest a simple test. Use google to find a user34311 somewhere on the web:

stackexchange  user34311@gmail.com  fWi3$aLjsta1

And the success leads to aiming for a payout:

Citibank       user34311@gmail.com  fWi3$aLjcit1
Chase          user34311@gmail.com  fWi3$aLjcha1
Wells Fargo    user34311@gmail.com  fWi3$aLjwel1
John Deters

No. This is not significantly more secure than using the same password everywhere.

The point of using different passwords on different websites is that if one password is compromised, they can't get on your other websites. With your approach, while it's true they are different passwords, if an attacker knows one password they can likely figure out the others.

paj28
  • +1, but caveat: It isn't /significantly/ more secure, but it /is/ more secure. In the case where an attacker grabs 1 million passwords, he's not going to spend time going through and figuring out which are formulaic, he'll just try and re-use them as is. – gowenfawr Nov 17 '13 at 15:04
  • "...if an attacker knows one password they can likely figure out the others." How? How can an attacker even know you used some kind of algorithm to forge a password? – StupidOne Nov 17 '13 at 15:07
  • By looking at the password and knowing some of the common algorithms people use. In this particular case, using the first three letters of the URL is pretty obvious. The number at the end less so, but an attacker would likely try to brute force the final number. – paj28 Nov 17 '13 at 15:14
  • But an attacker wouldn't know that out of a *million* passwords leaked, that this individual password has a method to how it was made. They'd figure I use different passwords on different websites and give up on it, right? – Jon Nov 17 '13 at 18:53
  • They wouldn't know for sure, but maybe they'd try to see if they got lucky. That's the mindset of a hacker. If a million passwords got leaked, they probably would just go for the low hanging fruit. But are you comfortable relying on that? I know I'm not. – paj28 Nov 17 '13 at 19:20

I think your idea is a good one (I have my own algorithm), but I found a downside:

  • Changing passwords might be hard. I mean, it is good practice to change passwords periodically, but that also requires us to change the algorithm for creating a password.

The problem starts from here: how can you tell yourself whether it is a second, third, ... generation of password, and which algorithm has to be used?

This kind of password management is not safer than others, but it will help you remember your passwords without storing them anywhere, which is, we can say, insecure.

kawa
  • You had better change all your passwords if you are changing the base or algorithm, which is not going to be easy. Also, strangely, some sites don't allow special characters in passwords for some reason, which will break your base word if it included any. – AdnanG Nov 17 '13 at 12:38

I have thought about a similar password system for a while. I have just chosen some more complex variables, like the sum of the digits of the zip code etc., but that's not the point.

As others noted, it is still possible to discover your pattern. I think if somebody has at least two of your passwords, this shouldn't be very hard. But I think there is a simple solution to this problem: just hash your individual site password and maybe mix the hash with some special chars to make it stronger.

You could also add a counter (or, for example, the year of password generation) to each individual password. This way it is possible to change the passwords easily. Maybe you have to keep the year or counter in a file or database, but for your most visited sites it shouldn't be hard to remember the counter.

The only problem I see with this system is the calculation of the hashes without leaving traces (especially on public computers). This might be possible with a small web application running on your own webspace or server over a secure connection.

trent
  • Most hashes aren't really a do-it-in-your-head routine so they'd require software. The OP claims that "no software" is an advantage. – John Deters Nov 17 '13 at 23:53
  • That's a fair argument, but to be accurate, he claimed that "no special software" is an advantage. I'm not sure to what extent a hashing function counts as special software. A hashing function/program should be available on every Unix system and is also provided by many websites as a service (and is usable without constraints if you trust the site). – trent Nov 18 '13 at 00:23
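An added example (not code from the question or from any answer) that implements the questioner's scheme, shows the shared-prefix leak that John Deters and paj28 describe when two sites are breached, and builds the hashed variant trent proposes. The HMAC-SHA256 construction, the character alphabet, the change counter and the `www.`-stripping rule are my assumptions, not the page's.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for the demonstration; the base is the one quoted in the question.
BASE = "fWi3$aLj"
TLD_CODES = {"com": "1", "net": "2", "org": "3"}   # anything else -> "4"
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def registrable_name(url):
    """Host name of the URL with a leading 'www.' dropped (assumed parsing rule)."""
    host = (urlsplit(url).hostname or url).lower()
    return host[4:] if host.startswith("www.") else host


def questioner_scheme(base, url):
    """The scheme from the question: base + first three letters of the site + TLD digit."""
    labels = registrable_name(url).split(".")
    return base + labels[0][:3] + TLD_CODES.get(labels[-1], "4")


def shared_prefix(a, b):
    """Longest common prefix: what two leaked passwords reveal about each other."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def hashed_scheme(base, url, counter=1, length=16):
    """trent's proposal as I would build it (assumed design): HMAC the site name
    and a change counter under the base, then map the digest to printable characters.
    The base never appears in the output, so two leaks share no usable prefix."""
    msg = f"{registrable_name(url)}|{counter}".encode()
    digest = hmac.new(base.encode(), msg, hashlib.sha256).digest()
    # Byte-by-byte modulo has a small bias; fine for a demo, not for a real manager.
    body = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[: length - 1])
    return body + "!"   # fixed symbol to satisfy "must contain a special character" rules


if __name__ == "__main__":
    adobe, sony = "https://www.adobe.com", "https://sony.com"
    p1, p2 = questioner_scheme(BASE, adobe), questioner_scheme(BASE, sony)
    print(p1, p2, "-> leaked prefix:", shared_prefix(p1, p2))
    h1, h2 = hashed_scheme(BASE, adobe), hashed_scheme(BASE, sony)
    print(h1, h2, "-> leaked prefix:", repr(shared_prefix(h1, h2)))
```

Bumping `counter` rotates one site's password without touching the base, which addresses kawa's "second, third generation" problem; the counter still has to be remembered or stored per site.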

Hacker's point of view.

Hypothesis: I'm a dangerous hacker. I run some websites for unimportant purposes, but with standard account management. As my goal is to steal passwords, my password database is neither hashed nor encrypted (only hidden)... Or maybe I've simply grabbed password databases from Adobe, Hotmail and some others...

So your password is built from two distinct parts. But as you made an account on two different hacked sites of mine:

  • The first part could be identified very quickly.
  • The second part is distinguishable too, and as there is no random part, all that is left is to understand how it is built. Nothing more to do.

Yes, from there, I only need to know two of your passwords to be able to guess all your others.

Thank you for sharing your password!