16

Suppose I use remember one long high entropy master password, and use variations of it for each of my passwords.

Eg if I remember tSaF4nWeACVkUU4 as a master password and use tSaF4nWeACVkUU4t (with a t and the end) as my Twitter password and tSaF4nWeACVkUU4g (with a g at the end) as my Google password.

Is this bad practice if so how much variation should I put in different passwords.

user288447
  • 555
  • 3
  • 9

7 Answers7

17

You use distinct passwords on distinct systems because you know that some of these passwords may leak. If your passwords are high enough in entropy then they won't leak through brute force, but they may still leak through some other ways, e.g. server compromise (grabs the passwords as they come by), key loggers (grabs the password as it is typed),... Using distinct passwords is a damage containment feature. To keep server compromises local that server.

If the password for site B can be easily inferred from the password for site A, as in the method you suggest, then you fail at the damage containment. That the password starts with high entropy has no influence whatsoever on that statement. High entropy is about avoiding a breach through brute force (aka "dictionary attack"). However, once another kind of breach has happened, entropy is no longer relevant. Entropy is a measure of what the attacker does not know. If the attacker could grab your password then he knows all of it and there is no entropy any longer. We are past that step.

For damage containment to work, knowledge of your password for site A must yield no information whatsoever about your password for site B -- which means that both passwords must be generated randomly and independently of each other. Notably, while this means that you should not do some "password derivation" as the one you propose, you should not either reject candidate passwords for site B because they would be "not different enough" from the password on site A: such a rejection rule would also help an attacker narrow his brute force efforts.

(Cryptography-powered password derivation from a root password may be applicable, but these things are subtle and, in any case, you won't be able to run it in your head, which voids the usability advantage of having a simple derivation rule.)

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • 1
    _"If the password for site B can be easily inferred from the password for site A, as in the method you suggest, then you fail at the damage containment."_ But can it? What are the odds that anyone will guess that such a scheme is in use, never mind what the scheme is? Granted, I can see how it's safer not to take the chance at all. – Lightness Races in Orbit Nov 06 '14 at 18:49
  • 1
    *"If the password for site B can be easily inferred from the password for site A, as in the method you suggest, then you fail at the damage containment."* Downright wrong, it doesn't fail at damage containment, but merely is less effective at it. – David Mulder Nov 06 '14 at 19:05
  • @DavidMulder Tom's answer is correct. This method is so ineffective at damage containment that utter failure is a correct way of describing it. Once a password on one site is known, the passwords on other sites are known. – Gilles 'SO- stop being evil' Nov 06 '14 at 20:41
  • @LightnessRacesinOrbit The odds are pretty good. People who write password crackers are intelligent (at least some of them are, which is enough to warrant protecting against intelligent password crackers). Trying variations on known passwords is routine for password crackers. – Gilles 'SO- stop being evil' Nov 06 '14 at 20:42
  • @Gilles: Alright then – Lightness Races in Orbit Nov 06 '14 at 20:57
  • @LightnessRacesinOrbit, one standard procedure for generating candidate passwords in an attack is to take all the information known about the target (including any passwords they're known to use) and put it in a wordlist, then run various generation rules against that list. "Root + suffix" is literally the second thing they'll try, after simply using the wordlist as-is. If you're facing a targeted attack (ie. the attacker wants *your* account), the method described in the OP is highly vulnerable. – Mark Nov 06 '14 at 21:13
  • "For damage containment to work, knowledge of your password for site A must yield no information whatsoever about your password for site B..." Not really. A user who is only able to remember n digits per site has *at* *worst* an n digit password. Consider the probability of naively guessing the password, that of guessing it when knowing another password, and that of knowing another password, and you can sort of model the risks entailed. But it's neither strictly accurate nor particularly helpful to suggest that one should only have unique passwords for each site. – D__ Nov 06 '14 at 21:31
  • @LightnessRacesinOrbit Kerckoffs's Principle – PyRulez Nov 07 '14 at 01:36
  • Also he told us. – PyRulez Nov 07 '14 at 01:36
  • @PyRulez: He told us in this one example sure. None of us here are attacking him with a password he's not actually using, though. – Lightness Races in Orbit Nov 07 '14 at 10:36
9

In a perfect world, sure that would be a wonderful method for a human to remember their passwords. However, the world is far from perfect.

The main issue with your method is that if just one of your passwords is ever discovered (through leakages, guesses, breaches, etc) then your entire security apparatus could unravel -because patterns are trivial to detect.

To answer your question on variation; you should have completely different passwords. I know this may seem tedious to remember but consider using a password safe to contain all of your individual passwords and simply remember your (ever changing) master password.

Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
7

This provides almost no additional security over using the same password everywhere. The entire point of using multiple passwords is to prevent a leak of one from compromising multiple accounts.

If I get your password to twitter, the first thing I'm going to do trying to hack you on Google is going to be to try permutations of your twitter password. It isn't going to take long to figure out that replacing t with g makes it work, in fact, it would probably be the first thing I tried before trying random permutations.

If you really want security, each password should be completely unique and unrelated to your other passwords. Alternately, you can go to the opposite extreme and setup as much as you can under oAuth. This ties everything to the same credentials, but also only offers one service that can be compromised to gain your password and also offers only one place to need to change them as soon as the compromise is detected. It still isn't quite as secure as having a bunch of completely unique passwords, but it is a heck of a lot more usable.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
3

My suggestion is, "don't." The scheme you've suggested is vulnerable to brute force attacks.

Instead, use a password database application that is ported to the devices you use, and can both generate complex passwords and auto-fill them for you.

W1T3H4T
  • 338
  • 1
  • 6
  • Depends on how his password is chosen as a target. If a DB is compromised that used good security practices for hashing the passwords, and his is just one of many upon which a crack is being attempted, this password scheme has more safety than most of them. If the compromised DB used poor security practices and his password is thus discovered, and someone decides to pick him out of a hat and try his password and variations at other sites, he is now vulnerable to brute forcing because of password similarity. – Jason Nov 06 '14 at 18:13
  • A secure password hashing scheme (e.g., Password-Based Key Derivation) cannot be broken in a reasonable amount of time. Unless, of course, one has access to the algorithm specifics. A common weakness of password databases is to encrypt the passwords with a seemingly secure algorithm (AES256 or better). At which point, a rainbow table can be generated even in the absence of the encryption key. – W1T3H4T Dec 19 '14 at 23:48
-1

As I disagree with the conclusion of most answers here I am going to break this problem down in a slightly different way. Let's consider a couple of breaches and examine what the effect of such a password scheme would be, however I am going to make one little change to your scheme (as your current scheme is simply too simple):

Eg if I remember tSaF4nWeACVkUU4 as a master password and use tSaF4nWeAtCVkUU4 (with a t in the middle) as my Twitter password and tSaF4nWeAgCVkUU4 (with a g in the middle) as my Google password.

Database hack

The user database is hacked and hashed password are compromised. The password has a high entropy, thus it will not be broken through brute force. Attacking other sites using this knowledge is also impossible.

Site hack

The plaintext version of the password is compromised. It now becomes possible to do a simple bruteforce with around 3 to 10 attempts realistically on another site before you're locked out. Using the proposed scheme this will quite definitely hold up even under relatively close scrutiny. I have recently been observing how many sites actually use time outs and account locks and it turns out that a lot of sites have neither. Without basic protections like that an attacker will be in the same situation as described below with a single plain text password and multiple hashed ones (though the rate of trying passwords against the hash is significantly lower through a web service).

Multiple site hacks

Now, this scheme only becomes seriously weak once an attacker is able to attack a number of different sites and then do a targeted attack against you. In this case he can explicitly look for differences in the password and thus figure out your scheme. A similar thing is possible if one of the hacks is merely a database hack, as he can then search for permutations first in a brute force attack against the hash... which in turn will likely lead to the discovery of your scheme.

Conclusion

In conclusion I think using a well designed scheme that requires at least 3 different password instances to be compromised is sufficient for a lot of uses. Only in case you're expecting an incredibly targeted attack will this start to become an issue. Of course, using completely different passwords is definitely safer, using completely different passwords and a password managers is slightly safer (depending on the password manager and the way you use it), but this has distinct advantages over having a password manager without mostly all pitfalls of having a fixed number of different passwords.

And to all of you who claim this is so simple, have a go at it (and this is even an extremely simple version with just two variables):

  • Plain text compromised password: Hsx3e8oHSTBT
     Site: PayPal
     Domain: paypal.com
     Company: Ebay
     Category: Finance
     Importance: High
  • Compromised hash: ab3ba457824c61f052d8cd5e777e518e6cd2ee63
     Site: Gmail
     Domain: gmail.com
     Company: Google
     Category: Mail?
     Importance: High?
  • Compromised hash: b20b284e7b255d7f8008bcf2a64ad74e0d210e5655539aa71a530939c51482f4  Site: Twitter
     Domain: twitter.com
     Company: Twitter
     Category: Social
     Importance: Medium

Now mind you, the above should be doable, after all, you just were able to hack three different sites and the scheme isn't that complex, but if you only have the first two you won't figure out the third in time before Twitter blocks you. If you have the first and the third you might figure out the second though, but that's why I still called this version weak. Either way, with all this information you know a million times more than any hacker would ever know... so as much as you guys are attacking this approach this should be a walk in the park.

Either way, the answer is Hsx3e8(first letter - 1)[HS](if high security)TBT , now imagine mixing in categories or more complex letter schemes or anything else you like. For example, instead of the above three have a look at the plain text versions: GOpwYjbm2vX, GOp24WYjBmvX, gOpWY12jbmvY (that's even more complex than my own scheme though :P )

David Mulder
  • 1,349
  • 1
  • 8
  • 16
  • 1
    Entropy is a property of a password generation process, not of a password. This password generation process you're proposing has not high entropy as you claim, but in fact almost no entropy at all. – Xander Nov 06 '14 at 19:48
  • 1
    @Xander: Absolutely wrong, information entropy says something about the amount of 'information' a 'message' contains. Yes, knowing all variations one could argue that *as a whole* the entropy is lower than *on it's own*, but even so, on it's own is what we're talking about. It has nothing nothing to do with the 'password generation process'. – David Mulder Nov 06 '14 at 19:54
  • [Calculating complex password entropy?](http://security.stackexchange.com/a/21051/12) – Xander Nov 06 '14 at 20:13
  • @Xander: Although he's trying to redefine the meaning of entropy in password world, the definitions say otherwise: http://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength (that was simply the first search result). Now his point is correct that the entropy added by a word is not equal to the sum of all the entropies of each individual character, because in the world they have certain tendencies to be together (as outlined in the wikipedia article as well), however entropy is a measure of password strength, which is a direct representation – David Mulder Nov 06 '14 at 20:24
  • of the amount of randomness in the password. Now, in this area it becomes more complex and Pornin is suggesting a solution where one looks at the process rather than the password, but that proposal is flawed exactly because of examples such as presented in this answer. – David Mulder Nov 06 '14 at 20:25
  • And @everybody, if you guys disagree, than attack this answer on the grounds of the actual concepts it's proposing. I know it goes against what is commonly taught in school, but if it truly is so ineffectual than explain me how this can be so easily attacked. – David Mulder Nov 06 '14 at 20:27
  • The Wikipedia article you link to actually says essentially exactly the same thing as Pornin. *"A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss."* You do not have random bits. You have a bunch of static bits, and 8 bits (the single character that changes) that is chosen in a deterministic fashion, so not even that is random. – Xander Nov 06 '14 at 20:33
  • @Xander: How nice of you to be so selective in your quotes and leave out the next sentence *"Put another way, a password with 42 bits of strength would require 242 attempts to exhaust all possibilities during a brute force search."* And the thing to understand here is that these characters *have* been chosen randomly, only in the context of this password scheme as a whole can they be considered non random. And the idea of considering entropy an attribute of the process rather than the result is flawed because it is the result that's being attacked, not the finished process. – David Mulder Nov 06 '14 at 20:35
  • The shared string may have high entropy, but if it is known, then all the passwords are known, or very very close (with negligible entropy). Thus the “Site hack” section is wrong. 10 attempts is very little. If a site locks out an account after 10 failed attempts, it'll be extremely vulnerable to denial of service. – Gilles 'SO- stop being evil' Nov 06 '14 at 20:39
  • 4
    This is a weak system because it violates [Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs's_principle) which says when the algorithm is known, the system should remain strong. This is not the case here, because the algorithm is extremely insecure. It combines a bunch of static data with a tiny amount of deterministic data. Whereas a random password must be brute forced *even if the algorithm* is known, if your suggested algorithm is known, it would take an average of approximately 1 attempt to guess any password generated this way. This is pure security through obscurity. – Xander Nov 06 '14 at 20:39
  • *"How nice of you to be so selective in your quotes and leave out the next sentence"* I left out the next sentence because it is irrelevant. – Xander Nov 06 '14 at 20:42
  • @Gilles: Nah, sites start with adding a timeout, then a longer timeout, and then they block either the IP or the user. – David Mulder Nov 06 '14 at 20:42
  • @Xander: And wow, applying principles in the wrong place is quite the nice act as well... Yes, that's definitely true for cryptography about which he was writing. It has nothing to do with passwords though, yes, knowing the process compromises the system, however the process in this case is the key. And yes, knowing the key will undo a cryptographic system as well. – David Mulder Nov 06 '14 at 20:44
  • @Xander: And it's not irrelevant because the sentence before that was there to get to the actual point what entropy defines... – David Mulder Nov 06 '14 at 20:45
  • 1
    @Xander, which is why we should always assume our algorithm of creating passwords is known. – Matthew Peters Nov 06 '14 at 21:22
-2

As other comments says, the main problem is the too close structure between different password.

A better solution would be to apply a hashing method to this "password + change" so that the result cant give back your main password.

That's the basic principle of http://passwordmaker.org/ :

  • You have a master password you only use to generate password (you never write it elsewhere), it must be a real tough password with lots of entropy and symbols (not only letters and numbers). Hard to remember, but you only have one like this to remember.
  • You have several salt systems: url of the website, login name, etc.
  • You choose the hashing algorithm to use.
  • You choose the number of character the generated password will have.
  • You choose the set of character to use for your password (some website do not allow specials characters).

The result is a random looking password that cannot give back you main password as there is too many salts to it.

The main drawback to this method is that it is very vulnerable to keyloggers if they record the whole sequence and that you use similar sequence for all your passwords (with only the website url changing).

As example, I'll keep the main password given: tSaF4nWeACVkUU4 (which I do not like as no special characters).

Then I write that is for use with "test.com" website, hashed with "HMA-SHA-256", with user name "test", with modifier "test", and a length of "10". Any change of one of these parameter will generate a completely new password (except for the length that only add or remove characters).

All this give me a new password: "FBaJZ+:1@N" that do not tell much about he main password.

If you do not have exactly all the same parameters, the hash algorithm should prevent to recover the missing ones.

I'm not a cryptographic expert, I may have misunderstood some aspects and I can make mistakes. All this message is what I understand, so not necessary truth.

Togh
  • 1
  • 1
  • 1
    if you are using a non-reversible hash function, why not just create completely new **random** passwords (which is essentially what you are doing with the hash just not in a random way). `random looking` is no substitute. – Matthew Peters Nov 06 '14 at 21:27
  • This in in the idea of having only one password to remember. It is an alternative to password bank and it is portable (you can access the html version from anywhere). I don't say it is cryptographically better than new real random passwords, just that this is a real improvement over the method of user288447 – Togh Nov 06 '14 at 21:34
  • 1
    First, make sure you review [hash functions](http://en.wikipedia.org/wiki/Hash_function) and [cryptographic hash functions](http://en.wikipedia.org/wiki/Cryptographic_hash_function) next, consider that if your method is not `cryptographically better` as you say (which it isnt), then why even bother. The fact is, even if you replace @user288447's t (for twitter) with [a super secure password](https://www.grc.com/passwords.htm) the concept would still be fundamentally flawed because it implements a **pattern**. see [here](https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html) – Matthew Peters Nov 06 '14 at 22:09
  • Maybe I did not describe clearly enough the way http://passwordmaker.org/ works. It may be better you to read the author's explanations (just follow the link) than give me some tips to correct my answer so it would be more understandable. – Togh Nov 06 '14 at 22:33
-7

Here is a framework I use (YMMV) that is based on the typical CISSP approach to passwords (something you know, something you are, something you have). I break my password structure down into these three topics with character substitution. Currently I never re-use password, my typical password is about 20 characters, and I can always recall them:

Substitutions: (very common)

s = $
e = 3
o = 0
a = @
i = 1

Something I am: (example)

human = hum@n

Something I have: (example I am logging into my gmail account)

gmail - gm@1l

Something I know

mytelephone_number_with_shift_key = @!@%%%!@!@

My password for gmail might be:

hum@n.gm@1l.@!@%%%!@!@

To where I can retain the something I know, something I am and change the something I have:

Something I have: (now logging into my bank)

bank = b@nk

This would be a breakdown:

hum@n.b@nk.@!@%%%!@!@ (bank password)
hum@n.gm@1l.@!@%%%!@!@ (gmail password)
hum@n.tw1tt3r.@!@%%%!@!@ (bank password)

This allows me to always maintain strong passwords, always remember them. Mind you, there is a threat that someone can figure out the structure via say keystroke logging, inference, it is still very strong in its design, easier to remember than generated nonsense. I fiddle along a structure like this and the way I see it, if anyone is attacking this methodology, then they are a highly strong adversary.

----- ADDED NOTE (edited)

Brute forcing most of my passwords don't work using oclhashcat, or John. Most are too long and would take months. I make it a point to change my password structure once every three months. Again, your mileage may vary, and I can see the responses/comments now: "All I need to do is figure out one thing" To which I respond: "if someone can figure out any of my passwords, a strong adversary they are. They DESERVE to break it"

munkeyoto
  • 8,682
  • 16
  • 31
  • 1
    This is a modest variation on the original poster's suggested scheme, and is not in fact strong at all. Because there are clear and obvious patterns in the password generation process here, there is very little entropy involved. Almost none, in fact, since the bits that change are also mostly deterministic. And your application of various authentication factors to passwords is...Well, not particularly helpful. A password is all "something you know." The other factors are not applicable. – Xander Nov 06 '14 at 16:24
  • 11
    I'm not even going to touch on how insecure this is but for all future impressionable readers please note that this is **not** what is meant by the CISSP [something you know, are, have authentication](http://www.cs.cornell.edu/courses/cs513/2005fa/nnlauthpeople.html). – Matthew Peters Nov 06 '14 at 16:25
  • Indeed to which I edited the note: "clear and obvious patterns" obvious to whom, someone would need to know how to even begin to attack the structure. You could try any variant of... of what? There is no rhyme or reason of where to begin an attack on this structure unless you cracked at minimum 2 of my passwords to see the pattern. Good luck cracking one of them – munkeyoto Nov 06 '14 at 16:26
  • This is exactly the type of variation in passwords that I was asking about. – user288447 Nov 06 '14 at 17:20
  • 2
    @user288447 Yes it is, and don't do this. For the reasons the other answers correctly state, it's a terrible and dangerous idea. – Xander Nov 06 '14 at 18:12
  • The flaw in this answer (beyond the misuse of the scheme idea) is that if you have one of the passwords in plaintext you can probably figure out the other answers within let's say 50 tries. – David Mulder Nov 06 '14 at 20:40