I've heard that it's a bad idea to create passwords based on a common form such as random letters appended with the start of a website's domain name. So for example a password to Gmail might be something like 8*dfJK3!%kgmail and a password to Facebook would be 8*dfJK3!%kfacebook and so on. Why is this considered a bad idea?
Because if only one site didn't do anything to secure your password, and it's exposed, your system is really easy to figure out and can be used to potentially log in to many more sites. – Nov 23 '15 at 08:02
2 Answers
Reusing passwords across multiple sites is very problematic as a password exposure on one site leads to a password exposure on all of your accounts that used the same password. What you are proposing seems better than using a static password across multiple sites, but it is still rather predictable. If someone discovers one of your passwords they can likely guess many of your other passwords. No matter how careful you are with your passwords, they will be discovered. Sites get hacked and password lists are published.
The only way to ensure password safety is to use unique random passwords that have a provably large entropy (a measure of randomness). This answer discusses randomness as related to password generation.
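To put numbers on the two points this answer makes (the site-name part of the question's scheme contributes no secrecy, and one exposure gives away every other password built the same way), here is an added Python example. It is not code from the answer or the asker; the 74-character alphabet, the 16-character length for random passwords, and the helper names are assumptions of the example.

```python
import math
import secrets
import string

# Character set the random generator draws from (constructed for this
# example: 52 letters, 10 digits and 12 symbols = 74 characters).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a string chosen uniformly at random from all
    alphabet_size ** length possibilities."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Independent, uniformly random password from the OS CSPRNG.
    Each call is unrelated to every other call, so one leaked password
    says nothing about the rest."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def scheme_password(shared_secret: str, site: str) -> str:
    """The scheme from the question: one shared random part followed by
    the site name (hypothetical helper mirroring the question's example)."""
    return shared_secret + site


def scheme_entropy_bits(shared_secret: str, leaked_elsewhere: bool) -> float:
    """Bits an attacker still has to search for one site's password under
    the shared-secret + site-name scheme, assuming the shared part was
    drawn from ALPHABET.

    The site suffix is public, so it adds nothing even before a leak.
    Once any one password built with the scheme is exposed, the shared
    secret is known and every other site's password has 0 bits left."""
    if leaked_elsewhere:
        return 0.0
    return entropy_bits(len(ALPHABET), len(shared_secret))


def random_entropy_bits(length: int, leaked_elsewhere: bool) -> float:
    """Same question for independent random passwords: a leak on another
    site does not reduce the entropy of this one, so leaked_elsewhere is
    deliberately ignored."""
    return entropy_bits(len(ALPHABET), length)


if __name__ == "__main__":
    secret = "8*dfJK3!%k"  # the shared part from the question
    print("scheme, no leak yet :", round(scheme_entropy_bits(secret, False), 1), "bits")
    print("scheme, after 1 leak:", round(scheme_entropy_bits(secret, True), 1), "bits")
    print("random, after 1 leak:", round(random_entropy_bits(16, True), 1), "bits")
    print("example random password:", generate_password(16))
```

With these assumptions the ten shared characters are worth about 62 bits until the first breach and 0 bits afterwards, while each independent 16-character password keeps about 99 bits regardless of what leaks elsewhere.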
To take that one step further: Passwords don't _need_ to be random, but they do need to _appear_ random to an observer. Anything that is obviously generated limits the entropy of a password. In the question, there's a universal password and then a site name. An attacker with your gmail password will likely guess your facebook password in a single try. Consider something like [SuperGenPass](https://chriszarate.github.io/supergenpass/) if you want to use a universal password securely. – Adam Katz Nov 24 '15 at 20:32
I think that tools like SuperGenPass are not widely accepted @AdamKatz. For example, what do you do if you need to update a password for a site? There's no way to get a second one out of SuperGenPass. – Neil Smithline Nov 24 '15 at 20:47
But what about all the sites where you didn't update your password? You'll need to keep track of which sites use which password? Unpleasant. – Neil Smithline Nov 25 '15 at 03:31
Because it's easily predictable. There was a study done on organizations that enforced a password policy which required every password to contain at least 1 symbol and 1 digit. The results of the study concluded that passwords of the form `<phrase><symbol><digit>` (e.g. `Example@1`) were very prevalent. A malicious attacker can use this to his/her advantage when cracking passwords, drastically increasing the success rate of finding a match.
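A password policy that only counts character classes cannot see the template this answer describes. As an added example (not code from either answer), here is a small Python audit that flags the two predictable templates on this page: the `<phrase><symbol><digit>` form and the question's site-name suffix. The regular expression generalises the cited form to runs of symbols and digits, and the hostname handling and sample inputs are constructed for the example.

```python
import re

# A phrase of letters, then one or more symbols, then one or more digits.
# The study cited in the answer describes the single-symbol, single-digit
# case (e.g. Example@1); allowing runs of each is a generalisation.
PHRASE_SYMBOL_DIGIT = re.compile(r"^[A-Za-z]{3,}[^A-Za-z0-9]+[0-9]+$")


def site_labels(hostname: str) -> list:
    """Non-TLD labels of a hostname that a user is likely to paste into a
    password, e.g. 'mail.google.com' -> ['mail', 'google']."""
    labels = [l for l in hostname.lower().split(".") if l and l != "www"]
    return [l for l in labels[:-1] if len(l) >= 3]


def audit_password(password: str, hostname: str) -> list:
    """Return the predictable-template findings for a password chosen for
    the given site. An empty list means none of the templates matched;
    it does not by itself mean the password is strong."""
    findings = []
    if PHRASE_SYMBOL_DIGIT.match(password):
        findings.append("phrase-symbol-digit template")
    lowered = password.lower()
    for label in site_labels(hostname):
        if label in lowered:
            findings.append("contains site name '%s'" % label)
    return findings


if __name__ == "__main__":
    # Constructed samples: the answer's Example@1, the question's two
    # scheme passwords, and one password with no obvious template.
    samples = [
        ("Example@1", "intranet.acme.test"),
        ("8*dfJK3!%kgmail", "gmail.com"),
        ("8*dfJK3!%kfacebook", "www.facebook.com"),
        ("xq7#Lp!2Rk9", "gmail.com"),
    ]
    for pw, host in samples:
        print(pw, "->", audit_password(pw, host) or "no template detected")
```

Run as a pre-commit or provisioning check, a non-empty finding is a reason to reject the password; the site-name check is what catches the scheme from the question even though it would sail through a "one symbol, one digit" policy.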