
One of the greatest problems with passwords is having to remember different passwords for different sites. Some people use password managers, others use the password reset link every time they want to log in.

I came up with this idea of remembering passwords and I want to know how secure it is. It consists of one common phrase and a suffix/prefix related to the website. For example, we can take a common phrase (for demonstration purposes only) like abcd124efg. Then a password for security stackexchange could be (taking the first and last three letters of the site name) secabcd124efgnge.

The advantage of this is that you get a different password for each website while only having to remember one. Now, since the algorithm is known only to the user, it would be hard to know other passwords if someone has access to one of them.

How secure is this algorithm? Would it be used anytime in the future?

Anders
  • "How secure is this algorithm?" **not secure at all** "Would it be used anytime in the future?" **it's a well-known technique already in use by many many people** – Ben May 02 '16 at 14:54

3 Answers


This reminds me of how Dan Kaminsky got hacked. He used to use passwords like:

fu*k.hackers
fu*k.mysql
fu*k.vps

So the bad guys revealed his pattern and the rest of the "job" was easy.

The lesson of the story is: stay away from this.

Mirsad
  • Heh, once the pattern is known, the password length is vastly reduced. Three letter passwords are really secure, eh? – Fiasco Labs Apr 30 '16 at 21:54

Password patterns are subject to the same fault: they are only secure if the pattern is unknown.

Worse still, in your pattern, it is subject to the site it is found on, making the pattern more obvious.

What happens if someone gets ahold of one of your passwords in clear-text? They can derive all the rest of your unique passwords.

Patterns can have their uses, but they have faults you need to account for.

schroeder
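To make the question's scheme and schroeder's "derive all the rest" point concrete, here is an added Python example; it is not part of the original question or of any answer. It implements the derivation exactly as the question describes it, using the question's own demonstration secret abcd124efg, and then plays the attacker three ways: stripping the secret out of one clear-text password when the pattern is known, inferring the secret from two or three leaked passwords when it is not, and guessing a further site's password from a leaked hash. The site names, leaked passwords and the unsalted SHA-256 hash are all constructed for the example.

```python
import difflib
import hashlib
from typing import Optional

# The question's own demonstration secret. Every site name, "leaked" password
# and hash used below is constructed for this example.
SECRET = "abcd124efg"


def site_password(site: str, secret: str = SECRET) -> str:
    """Derive a per-site password the way the question describes:
    first three letters of the site name + secret + last three letters."""
    name = site.lower()
    return name[:3] + secret + name[-3:]


def recover_secret(leaked_password: str, site: str) -> str:
    """Attacker who knows the pattern and which site one clear-text password
    came from: strip the site-derived prefix and suffix, the rest is the secret."""
    name = site.lower()
    prefix, suffix = name[:3], name[-3:]
    if not (leaked_password.startswith(prefix) and leaked_password.endswith(suffix)):
        raise ValueError("password does not fit the first/last-three-letters pattern")
    return leaked_password[len(prefix):len(leaked_password) - len(suffix)]


def infer_secret(leaked_passwords: list) -> str:
    """Attacker who does NOT know the pattern, only two or more clear-text
    passwords from different sites: the longest substring they all share is
    the secret. Two samples can over-shoot when a site name happens to share
    letters with the secret; each extra sample trims the estimate."""
    common = leaked_passwords[0]
    for pw in leaked_passwords[1:]:
        m = difflib.SequenceMatcher(None, common, pw).find_longest_match(
            0, len(common), 0, len(pw))
        common = common[m.a:m.a + m.size]
    return common


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for a badly stored password hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack_hash(target_sha256: str, secret: str, candidate_sites: list) -> Optional[str]:
    """Once the secret is known, another site's password varies only in the
    site name, so a leaked unsalted hash falls to a handful of guesses."""
    for site in candidate_sites:
        guess = site_password(site, secret)
        if sha256_hex(guess) == target_sha256:
            return guess
    return None


if __name__ == "__main__":
    # 1. The question's example: security stackexchange -> secabcd124efgnge
    print(site_password("security stackexchange"))

    # 2. One leaked clear-text password plus knowledge of the pattern
    print(recover_secret("secabcd124efgnge", "security stackexchange"))

    # 3. No knowledge of the pattern, just leaked passwords from several sites
    leaks = [site_password(s) for s in ("security stackexchange", "facebook", "github")]
    print(infer_secret(leaks[:2]), infer_secret(leaks))

    # 4. Guessing a fourth site's password from a constructed unsalted hash
    target = sha256_hex(site_password("twitter"))
    print(crack_hash(target, infer_secret(leaks), ["amazon", "github", "twitter", "reddit"]))
```

Step 3 is the part worth dwelling on: with only the security stackexchange and facebook passwords the attacker's estimate is "cabcd124efg", one letter too long because "facebook" and "security" both put a "c" right before the secret; the github sample corrects it. Nothing in the scheme prevents that convergence, because the only thing that differs between sites is a few letters that the attacker also knows.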

Your system is also known as the monthly update of passwords, where the last two positions of a password are changed with the number of the month. It didn't work 20 years ago and it will not work in the future.

Computers are much better at generating random strings and/or telling remote systems that you are you. So get a good password manager and identity service, both with 2FA, and you're set for now. Most people would benefit more from being forced into using Google authentication with a good password and 2FA, for example, than from a password pattern. Also, sites get renamed or end up with the same prefixes.

Don't forget the benefit of a password manager / identity service: it has an overview of the sites/services that depend on your credentials/identity. In case of an emergency this may come in handy.

hspaans
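As an added example (not part of hspaans's answer and not any password manager's own code), here is how a manager-style generator draws a password from the operating system's CSPRNG with Python's `secrets` module, next to a back-of-the-envelope comparison of what is left to guess in each approach. The figure of 500 candidate site names for the pattern scheme is an assumption chosen for illustration.

```python
import math
import secrets
import string

# Character set a typical password manager offers; 94 characters, constructed
# for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG (secrets.choice),
    so no password says anything about any other one."""
    if length < 12:
        raise ValueError("refusing to generate a short password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, length: int = 1) -> float:
    """Entropy of `length` independent, uniform picks among `choices` options."""
    return length * math.log2(choices)


def compare(candidate_sites: int = 500, length: int = 20) -> dict:
    """Once the fixed secret has leaked, the pattern scheme's only unknown per
    site is the site name, drawn from a small list (assumed here: 500 sites).
    A generated password keeps its full entropy no matter how many others leak."""
    return {
        "pattern_after_secret_leak": round(entropy_bits(candidate_sites), 1),
        "random_per_site": round(entropy_bits(len(ALPHABET), length), 1),
    }


if __name__ == "__main__":
    print(generate_password())
    print(compare())
```

The comparison is deliberately unflattering to the pattern: about 9 bits once the secret is out, versus roughly 131 bits for a 20-character generated password, and the second number does not shrink when a site is breached.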