5

Let's say you were to add a couple of extra characters to your password, unique to each site you visit. The password would be largely similar except for a few characters of salt, possibly taken from the site's URL, name, etc.

Would this improve security? And if so, is it a viable alternative to password managers?

techraf
William
    It depends entirely on what your salt pattern is, as a simple one would be identifiable by an attacker. The whole premise is broken though - use a password manager with random passwords for every site! – Polynomial Jun 02 '16 at 12:45
  • This is a *very* commonly used idea, adds very little security, and has [usability issues](http://security.stackexchange.com/a/115407/93625) compared to just using a password manager. Truly unique passwords are so important, I'd recommend just having your browser remember your randomly generated passwords before I recommended this scheme, but I'd personally take it a step further and just say "use a password manager, already." – Ben Jun 02 '16 at 15:07
  • In general, [passwords should not be similar across sites](http://security.stackexchange.com/q/56328/93625). – Ben Jun 02 '16 at 15:14
  • I would use completely unique passwords and keep them physically somewhere. If it's on your computer, it's possible to get. Write it down and put it somewhere safe. – Rogue Jun 02 '16 at 15:58
  • It would be great if downvoters could suggest fixes to the question or clarify the reason they are downvoting. This way the question can be improved for people seeing it in the future. – William Jun 03 '16 at 10:35

3 Answers

3

What you are talking about is not a salt, it's just a pattern, and one that is highly predictable. Say, for example, that your password on Amazon is p@ssw0rd123amazon and your password on Google is p@ssw0rd123google and your password on some small e-commerce site is p@ssw0rd123*sitename*.

If someone hacks the e-commerce site and posts all the passwords on the internet they are out there for anyone to see. It wouldn't take a genius to recognize your pattern and figure out the password you are using for Amazon and Google as well.

Password patterns never work out that well and are not as secure as you'd think. You are better off getting a password manager to generate strong passwords and save them for you; then you don't even have to think about your passwords.

Mark Burnett
2

It's a good idea, as it gives a different password for each site. I wouldn't make the unique part too obvious. In the event one password gets leaked, someone could guess the others. So don't do "passwordSITEname" for example. If it gets leaked, an attacker will try "passwordNEWSITEname".

I'm a fan of password managers, and think they should be used by everyone.

Stephen Spencer
1

To analyze this we need to think carefully about various scenarios that stipulate what knowledge the attacker has, and then reason about what other information they can deduce.

Mark Burnett's answer already provides us with one such scenario: if the attacker acquires your password from one of the sites, then they know all but two characters of your password in the others (taking your suggestion of using "a couple" salt characters literally), and thus can easily guess the others. Since the point of using different passwords in different sites is to protect you against an attacker who learns your password in one site, this pretty much shoots your proposal down already, I'd say.

Here's a second scenario: the attacker doesn't know any of your passwords, but they know that you might construct them according to the rule you've described, which I'll spell out like this:

  1. Construct a shared, master password according to some general rule;
  2. Construct a variant sub-password for each site by appending a two-character salt.

If the attacker knows that you create your passwords like this, then strategies for guessing #1 adapt very easily for guessing #2, because the two-character salt barely adds any entropy to the master password.

Third scenario: an attacker who doesn't know any of your passwords, nor knows or guesses that you construct them according to this procedure. Then I'd say that whether it's effective depends on what strategy they use to guess passwords. You'd have to know or guess their password-guessing strategy, which you don't. But then you have no reason to believe your password scheme will be any more or less secure than an alternative.

The only virtue I can see to this, then, is that it makes your passwords easier to remember. But I think the first scenario shoots the whole approach down, period. And the sad fact is that things that make passwords easier to remember generally make them easier to guess as well.

Luis Casillas
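The attacker's side of the two answers above, as an added example that is not code from the original Q&A: Mark Burnett's point that one leaked password gives away the pattern, and Luis Casillas's first two scenarios (recover the template from a leak and apply it to another site; knowing the scheme, extend a master-password wordlist by the handful of plausible site-derived parts). The site-name rules, the passwords, the site names and the "leaked" record are all constructed assumptions for illustration, not anything taken from the answers.

```python
"""Attacker's view of 'master password + per-site salt'.

Added example for this Q&A, not code posted by any answerer. Every
password, site name and leaked record here is constructed; RULES is an
assumed list of ways a user might derive the per-site part.
"""
from math import log2

# Assumed derivations of the per-site part from the site name.
RULES = {
    "full name": lambda site: site,
    "first 3 chars": lambda site: site[:3],
    "first 2 chars": lambda site: site[:2],
    "reversed name": lambda site: site[::-1],
}


def _variants(site):
    """(rule_name, capitalised, site_part) for every rule, in lower and
    Capitalised form, longest parts first so 'shopexample' is preferred
    over 'sh' when both occur in the same password."""
    parts = []
    for name, rule in RULES.items():
        base = rule(site.lower())
        if base:
            parts.append((name, False, base))
            parts.append((name, True, base.capitalize()))
    return sorted(parts, key=lambda p: -len(p[2]))


def infer_template(leaked_password, site):
    """Scenario 1: one plaintext password leaked from one site.
    Split it as prefix + site_part + suffix and return
    (rule_name, capitalised, prefix, suffix), or None if no rule fits."""
    for rule_name, cap, part in _variants(site):
        idx = leaked_password.find(part)
        if idx != -1:
            return (rule_name, cap, leaked_password[:idx],
                    leaked_password[idx + len(part):])
    return None


def guess_for(template, site):
    """Apply a recovered template to a different site: the attacker's
    first guess there, needing no further brute force."""
    rule_name, cap, prefix, suffix = template
    part = RULES[rule_name](site.lower())
    return prefix + (part.capitalize() if cap else part) + suffix


def expand_wordlist(master_guesses, site):
    """Scenario 2: the attacker knows the scheme but no password. Each
    master-password guess is extended by every site-derived part, so the
    wordlist grows only by a small constant factor."""
    return [master + part
            for master in master_guesses
            for _rule, _cap, part in _variants(site)]


def salt_bits(length, alphabet_size=95):
    """Entropy a truly random salt of this length would add (printable
    ASCII). Two random characters are about 13 bits; a site-derived part
    is only log2(len(RULES)) bits, since the rules can be enumerated."""
    return length * log2(alphabet_size)


if __name__ == "__main__":
    leaked_site, leaked_pw = "shopexample", "p@ssw0rd123shopexample"  # constructed
    template = infer_template(leaked_pw, leaked_site)
    print(template, guess_for(template, "amazon"), guess_for(template, "google"))
    print(len(expand_wordlist(["p@ssw0rd123", "letmein"], "amazon")))
    print(round(salt_bits(2), 1), round(log2(len(RULES)), 1))
```

Running it shows the template ("full name", False, "p@ssw0rd123", "") recovered from the single leak, the Amazon and Google guesses that follow immediately from it, and a wordlist that grew by a factor of 8 rather than the 9,025 a genuinely random two-character salt would cost the attacker.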