Patterned password, based on site name

Question

I'm considering implementing a pattern for my passwords, using the following ideas:

1. Master password that I store nowhere
2. An algorithm to mangle it based on the site I am accessing

So for example I have master password M, I go to website PayPal (P) and run some relatively simple algorithm in my head A(M, P) that produces password for PayPal. Algorithm is consistent but for different sites it produces different results.

Pros:

1. Stealing 1 or 2 passwords doesn't expose me to further risk.
2. I don't need any storage or password management apps.
3. Keylogger can steal only limited amount of passwords.
4. Since I don't need storage I can't really lose my passwords.

Cons:

1. If my algorithm somehow leaks the master password can be recovered from few known passwords.
2. It makes entering passwords harder. I can write small app for my phone for that though. Still generating site password might be problematic in certain situations.
3. Changing passwords is a problem as well, but this can be added by adding 3rd param - version A(M, P, V) and I can store just version. Or save it in password hint.

Is it good idea?

Answer 1

Since the question has been edited to no longer reference "Two Factor Authentication", I will re-vamp my answer, but I'll leave the original below.

---

The idea of having a "base password" that you either append a few chars to, or "mangle" in some way to make it unique for each site is a fairly common trick that even some security experts use (until they adopt password managers at least).

So how secure is this scheme? Well, it's better than using the same password for everything, and worse than using completely different and unrelated passwords. Exactly where it falls on this line is a matter of opinion (which I'm sure other answers will provide).

My opinion is that it doesn't matter where it is on the line because you're either worried about people analyzing your leaked passwords for patterns, or you're not. The way I see it, there are two types of attacks (or "threat models") to worry about:

1. A "drive-by" dictionary attack by a mass cracking tool using stock dictionaries. They are usually looking to pick off the 40% of users with weak passwords - who re-use the same password from site to site, and then they'll move on to a new password leak.

2. You are being personally targeted - human time and computational power will be spent analyzing your previous leaked passwords looking for a pattern.

If you're only worried about 1) then you may be able to get away with a very simple mangling rule to get your password away from standard rules in off-the-shelf dictionary-based cracking tools. Even here, you're hoping that your "trick" is not popular enough that any hackers out there have added it to their rule sets. If you're worried about 2) then any sort of pattern whatsoever will eventually be figured out.

At the end of the day, "is it secure enough?" depends on your risk management and the importance of the thing you're protecting: very roughly speaking, if (probability of breach) X (value of data lost) > (level of security) then you should increase your security. If you're concerned enough about your passwords to write up a post on a site like this (and good for you!) then you should consider just using a password manager like LastPass or KeePass - they really are easy (unless you forget your super-strong master password and abandon the whole thing like I did).

---

Original answer:

First, some terminology:

It turns out that there's a little bit more to Two Factor Authentication than you might think on the surface. Generally speaking, there are three types of authentication mechanisms:

1. Something you know - information, like a password, or your mother's maiden name, or a public key stored in a key file.

2. Something you have - usually a physical object like the phone that can receive SMS at your number, or a One-Time-Password (OTP) token or public-key enabled smart card / USB stick:

3. Something you are: aka "biometric" like fingerprints, iris, voice, typing rhythm, etc.

The reason for splitting auth methods into these categories is that each one requires a very different kind of theft in order for a hacker to acquire it.

If you are required to provide a proof of identity from more than one of the above catogories, then it is properly "Two Factor Authentication", or "Multi-Factor Authentication". If you are providing multiple items from the same category, then it's called "Multi-Step Authentication", which is obviously weaker than multi-factor.

Now for your question:

So what you are proposing is not Multi-Factor. It's not even Multi-Step because at the end of it all, you're only providing one password to the login page.

Answer 2

This paper suggests that your approach of reusing variants based on a single master password is indeed better than just duplicating passwords. However, as techraf mentions, if you use a simple algorithm, the security benefits may be trivial.

For instance, a common simple algorithm for A is to use a susbet of the domain name in your password (e.g. abcd1234gmail for gmail.com and abcd1234facebook for facebook.com).

Assuming that the algorithm is something that you want to be able to do in your head, what you really want A to accomplish is to give you good diffusion, so that your generated passwords don't share common substrings. This, combined with a fairly long and complex master password, should give you obscure enough variants, so that even if a few passwords are leaked, they look sufficiently different and do not assist password-cracking tools. Pretty soon, I do envisage more studies comparing passwords for the same users across multiple breaches to find out how passwords are commonly varied.

One recommendation I do have is to use a different master password for your most important accounts (just in case). At the end of the day, this is undoubtedly security through obscurity, but isn't that what password selection is all about?

What would truly be valuable is a good way of generating a family of different algorithms {A}, which can be easily computed in your head? Otherwise, you can use a simple program to generate your password using something like hash(master+domain+salt).

Answer 3

You rely on secrecy and complexity of your algorithm. This is a typical example of security through obscurity:

reliance on the secrecy of the design or implementation as the main method of providing security

So you need to take into account its caveats.

It is a good idea as long as you:

• keep it really secret

  Instead of a secret password, you use a secret algorithm. As it stays in your head, you can assume its secrecy to a certain degree (although this very question already revealed the fact that you might be using one).

  Moving the algorithm outside your head (coding in an app) breaks this condition.

• don't use too often

  Technically it boils down to encrypting site's URL (cleartext) with:

  • a secret algorithm (simple enough to perform calculations in your head)
  • a fixed password (reused key)

  That doesn't sound secure for encryption and given enough samples it is prone to cryptanalysis.

  But in case of passwords to websites, samples would be rather scarce and on top of that would have to come from a number of compromised sources. It would rather be difficult.

• make the outcome really random

  Generally if you use a "relatively simple algorithm" you get relatively weak security. Your original algorithm might not be that original and an experienced cryptanalyst might reverse-engineer it even from small number of samples.

  There's a room for improvement here: if you combine your "in-head" algorithm, use it as an input to a hash/key-derivation function and use its output as the password you enter, it drastically increases the security of the scheme.

  However being still in the realm of security through obscurity: what and how you do it must remain undisclosed and even unhinted.

Answer 4

I would argue this is a good security measure that will noticably increase your general security. The reason I say this is because of the typical threat model of stolen passwords. If you are worried about typical hackers/password dumps, they are unlikely to spend the time and effort trying to reverse engineer your password algorithm, when they could be checking the millions of other passwords they have gotten, or trying to hack in to get more.

Essentially, as long as your passwords differ even slightly site to site, you blend in with the people who have password managers. Notably, if you're worried someone is going to try to hack you specifically, this no longer applies, and they'll notice patterns and similarities between passwords they've collected from multiple dumps. It is very difficult, indeed near impossible, to come up with an algorithm you can do in your head that cannot be reversed via a computer from the results.

Answer 5

This isn't two factor authentication, it's just one: something you know.

2FA isn't valuable because of the algorithm used to generate the token. It's valuable because that algorithm generates a value which can only be generated by a particular object.

Therefore being able to supply that 2FA token proves you are in possession of that object; in other words: something you have.

Maybe your scheme has security merits, but not because it proxies the secure properties of 2FA. For one it seems like an attacker could steal your password once via phishing and continue logging into that site forever.

Answer 6

What you've done is incorporated a scrambling algorithm as part of your overall secret. But scrambling algorithms are not necessarily strong encryption. They're more like puzzles, and they can usually be solved by a dedicated attacker given enough skill, samples, and motivation. (For many examples of people who solve these kinds of problems just for fun, check out puzzles.stackexchange.com.) This leaves all your passwords vulnerable to the weakest sites you visit, not the strongest banking sites.

Example

Let's first assume there are attackers who have the skills. Imagine an unemployed mathematician and puzzle solver, living in a country that's in turmoil, no job prospects, and nothing better to do. Next, let's give him some motivation to attack you - the attacker learns through a boast on facebook that you've got enough money in your retirement account to buy two Lamborghinis. And right now, with this question, you've just told him you use an algorithm to derive all your passwords. He looks up more information about you by following #SOreadytohelp on Twitter. He finds you work at Metacortex, and a bit more googling reveals that Metacortex hosts employee retirement accounts at retirementfundservices.com. So now the only thing standing in the thief's way of your millions is acquiring enough samples to break your algorithm.

I don't know your particular algorithm, but anything simple enough to keep in your head and apply quickly to derive a password is likely not going to survive our attacker if he has three samples; and he'd like a fourth to test his theory. More samples will obviously help him solve the puzzle quicker, with more confidence.

The number of samples needed to crack your algorithm is very important to your security, because your personal security now depends on the total security of all the sites where you use this algorithm, including the weakest of them. But unless you're also a mathematician and puzzle solver, you won't personally know what that number really is. Is it three? Five? If you personally need 20 samples to figure it out, that doesn't guarantee all attackers also need 20 samples to reverse engineer your algorithm - there are many clever people out there.

Assuming the attacker needs only four samples, that means he only has to break into the four weakest sites you visit. Or let's say you previously registered with Adobe, Sony, and Xbox, and those passwords all ended up in pastebin. Now he needs only one more sample. (Let's hope you didn't also sign up on Ashley Madison.) Perhaps the attacker googles you further and discovers you like breeding rabbits as a hobby, and he finds your accounts on rabbit-breeder.org and hobby-rabbit-breeding.com. You can't blame them for not being high security sites, because they have no reason to think they're protecting anything serious like bank accounts. He attacks the first, but they don't have any easy vulnerabilities. He attacks the second with some simple SQL injection, and recovers your password.

Once enough samples have been stolen, the attacker performs the analysis offline, providing no external evidence of success or failure. You simply wake up one morning, check your retirement balance, and discover your money's been transferred to an offshore bank.

Alternatives

You've already considered a purpose built password manager, which is still the best recommendation you're likely to receive.

Consider a hardware tool, like Yubikey or Mooltipass; something you can carry, and that syncs with your online password manager.

You can also successfully use your proposed system by segregating your risk into categories. Low risk sites, like rabbit-breeder.com, get one master password. Medium risk sites, anywhere you use a credit card, get a different master password. High risk sites, anywhere you have banking access, each get their own unique 15+ character password. So now you have to remember only a few passwords, still have good security, and don't need a cumbersome tool.

Answer 7

As I used to use a scheme of this type, I will provide two practical reason to not to use this scheme that I don't see addressed elsewhere.

This scheme will fail if the site you are doing business with changes its name or otherwise gets bought by another company and takes its name. If it is a site you don't visit frequently you might not even realize why your password suddenly does not work.

The second reason to not use this scheme is that every site employs a different criteria for validating passwords.

• The minimum and maximum length allowed for a password
• Whether or not a numeric character is required in the password
• Whether or not a special character is required in the password
• Whether both uppercase and lowercase characters are required
• Whether only uppercase and lowercase characters are required
• Whether non-numeric characters are even allowed (I hate sites that only allow numerics!)
• What special characters are actually allowed

Even if your scheme can somehow deal with all these variations, there is also the question of how to remember which variation a particular site uses. Usually the site will tell you the requirements when you are creating the password but I don't recall ever seeing one that tells you when you are trying to enter your password.

Answer 8

I'm going to be generous, and assume you can create a secure mangling algorithm which you can do in your head to meet your purposes, which can resist being figured out by a dedicated cracker with good hardware. I sincerely doubt this, but for the sake of argument I'll let it be, and focus on the usability of your scheme.

I've answered a similar question before where my main concern that changing the password becomes prohibitive, because you must change every password, but you already thought of that by remembering a version number for each site, which your mangling algorithm takes into account. Again, I'll assume this is done securely, and isn't just a rolling counter or something, for the sake of argument. So now you have one shared master password to remember, one master algorithm to remember, a username to remember for each site, and a version number for each site.

But some sites have conflicting length requirements for their password. I use some sites with a minimum of 10 character passwords. I use a couple others with a maximum of 8 characters. So your algorithm will need to generate a variable length; you need to remember another piece of information for each site now, the length to input into your algorithm.

More conflicts can exist. Does the site require special characters, or prohibit them? What does the site consider a special character at all? That's another 2 pieces of information to remember for each site. Assuming you have around 100 sites that have a password, now we have:

• One master password
• One master algorithm
• Around 100 version numbers
• Around 100 lengths
• Around 100 "require special characters" yes/no inputs
• Around 100 "allowed characters" inputs
• Between 1 and 100 usernames

That's 400-500 pieces of information to remember.

Plus, if you ever need to change your master password, or your algorithm (because somebody figured it out somehow, or you accidentally wrote it down and lost it or something) you're still in the situation of being forced to change every single password and remember a new version number for each.

My guess is, you'll start to write these down, or save them in a file. Now you might as well use a password manager.

Using a password manager, you have one piece of information to remember: your master password for your password manager.

If you do things right, you won't lose your password database. For local managers, it's easy to back up one file to multiple locations, and it's strongly encrypted, so you could even upload it to a cloud. For cloud managers, it's already backed up without you doing anything.

If you're worried about access to the database, consider that most popular password managers have apps to use them on most smartphones.

Heck, you could even use the "remember password" feature of Chrome or Firefox, with a master password if you don't want to deal with installing anything. But I think you're making things way to complicated to avoid using something that will make your life easier and more secure.