3

Been wanting to transition to a password manager for a while. I have done my reading and research, so I know all the benefits of using a password manager instead of using the same 3 passwords across all sites. One thing that still scares me is "putting all my eggs in one basket". However unlikely, if my password vault is compromised, then essentially all of my accounts are hacked. The probability of that is small (LastPass got hacked, and the attacker brute-forced open my vault), but the impact is huge. This has been the main reason holding me back from using a password manager.

What if I used a password manager in conjunction with a password that is only in my head? So the actual password for my account is 2 parts, first from the password manager, second coming from my head, concatenated together. The second part would be something that is common to all accounts, but not written down/stored anywhere.

The only downside I can see is that password autofill will not work, but the full passwords to my accounts are never stored anywhere.

Is this a better scheme? I get the benefit of complex password without reuse, and even a cracked password vault won't reveal my actual passwords.

Jack W
  • 31
  • 1

3 Answers

2

Your scheme feels inconvenient to the point that IMO it is not worth the trouble I would subject myself to.

I trust password managers enough (LastPass) to protect passwords. All the data they store in the cloud is encrypted - it is only ever decrypted locally on your browser.

If anything I would worry about the bigger problem that not all websites follow best practices for password management/hashing, so having just the password, no matter how well guarded, is not enough.

My recommendation is let the password manager take care of the passwords, but make sure to enable second factor authentication (2FA) for important sites.

If a site does not support 2FA of some sort, I would hope it is not an important site... make sure it doesn't store credit card or sensitive information about you.

HTKLee
  • 1,812
  • 15
  • 30
1

Certain password managers (e.g. KeePass) allow you to authenticate using a combination of master password and a key file (which you can keep on a USB), which is basically an alternate version of 2FA. This method is completely offline since the password file is stored on your disk. If you do not trust third-party storage of your password file (such as an online app like LastPass) you can opt for this.

jonna_983
  • 94
  • 6
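As an added illustration of the master-password-plus-key-file combination this answer describes (this is not code from KeePass or from the answer's author): the two factors are each hashed and folded into one composite key, modelled loosely on how KeePass builds its composite key; the exact construction here is an assumption, not the project's own. The vault stores only a salt and an HMAC verifier, so the unlock check passes only when both factors are present, which also shows the practical caveat: lose the key file and the vault stays shut.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 100_000
VERIFIER_LABEL = b"vault-verifier"


def composite_key(master_password: str, key_file_bytes: Optional[bytes]) -> bytes:
    """Fold both factors into one 32-byte value.  Each component is hashed
    on its own and the concatenation is hashed again (assumption: loosely
    modelled on KeePass's composite key).  Any missing or wrong component
    produces a completely different key."""
    parts = [hashlib.sha256(master_password.encode()).digest()]
    if key_file_bytes is not None:
        parts.append(hashlib.sha256(key_file_bytes).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def new_key_file() -> bytes:
    """Random key-file contents, as a manager would generate on the USB stick."""
    return secrets.token_bytes(64)


def _vault_key(master_password: str, key_file_bytes: Optional[bytes], salt: bytes) -> bytes:
    # Slow KDF on top of the composite key, so guessing stays expensive.
    return hashlib.pbkdf2_hmac("sha256", composite_key(master_password, key_file_bytes),
                               salt, KDF_ITERATIONS)


def create_vault(master_password: str, key_file_bytes: bytes) -> dict:
    """The vault keeps a salt and an HMAC verifier; neither reveals the factors."""
    salt = secrets.token_bytes(16)
    key = _vault_key(master_password, key_file_bytes, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(vault: dict, master_password: str, key_file_bytes: Optional[bytes]) -> bool:
    key = _vault_key(master_password, key_file_bytes, vault["salt"])
    candidate = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault["verifier"])


def demo() -> dict:
    # Constructed master password and key file for the demonstration.
    key_file = new_key_file()
    vault = create_vault("correct horse battery", key_file)
    return {
        "both_factors": unlock(vault, "correct horse battery", key_file),
        "password_only": unlock(vault, "correct horse battery", None),
        "key_file_only": unlock(vault, "", key_file),
        "wrong_key_file": unlock(vault, "correct horse battery", new_key_file()),
    }


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:15} -> {'unlocked' if opened else 'locked'}")
```

Only the combination opens the vault; the password-only and key-file-only cases fail just like a wrong key file does, which is why the key file needs a backup kept separately from the password.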
0

If you are worried about automated attacks (e.g. a large-scale breach, with bots trying to log in to loads of different accounts) this may be a sound strategy. Just adding a single letter to all passwords would stop a dumb bot, and if you are uninteresting enough no one might bother investigating why it doesn't work. Personally, I would find it to be too inconvenient, but that is more of a personal preference.

On the other hand, if you are worried about a targeted attack I am not so convinced that this is a good idea. You can assume at least one of your passwords will be leaked, so an attacker could figure out your pattern. Changing all passwords every time one is leaked quickly becomes unfeasible.

So instead, maybe you should just take the extra bit of password you have to memorize and append it to your master password. That could stop your vault from being breached in the first place!

Anders
  • 65,052
  • 24
  • 180
  • 218
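Added example, not part of this answer or of any password manager, modelling the two situations it contrasts. Scheme A is the question's concatenation (vault entry plus a memorized suffix) in the hands of someone who has cracked the vault and also holds one leaked site password; scheme B folds the memorized secret into the master password so the vault key itself depends on it, and a dictionary attack on the master alone fails even when the real master is in the list. The sample entries are constructed, and the toy stream cipher (SHA-256 keystream XOR plus an HMAC tag) stands in for real vault encryption purely for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample vault contents (not real credentials).
SAMPLE_ENTRIES = {
    "mail.example": "Qz8vK2pLm4Rt",
    "bank.example": "Xc7Hn3WqYb9F",
    "shop.example": "Lp5Td6GkZs2N",
}

# --- Scheme A: the question's proposal ---------------------------------
# Site password = entry stored in the vault + secret kept only in memory.

def scheme_a_site_password(vault_entry: str, memorized: str) -> str:
    return vault_entry + memorized


def scheme_a_attack(cracked_entries: Dict[str, str], leaked_site: str,
                    leaked_password: str) -> Optional[Dict[str, str]]:
    """Threat modelled in the answer: the vault is cracked (entries known)
    and one site's full password has leaked.  The shared suffix falls out by
    subtraction, and with it every other site's full password."""
    entry = cracked_entries.get(leaked_site)
    if entry is None or not leaked_password.startswith(entry):
        return None
    suffix = leaked_password[len(entry):]
    return {site: scheme_a_site_password(e, suffix)
            for site, e in cracked_entries.items()}


# --- Scheme B: the answer's suggestion ---------------------------------
# The memorized secret is appended to the master password before key
# derivation, so the vault cannot be opened without it.

KDF_ITERATIONS = 100_000


def derive_vault_key(master: str, memorized: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", (master + memorized).encode(),
                               salt, KDF_ITERATIONS)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo only: SHA-256 counter-mode keystream."""
    stream = b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def scheme_b_lock(entries: Dict[str, str], master: str, memorized: str) -> dict:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_vault_key(master, memorized, salt)
    plaintext = "\n".join(f"{s}\t{p}" for s, p in entries.items()).encode()
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def scheme_b_unlock(vault: dict, master: str, memorized: str = "") -> Optional[Dict[str, str]]:
    key = derive_vault_key(master, memorized, vault["salt"])
    expected = hmac.new(key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None  # wrong master, wrong/missing memorized part, or tampering
    text = _keystream_xor(key, vault["nonce"], vault["ct"]).decode()
    return dict(line.split("\t", 1) for line in text.split("\n")) if text else {}


def dictionary_attack(vault: dict, candidate_masters) -> Optional[tuple]:
    """Guessing the master password alone, without the memorized part."""
    for guess in candidate_masters:
        entries = scheme_b_unlock(vault, guess)
        if entries is not None:
            return guess, entries
    return None


if __name__ == "__main__":
    leaked = scheme_a_site_password(SAMPLE_ENTRIES["mail.example"], "tiger7")
    print("scheme A, all passwords recovered:", scheme_a_attack(SAMPLE_ENTRIES, "mail.example", leaked))
    vault = scheme_b_lock(SAMPLE_ENTRIES, "correct horse", "tiger7")
    print("scheme B, master guessed but no memorized part:", dictionary_attack(vault, ["password", "correct horse"]))
    print("scheme B, both parts:", scheme_b_unlock(vault, "correct horse", "tiger7"))
```

Under scheme A a single leak plus the cracked vault yields every account; under scheme B the same memorized secret protects the vault itself, and a leaked site password is just one random string that says nothing about the others.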