0

I am wondering about the security of adding a letter in front of a long passphrase to help me have different passphrases for each site I use while not requiring me to remember several different N word sentences.

E.g., if my phrase is the classic "correcthorsebatterystaple", would it be ill-advised to add, say, "f" for facebook, "g" for gmail etc.? I could imagine it both adding one extra character of complexity to the phrase (good), but if inspected by a human, that pattern may be obvious (bad).

Kaspar H
  • 3
  • 1
  • 2
    Possible duplicate of [Patterned password, based on site name](https://security.stackexchange.com/questions/124969/patterned-password-based-on-site-name). Related: [Is there a method of generating site-specific passwords which can be executed in my own head?](https://security.stackexchange.com/questions/1222/is-there-a-method-of-generating-site-specific-passwords-which-can-be-executed-i). – Steffen Ullrich Jul 29 '19 at 12:13

1 Answers1

1

This is a bad idea.

You need your passwords to be unique. Re-using 95% of a previous password doesn't respect this rule, so you should really avoid it.

If an attacker manages to get access to one database with cleartext passwords, he will most likely understand how your password was generated, and will be able to guess all your other passwords.

You should use a password manager instead, they will generate random & unique passwords for you.

Benoit Esnard
  • 13,979
  • 7
  • 65
  • 65
  • 1
    That's what I suspected. I always thought PW managers were scary due to storing all PWs in one place, but I have read more and more about them lately, so I guess its common practice now? – Kaspar H Jul 29 '19 at 12:16
  • 2
    @KasparH pretty much everyone aggrees on the practice of password managers – yeah_well Jul 29 '19 at 12:34
  • @KasparH There is a huge difference between online and offline password managers. An offline password manager, protected by a good KDF and a good master passphrase (or diceware, or a YubiKey) is better than any "rememberable" password. –  Jul 29 '19 at 12:58