41

Let's say I use a 5 word password composed of 4 words plus the name of the website I'm accessing. For example for GitHub, it would be something like "correct battery horse staple github".

How is that different to using a password manager with "correct battery horse staple github" as the master password?

I also have a simpler password for accounts I don't care about or that I suspect might be vulnerable. I assume that everyone but the major companies (Google, Facebook, GitHub, Apple) stores passwords in plain text.

Am I at risk by using this approach?

Michael
  • Simply put, any recognizable pattern is worse than random. – l0b0 Apr 26 '20 at 22:27
  • Having the pattern include the site name seems like an obvious weakness, and a big clue to a potential attacker that there is a pattern. – Peter Cordes Apr 26 '20 at 22:27
  • "slightly" is really the keyword in this question. Yes, obviously, that's only slightly better than using the exact same password everywhere. – Luc Apr 27 '20 at 09:19
  • _How is that different to using a password manager with "correct battery horse staple github" as the master password?_ If you mean not from an algorithmic point of view but from a practical risk point of view, the first difference that comes to my mind is that the likelihood that someone tries to hack Google, Facebook, GitHub, Apple login and makes guesses about your weak password is way greater than the likelihood that someone tries to hack your password manager. – SantiBailors Apr 27 '20 at 19:42
  • The problem is you would be able to remember those passwords. Any password you can remember is insecure. Like l0b0 says. – Harper - Reinstate Monica Apr 28 '20 at 18:35
  • I used to do this. Then one day I was creating an account on a site, and I realized that the site had no automated system for this yet, and it required me to send the username and password I wanted to use directly to the maintainer in an email. I realized that a human was going to look at my password, and it would be obvious to him based on that what my other passwords all were. I then realized that even on other sites, this was a potential problem, as I had no way to be sure how secure the site was in that sense. That's the day I switched to a password manager. – DarthFennec Apr 28 '20 at 23:21
  • Please stop spreading that XKCD meme, it's wrong https://steemit.com/steemstem/@procrastilearner/correct-horse-battery-staple-is-wrong – JohnEye Apr 29 '20 at 13:50
  • @JohnEye I disagree. Your link explains why using a random collection of characters is better than chbs, and that's true, but if you take that approach you need a password manager. xkcd assumes you aren't using one, and it compares chbs to taking a base word and modifying it, which is what most people do. chbs is much better than that alternative, for people who don't use password managers. So chbs is correct, but lastpass etc. is even better. – DarthFennec Oct 06 '20 at 18:10

4 Answers

89

Yes, decent password managers are more secure than using any password pattern.

  • You have a password manager, and it has created random passwords for you:

    1. 6AKQ3)mcV!xX3b8-ZgncCe%tdn!&.@3X
    2. a6/4TFaWKrzTHQyT2Df#;/*+QA$zH2tJ
    3. 9y__&%7jP4UcuG(9f7X6z44C#64bF:m&
    4. 9W649r788_8AU=9272zuGH"=C?2&C66j
    5. nT29HMc$y'H)ww2#D/2x(2sBU#WG23us
  • Versus you have a pattern for your passwords:

    1. correctbatteryhorsestaplegithub
    2. correctbatteryhorsestaplestackexchange
    3. correctbatteryhorsestaplegooogle
    4. correctbatteryhorsestaplesomesite
    5. correctbatteryhorsestapleapple

Site #4 has the bad practice of saving passwords in plain text, and its password database leaks. Now, from the latter it's possible to assume that this is a password pattern you use and deduce that you might have correctbatteryhorsestaplegithub as your password for GitHub etc., but from the random password it's impossible to deduce the other random passwords, as they are completely unrelated.

On the other hand, if your computer gets infected and someone steals both your password manager database and the password (e.g. using a keylogger), they have keys to the kingdom. That's a completely different risk model and requires access to the operating system the password manager is installed on. Against this you need other measures like multi-factor authentication.

Esa Jokinen
  • "requires local access" This isn't quite correct. There are software keyloggers that can be remotely installed onto computers. Physical keyloggers do exist, but they're rare and do require physical access. – Axel Persinger Apr 27 '20 at 12:04
  • @EsaJokinen I'd say that implies you need admin privileges to install a keylogger (I just double checked, you don't). I'd simply say "and requires the ability to install software onto the computer that the password manager is installed on." Hope that clears it up :) – Axel Persinger Apr 27 '20 at 12:19
  • @AxelPersinger: I think it's pretty clear already from the context. Also, a keylogger (software or hardware) alone isn't enough, as it only gives the master password, not the database; and you'd need both to steal the passwords. Also, software able to log keystrokes and steal the database doesn't have to be installed; it's enough that it's running with the privileges of the user or an administrative account. Therefore, I feel the broader term "access" covers the situation better than "ability to install software". But this discussion is too far from the original question anyway. – Esa Jokinen Apr 27 '20 at 12:46
  • Some password managers (like KeePass) allow you to have a composite authentication token using a key file and a password. In which case, you'd also need to steal the key in addition to the password and database. – Celos Apr 27 '20 at 13:09
  • Maybe not Google specifically, but using a password manager I see that over the years I (and I assume I am not the exception) have created accounts on many, many sites. One of those might be a bad apple. – kutschkem Apr 27 '20 at 13:36
  • Does anyone have stats on how "often" (assuming not) any of these password managers have been hacked/exposed user data? To me that's the only possibility of it being less secure, and even with the thousands of passwords to many users EVERYTHING tantalizing hackers, I don't hear of these cases. JW – TCooper Apr 27 '20 at 18:10
  • This answer could be improved by saying why the risk in password managers is less severe than the risk in using a repeated password. One might assume that an attack on password managers would be easy to automate and is already being distributed via malware, but an attack on repeated patterns (such as using correcthorsebatterystapleg1ithub and ...s1tackexchange etc.) would require someone to manually look at the passwords. – JiK Apr 28 '20 at 11:09
  • You can indeed detect a pattern, but wouldn't that require a hacker to target you in particular? Otherwise who would spend time to detect patterns like this on a random password dump? I always assumed those dumps were used to send the same credentials to many services to see who reused the same password everywhere. – Métoule Apr 28 '20 at 13:51
  • @Moyli The "Petya" virus infected M.E.Doc software in 2017 via its source code repository. https://en.wikipedia.org/wiki/Petya_(malware). Yeah, M.E.Doc is not Google, but there are such attacks in the wild, and there is a term "internal threat" for a reason. – Alexander Fadeev Apr 28 '20 at 14:26
  • @Métoule: Well, it's not hard to `grep somesite` the list and find users that use the service name as part of their passwords, so it doesn't require spending time, but is rather easy to automate. For instance, `rockyou.txt` contains `rockyou` 4070 times. – Esa Jokinen Apr 28 '20 at 14:27
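As an added example (not code from the answer above or from any commenter), here is a small Python audit that does, from the defender's side, the two checks this answer and its comments describe: the `grep somesite` check for passwords that embed the leaking site's name, and a shared-stem check across one user's own accounts showing why a single plaintext leak exposes a patterned family while random passwords stay unrelated. The leaked records and the sample vault are constructed for the example; the function names are my own.

```python
from typing import Dict, List, Tuple

# Constructed sample data, not a real breach: what a defender reviewing a
# plaintext credential leak from one site (site #4 in the answer) might see.
LEAKED_SITE = "somesite"
LEAKED_RECORDS = [
    ("alice@example.com", "correctbatteryhorsestaplesomesite"),  # pattern with site name
    ("bob@example.com", "6AKQ3)mcV!xX3b8-ZgncCe%tdn!&.@3X"),     # manager-generated
    ("carol@example.com", "SomeSite-2020!"),                     # site name, decorated
    ("dave@example.com", "hunter2"),                             # weak, but no site name
]

# Constructed sample vault for the "one leak reveals the rest" check:
# three patterned passwords plus one random one.
SAMPLE_VAULT = {
    "github": "correctbatteryhorsestaplegithub",
    "stackexchange": "correctbatteryhorsestaplestackexchange",
    "apple": "correctbatteryhorsestapleapple",
    "bank": "9y__&%7jP4UcuG(9f7X6z44C#64bF:m&",
}


def normalize(text: str) -> str:
    """Lower-case and drop non-alphanumerics so 'Some-Site' still matches 'somesite'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def embeds_site_name(password: str, site: str) -> bool:
    """The `grep somesite` check from the comments: is the site name inside the password?"""
    return normalize(site) in normalize(password)


def flag_site_name_passwords(site: str, records: List[Tuple[str, str]]) -> List[str]:
    """Return the users whose leaked password embeds the leaking site's name."""
    return [user for user, password in records if embeds_site_name(password, site)]


def longest_common_substring(a: str, b: str) -> str:
    """Dynamic-programming longest common substring, used to find a shared stem."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def find_shared_stems(vault: Dict[str, str], min_len: int = 8) -> List[Tuple[str, str, str]]:
    """Flag pairs of accounts whose passwords share a run of at least min_len characters.

    A long shared stem means one plaintext leak exposes the others; truly random
    passwords share at most a character or two by coincidence.
    """
    items = sorted(vault.items())
    hits = []
    for i, (site_a, pw_a) in enumerate(items):
        for site_b, pw_b in items[i + 1:]:
            stem = longest_common_substring(pw_a, pw_b)
            if len(stem) >= min_len:
                hits.append((site_a, site_b, stem))
    return hits


if __name__ == "__main__":
    print("Leaked passwords embedding the site name:",
          flag_site_name_passwords(LEAKED_SITE, LEAKED_RECORDS))
    for site_a, site_b, stem in find_shared_stems(SAMPLE_VAULT):
        print(f"{site_a} and {site_b} share the stem {stem!r}")
```

Run against the sample vault, the three patterned accounts are reported pairwise with the stem `correctbatteryhorsestaple`, while the random `bank` password is never paired with anything; a password manager's built-in audit does essentially this comparison across your whole vault.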
10

Microsoft have done some interesting research into the idea you mention of having a weak password for sites that you don't care about, and conclude that it is a valid strategy.

However, I'd argue that one advantage of a password manager is that you do not have to expend any mental effort working out which sites you don't care about, and more importantly you can't make a misclassification. If you're using a password manager, it's the same number of clicks to have it paste in "password" as "District solid complete warlord cheese".

(By the way, I've found that it is better to use five random words than 30 random characters when generating passwords with my password manager. Sooner or later you will get into a situation where you have to type it into a computer that doesn't have the password manager agent installed.)

Graham Hill
  • I tried to locate the paper; I recall hearing similar advice from MS or some other authoritative source. I think this might be it, but MS has published quite a few papers on password strength and management - https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-2007-64.pdf – Freiheit Apr 27 '20 at 17:05
  • This article is also in a similar vein. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984 – Freiheit Apr 27 '20 at 17:06
  • Does 5 random words have the equivalent entropy of 30 random characters? – Jorge Leitao Apr 28 '20 at 03:36
  • @JorgeLeitao calculate the entropy of 30^52 (assuming upper and lower case) to 5^8000 (assuming 8000 words in a dictionary). The number of combinations is set of symbols ^ number of them, which works out as: 3e+51 v 2e+19. Entropy is log2 of these values. – gbjbaanb Apr 28 '20 at 18:13
  • @gbjbaanb shouldn't it be 52^30 ≙ 171 bit vs. 8000^5 ≙ 65 bit? – Scz Apr 28 '20 at 21:54
  • @Scz yes... I even wrote the words out right and got the numbers wrong, how daft! – gbjbaanb Apr 29 '20 at 10:44
  • @Freiheit the paper was at http://research.microsoft.com/apps/pubs/default.aspx?id=227130 – Graham Hill Apr 30 '20 at 12:04
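To make the entropy comparison in the comments concrete, here is an added Python example (mine, not from the answer or the commenters) that computes the bits for the two policies they discuss and, going one step beyond the comments, for the question's own scheme of four random words plus the site name, both before and after one plaintext copy has leaked. The 52-letter alphabet and 8000-word dictionary are the commenters' numbers; the 1e10 guesses per second offline rate is an assumption used only to turn bits into a time scale.

```python
import math
from typing import Dict

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_random_chars(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def bits_random_words(dictionary_size: int, word_count: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a `dictionary_size`-word list."""
    return word_count * math.log2(dictionary_size)


def bits_site_suffix_scheme(dictionary_size: int, secret_words: int, stem_known: bool) -> float:
    """The question's scheme: random words plus the site name.

    The site name is public, so it contributes nothing against an attacker who
    knows the scheme; once one plaintext password has leaked, the secret stem is
    known too and nothing is left to guess.
    """
    return 0.0 if stem_known else bits_random_words(dictionary_size, secret_words)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at an assumed offline guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = 1e10) -> Dict[str, Dict[str, float]]:
    """Side-by-side table for the policies discussed in the answer and its comments.

    The default guess rate is an assumption for illustration, not a measured figure.
    """
    policies = {
        "30 random chars, 52-letter alphabet": bits_random_chars(52, 30),
        "5 random words, 8000-word list": bits_random_words(8000, 5),
        "4 random words + site name (no leak yet)": bits_site_suffix_scheme(8000, 4, False),
        "4 random words + site name (one plaintext leaked)": bits_site_suffix_scheme(8000, 4, True),
    }
    return {
        name: {"bits": round(bits, 1), "years": years_to_exhaust(bits, guesses_per_second)}
        for name, bits in policies.items()
    }


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:50s} {row['bits']:6.1f} bits  {row['years']:.3g} years")
```

The table reproduces the commenters' 171 versus 65 bits, and shows why the answer's "type five words when there is no agent" trade-off is tolerable while the question's scheme is not: the site name adds no entropy at all, and the scheme's remaining 52 bits drop to zero the moment one site stores the password in the clear.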
4

Using a formulaic password generation method rather than random ones in a password manager changes your threat model.

With a password manager the main threat is that your master password will be discovered. For most people, working with a limited number of trusted devices, this is a low likelihood. However, if you are regularly required to log in to a range of services from many different, potentially untrusted devices (e.g. travelling and using internet cafes, or as a field engineer), then your threat model can change significantly.

With a formulaic password generation mechanism your threat is that the formula is exposed. For a non-trivial formula, that's likely to require human intervention and/or multiple plaintext passwords being available. It is inherently weaker since the passwords can be cracked, but you're vulnerable to a different type of threat, which is likely a more targeted attack.

David258
  • This basically repeats the accepted answer. Did you intend to offer a unique perspective? – schroeder Apr 28 '20 at 12:56
  • To me it sounded different, as the focus of the first answer was on the security of the passwords themselves rather than on the model of the threat, but reading back I can see the model of the threat is mentioned in the last line. If you think that seems enough like a duplicate I'll happily delete this answer. – David258 Apr 28 '20 at 13:05
-5

A password manager is software, and all software is potentially vulnerable, given relative effort. A password manager is also one-for-many, which means someone may spend enough effort to steal information because the gains will be multiplied across many users.

A human logic pattern is safer in my opinion, as long as it is not obvious. My standard password plus site name is still a pattern choice, but a very poor one. Smarter choices will allow you non-recognizable texts without revealing the pattern easily:

Socials:

  • github = bmyMagic&458_ghkg
  • exchange = emyMagic&458_ghke
  • gooogle = emyMagic&458_ghkg
  • facebook = kmyMagic&458_ghkf

Manysites:

  • arandomsite = 23@ar_goeasy
  • justasite = 23@ju_goeasy
  • somestoreibuystuff = 23@so_goeasy
  • apple = 23@ap_goeasy

Importants:

  • bank = gJc$k49k&ci4j65_4l@l@
  • financeforme = gJg$f49f&gi4j65_12l@l@

I separate logins into 3 categories: low, medium and high risk (many sites, social and banks/emails).

For the medium risk, I use the standard myMagic&458_ghk, then add the first letter of the site to the end and the last to the start.

For low risk, I use another standard, 23@_goeasy, and add the first 2 letters after @.

For high risk I use the standard gJ$49&i4j65_l@l@. Then I take the first and last letter of the site and add one letter. So for bank I get b and k and make them c and l. Then I put those letters before and after $ and &; but for & I put the last before and the first after. Finally I add the length of the site name after _.

Seems complicated, but it is not really much once you get used to it. Just keep a hard copy on paper of your 'encryption'. Also make sure you clearly categorize your logins so you know which formula to use for each. You can also categorize differently, like splitting letters into 3 parts and choosing the category by the 1st letter.

No matter what, you remember the method and not the password, and if one password is compromised no other accounts are vulnerable, most likely.

This way you can always 'remember' an unlimited number of different passwords and log in anywhere after ... years! You can also create new accounts without having to invent a new password each time, or use a standard one to remember.

Plus your passwords are never stored anywhere on your device, as you can select 'No' to all automatic password saves. This is very safe. This limits hacking to keystroke or clipboard readers only.

Glorfindel
  • No, human logic is not safer. There is software specifically designed to guess passwords with such "patterns" - once _one_ of the passwords is known, the others are not safe any more. – averell Apr 27 '20 at 15:52
  • Now I am reading my answer I realize that the example formulas I used are far better than my actual ones, which are somewhat ... 8 years old!!! – Stefanos Zilellis Apr 27 '20 at 15:52
  • averell there is, but where is he going to get the passwords from if they are not stored anywhere on the device? Getting them from key loggers or clipboard loggers, how many can be collected? A good sample is needed to analyze patterns - and not only the possible password but the usage spot (the page) as well. So we talk about a large set of pages visited, keystrokes and clipboard data, all with date-times, and ... good luck. Imagine that with just 1 mistake the pattern algorithm will discover nothing good. As a programmer I found it easier to crack a software having all passwords from many people. – Stefanos Zilellis Apr 27 '20 at 16:03
  • The point is that you re-used most of your password. If I just get _one_ of them from a compromised site I can use that to brute-force permutations. If just _one_ becomes publicly known, it _will_ be used as a starting point for hackers that attack other hashed passwords. No keylogger or access to your system is even needed. And _if_ I bother to install a keylogger, it would take maybe two or three samples to figure out your whole "system" and then I have _all_ your passwords. – averell Apr 27 '20 at 16:34
  • Please, just get a password manager. Yes, it's potentially vulnerable, but far less vulnerable than any password scheme that you or I could think up. – pcdev Apr 28 '20 at 03:13
  • averell I believe you need 2 passwords in order to identify the standard and the modified part, and besides key and clipboard loggers the only thing left is phishing to get a password. But I think phishing is out of scope, because with phishing you get a password regardless of any option. I also believe that brute force is limited - most login mechanisms ban the username after repeated attempts that result in an account lock and revival by the original user, but surely not a hack. – Stefanos Zilellis Apr 28 '20 at 10:30
  • pcdev no thank you. In order to get a password you either phish it or use software to get it, or use brute force. Phishing is out of scope. Brute force is a dead technique. Are you aware how many attempts you need on average to force a 50 character password? The most viable hacking today is software that you install yourself and run with admin rights for a reason. And it is supposed to be something else, like a crack or key generator or for managing free something downloading and so on. People get hacked because they install unknown software on their computers that is supposed to do something else. – Stefanos Zilellis Apr 28 '20 at 10:59
  • As for losing your password from security-poor sites, that is what I covered by using 3 categories. Low risk, medium risk and high risk. So chances are 99% that the average hacker that steals my password from somecheapsite.com, which is fghjfgh, will use that to enter my web banking - but the password there is ekjvhfsdkjhskfvnsdfklgh - excluding device access limitations and mobile authentications for critical logins - just password pattern matching there is not just almost impossible, but handicapped. – Stefanos Zilellis Apr 28 '20 at 11:12
  • As for loosing your password from security-poor sites, that is what i covered up using 3 categories. Low risk, medium risk and high risk. So chances are 99% that the average hacker that steals my password from somecheapsite.com which is fghjfgh will use that to enbter my web banking - but the password there is ekjvhfsdkjhskfvnsdfklgh - excluding device access limitations and mobile authentications for critical logins - just password pattern matching there is not just almost impossible, but handicapped. – Stefanos Zilellis Apr 28 '20 at 11:12