0

It is clear to me that using the same password for different websites is a bad idea because if an attacker manages to get a hold of your password, then he can gain access to the other websites in which you are using the same password.

However, I was wondering if it would be safe to have the same base string in all passwords, then append more characters to the end which would make the password unique. For example, if I have the base string "p@ssw0rd" then on one website I would use the password "p@ssw0rdstring1" and on a different website I would use the password "p@ssw0rdstring2".

Is this method safe? if not, why? and which attacks is this method vulnerable to?

yubuntu
  • 11
  • 2

2 Answers2

4

The biggest issue is that, if two of your passwords leak, an attacker will be able to find a pattern within your passwords. This would allow him to generate a dictionary attack by applying the found logic to other recovered hashes to try and find your other passwords.

p@ssw0rdstring1 and p@ssw0rdstring2 only differ one character. This means that an attacker can easily guess you will probably also have used p@ssw0rdstring3 or p@ssw0rdstring4. While you can use a password base to increase the length of your password it will not increase security if an attacker knows you are always using this prefix.

While you are not specifying how you will choose the rest of your password, I must insist not to use anything which is site specific. So what comes after your password base should be completely random. If it's random you should remember it per website, which means that per website you need to remember a password, so why not remember something random completely without using a base?

If you have difficulties remembering passwords you should try to use a password manager like KeePass or Passwordsafe. Passwords managers allow you to choose different passwords per website. These passwords are protected by a single keyfile and/or password. Choosing a unique password, which you do not repeat, is of the essence here.

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
  • 1
    +1. But even with only **1** decrypted password, the attacker could feed that to the brute force engines so that the engine first tries any combination of any subset of that decrypted password. It would mean many more combination to try than if the attacker had 2 decrypted passwords, but still it would still greatly reduce the possibilities to try (or put them in "front" of the tried combinations, allowing to gain time if it turns out you re-used some characters) – Olivier Dulac Dec 27 '13 at 10:31
1

In the strictest sense, yes you are giving the attacker more clues, and more information is always more valuable than less.

In practice, the notion of an attacker either obtaining multiple plaintext passwords for the same user, or gaining much of anything from solid (long, letters+nums+symbols) base password, is fairly arcane.

blah44
  • 141
  • 5
  • Gaining multiple passwords for a single user is easier than you might think. See https://haveibeenpwned.com/ – Ladadadada Dec 27 '13 at 12:00