
A friend of mine proposed a method of making passwords where each has the same base and added to it is something indirectly related to the site or product being signed into. For example all passwords would start with "AXxY2" and then the one for hotmail.com adds on "any letters?" so the entire password to login to hotmail.com would be "AXxY2any letters?". Is this a good system?

I personally never find reminders or hints useful with passwords so would it be better to use an unrelated unique part for each site? For example instead of having "any letters?" it would be something like "run skip bike climb".

Celeritas

2 Answers


It all depends on how much security you need. The most secure case is to use very long, completely random passwords for every user, but practically speaking, that is also the least usable unless you use a password manager. If you want to maintain the strongest possible security then that is what you should do, but for many people, that level of security simply isn't necessary.

On the far opposite side from that, there is using the same, short, easy to remember password everywhere. This is super easy to use, but it isn't very secure because it can a) be guessed, b) if a user account is compromised in one place, even with the password properly protected, it will be fairly easy for the attacker to figure out what the password is and c) if it is used multiple places, there is a good chance that the attacker will then be able to access other accounts you have as well.

There are any number of hybrid ways you can work between these two extremes. You can have multiple passwords for different security levels (separating basic forum users and news sites from personal data sites from banking and financial sites). There can also be a system of making derived passwords that you can easily remember on some system, but hopefully the system isn't known by an attacker that might find one or two of your passwords, and thus a single compromise wouldn't impact your other accounts.

If there is a chance you may specifically be targeted, then this probably isn't a good idea since most systems you could come up with won't hold up very well against a determined and experienced attacker, but if you are just up against people trying to find accounts from a giant list, chances are pretty good even a simple system of differentiation of passwords will probably be sufficient to protect you.

Ultimately, it is up to you to decide what level of security you need and how much effort you are willing to go through to achieve that level of security.

AJ Henderson
  • I disagree with points b) and c): it is not known to an attacker if the same password is used on different sites and what the login name may be – Celeritas Feb 16 '14 at 07:18
  • @Celeritas - it isn't known, but it is the first thing they will try. When user db's are cracked, they are often placed on the black market along with the user information and password details for any accounts they can figure out the passwords for. Attackers then use these lists to try and find other sites that those people have accounts on that use the same password. – AJ Henderson Feb 16 '14 at 07:51
  • "Attackers then use these lists to try and find other sites that those people have accounts on" right but this wouldn't be known. If cracked db for `xyz.com` has been put on the market and a hacker is trying to get into `abc.com`, even if the same individual used the same password on `abc.com` as they did on `xyz.com` the attacker wouldn't know the username. Or is your scenario supposing they did? Even so it wouldn't be known which sites the individual used the same password/username on. – Celeritas Feb 16 '14 at 09:36
  • This conversation doesn't really pertain to original question so I opened a [new one here](http://security.stackexchange.com/questions/51616/is-it-bad-practice-to-use-the-same-password-on-different-sites) – Celeritas Feb 16 '14 at 09:46

Password re-use, which is what I believe you are referring to, is generally viewed as a bad idea.
I use the BASE+Differentiator method, and perhaps an explanation of my reasoning will help.

Cryptographically, there is some benefit from using a BASE+Differentiator.

Some implementations (which is to say some Applications, Web Sites, etc.) will use a randomly generated salt that is then added to your password/passphrase. The encryption algorithm then produces a one-way hash of your password. That salt is then stored, in their database, with your encrypted password (the hashed value) in order to be able to compare your password each time you attempt to log in. (The salt is again added to your passphrase, the encryption algorithm is run, and the hashed result is compared with what they have stored in your password field). Thus, if someone were to retrieve your hashed password, that hash value would likely be different from site to site, application to application.

Example would be:

    Algorithm: DES3
    Salt: 123
    Passphrase: password
    Resultant Hash: hPh7gd6nmpg=  <-This is stored as your password

Using the same passphrase, same algorithm (DES3) with a different salt value:

    Algorithm: DES3
    Salt: 456  <-Different Salt
    Passphrase: password  <-Same passphrase
    Resultant Hash: PLhThYNi2FE=  <-Different result

There are hashing implementations that do not use a salt, and will produce the same hash value for the same character sequence.

It is important to note that these are one-way Hashing algorithms, so your password cannot be retrieved (easily) from the Hash value. The only purpose it serves is to compare the Hash with a hash generated from the character sequence you typed into the password field. Thus if a site changes algorithms, you will not be able to log in, as your passphrase will generate a different Hash value using a different algorithm, in which case you would have to have your password reset in their system.

Having said that, my reasoning for using a BASE+Differentiator is simple. If someone were to get my plaintext password for Site A (let's say Hotmail), and were to know that I also have a GMail account, or Twitter account, or any number of other accounts (worse... an E-Trade account, etc.), the first thing they will do before trying to perform a computationally expensive brute-force attack, would be to use the password that they already know I use, as it is a reasonable guess that, in an attempt to make life simpler, I re-use passwords.

The BASE+Differentiator method adds a layer of security for the following reason: If they don't know that I use this method, there is a good chance that they will, at best, lock out any other account that they attempt to use that password on. Being unsuccessful with a known password is enough deterrent, usually, to make them resort to a more time and/or computationally expensive attack vector, like social engineering or brute-forcing it... or even better, abandon it altogether.

Usually, more effort into gaining access to other accounts is motivated by something most of us (normal) people have less of than we think (money, trade-secret information, etc.). In that case (suppose you ARE the one with the formula to Coca-Cola), then this added layer of security is enough to slow them down, perhaps long enough for you to realize that someone is attempting to gain access to your information.

To sum up, it is ALWAYS a bad idea to re-use passwords, and knowing that it is difficult to remember a dozen or so passwords (unless you use something like 1Password), BASE+Differentiator is a good, common-sense method.

To make things simple, the Differentiator can be a simple algorithm like:

1. The 2nd letter from the beginning and 2nd letter from the end of the site name
   E.g., Hotmail would be BASE+oi
2. The Stock Ticker of the site you are logging into
   E.g., Hotmail would be BASE+MSFT (Microsoft)

I hope this is helpful.

Chad Kemp
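The two points in the answer above, shown as an added example that is not part of the original post: the server stores a salted one-way hash (so the same plaintext produces different stored values at two sites), and a BASE+Differentiator password recovered from one site does not verify at another. The differentiator follows rule 1 from the answer ("hotmail" gives "oi"); PBKDF2-HMAC-SHA256 stands in for the answer's DES3 illustration, and the salts and base "AXxY2" are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Rule 1 from the answer: 2nd letter from the start + 2nd letter from the end
# of the site name, so "hotmail" -> "oi".
def differentiator(site: str) -> str:
    name = site.lower().split(".")[0]          # "hotmail.com" -> "hotmail"
    if len(name) < 4:
        raise ValueError("site name too short for the 2nd/2nd rule")
    return name[1] + name[-2]

def derive_password(base: str, site: str) -> str:
    return base + differentiator(site)

# Server side: a salted, slow, one-way hash. The salt is stored next to the
# digest and re-applied at every login attempt, exactly as the answer describes.
ITERATIONS = 200_000

def store_password(password: str, salt: Optional[bytes] = None) -> tuple:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison

def demo(base: str = "AXxY2") -> dict:
    # Constructed fixed salts so the run is reproducible; real sites draw them at random.
    sites = {"hotmail.com": b"salt-hotmail-0001", "gmail.com": b"salt-gmail---0002"}
    records = {s: store_password(derive_password(base, s), salt) for s, salt in sites.items()}
    # Same plaintext registered at two sites still yields two different stored digests.
    h1 = store_password("password", sites["hotmail.com"])[1]
    h2 = store_password("password", sites["gmail.com"])[1]
    # A plaintext recovered from hotmail.com does not open gmail.com under this scheme.
    leaked = derive_password(base, "hotmail.com")
    gmail_salt, gmail_digest = records["gmail.com"]
    return {
        "hotmail_password": leaked,
        "salted_hashes_differ": h1 != h2,
        "own_login_works": verify_password(leaked, *records["hotmail.com"]),
        "cross_site_reuse_fails": not verify_password(leaked, gmail_salt, gmail_digest),
    }

if __name__ == "__main__":
    print(demo())
```

The protection rests on the rule staying private: two leaked plaintexts from the same person are enough to reveal the shared base and the pattern, which is why the first answer reserves this approach for accounts that are not worth a targeted attack.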