
It seems to be generally accepted that the same password should not be used for different sites or devices. How different should passwords be? For example, +_^gum<JW1 and +_^gum<JW2 are very similar. Does it matter what the passwords are used for? For example, having two e-mail accounts with similar passwords may be poor security, but would having an e-mail account and an encrypted USB device with similar passwords be better? What if two or more passwords follow a pattern or relation? For example, applesorangesbannans and pottatoescarrotsturnips

I have read that all passwords should be random. This is ideal but not feasible.

  1. It is most difficult to remember and password managers may not be a viable option (for example password to memory stick you carry with you).
  2. It has been stated that computers should not be used to create random passwords.
  3. On some devices, such as smartphones, it's very hard to type long complex passwords.
Celeritas
  • If you're using password1, you should change it to password2... It's amazing how common the use of password1 is... Seriously, the change must be such that it can't be guessed by people who know you. And 2-3 characters is not a password change, in reality, humans have a bad habit of creating patterns and a little knowledge about them shows their habitual patterns. – Fiasco Labs Dec 16 '15 at 07:39
  • `+_^gum – dan Dec 16 '15 at 07:48

4 Answers

9

I have read that all passwords should be random. This is ideal but not feasible.

Why not?

1) It is most difficult to remember and password managers may not be a viable option (for example password to memory stick you carry with you).

Why isn't it feasible? I do it all the time.

2) It has been stated that computers should not be used to create random passwords.

Where is this stated? This is blatantly false.

3) Some devices it's very hard to type long complex passwords in, such as smartphones.

Smartphones have password manager apps as well. They allow you to copy and paste passwords stored in them.

  • 1) You remember random passwords all the time? – Celeritas Apr 22 '14 at 08:58
  • @Celeritas Password managers..... – Apr 22 '14 at 08:58
  • But then you have to have the password manager and database with you. Sometimes this isn't feasible. For example you may not have permission to install the password manager, or you may need to do it too frequently. – Celeritas Apr 22 '14 at 08:59
  • 2) http://security.stackexchange.com/questions/17940/is-it-safe-to-generate-passwords-online/17944#17944 – Celeritas Apr 22 '14 at 09:00
  • So you're saying maintain a database of passwords on a smartphone? That itself sounds difficult (again because of all the typing of random characters on a small keyboard). Is there an app that lets you type them on a different computer and syncs the database to the smartphone? Sort of like lastpass, but it doesn't have a free android app. – Celeritas Apr 22 '14 at 09:03
  • 1. You should not generate passwords **ONLINE**. This doesn't mean that you shouldn't generate passwords locally on your computer.... 2. Yes, it's called keepass and dropbox. – Apr 22 '14 at 09:04
  • Normally you'd *create* the database (for e.g. KeePass) on a computer and *use* it on a smartphone. And if you have your smartphone with your password database, and you don't have a keyfob, and you can't install things...then you can still open up your password manager on your phone and type it into the computer. – Ben Dec 16 '15 at 04:47
  • One concern with computer-generated passwords is that often they do not use a good random number generator. But if you know that the password generator uses a high-quality cryptographically secure pseudo-random number generator (like the generator built into KeePass) then computer-generated passwords should be fine. – Ben Dec 16 '15 at 15:20
1

If you use a discernible pattern to create your password, then if one site you use gets its passwords leaked, crackers can throw that pattern into a rule for their tools. The next time a different site you care about has its hash table leaked, your password pattern might be part of the attack. It's not difficult to try all numbers in place of the 1 at the end of your first example. And 3 common fruit/vegetable names will probably fall relatively quickly as well. Now you can use 5-6 common randomly chosen words for great security, but many websites won't accept anything that long, and nobody really wants to memorize dozens of those, so you're better off just using a password manager.

Ben
1

Your passwords should be as different as necessary to prevent your worst enemy from guessing any of them with any previous knowledge. This worst enemy might be a robot built to guess passwords and fed with hints.

  1. Write down 2 of your passwords.
  2. Ask yourself: is it clear that these 2 passwords will work on the same account?
  3. Act.
dan
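Ben's answer says that a leaked password with a visible pattern becomes a rule in a cracking tool, and dan's answer asks you to look at two of your own passwords and judge whether one obviously gives away the other. The check below, added here as an example and not code from either answer, is the defender's version of that judgement: a password-history check a site or password manager could run when a user picks a new password. It normalizes both strings the way a rule set would treat them (case folded, common symbol-for-letter substitutions undone, appended counters and surrounding punctuation stripped) and compares them by edit distance; a second check splits the candidate into dictionary words to catch the "three common fruit names" case. `LEET`, `WORDLIST` and the threshold of 2 edits are constructed for this example.

```python
"""Flag a new password that is an obvious variant of one already in use.

Added example (not code from the thread): normalize two passwords the way a
rule-based cracker would mutate them, then compare by edit distance, and
separately test whether a password is nothing but dictionary words.
"""
import re

# Common substitutions a rule set undoes; constructed for this example.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Tiny constructed word list; a real check would load a full dictionary.
WORDLIST = {"apples", "oranges", "bananas", "potatoes", "carrots", "turnips",
            "summer", "winter", "password", "gum", "and"}


def normalize(pw: str) -> str:
    """Reduce a password to the core a rule-based cracker would start from."""
    s = pw.lower()
    s = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", s)  # surrounding punctuation
    s = re.sub(r"^\d+|\d+$", "", s)                # prepended/appended counters
    return s.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` differs from `old` by only a few edits after normalization."""
    a, b = normalize(old), normalize(new)
    if not a or not b:                 # e.g. all-digit passwords: compare raw
        a, b = old.lower(), new.lower()
    return levenshtein(a, b) <= max_distance


def segment(pw: str, words=WORDLIST):
    """Split `pw` into dictionary words, or return None if that is impossible."""
    s = pw.lower()
    best = [None] * (len(s) + 1)       # best[i] = word list covering s[:i]
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                best[i] = best[j] + [s[j:i]]
                break
    return best[len(s)]


def check_new_password(history, candidate: str):
    """Return the reasons to reject `candidate`; an empty list means it passes."""
    reasons = []
    for old in history:
        if is_variant(old, candidate):
            reasons.append(f"too similar to a previous password ({old!r})")
    words = segment(candidate)
    if candidate and words is not None:
        reasons.append(f"made only of dictionary words: {words}")
    return reasons


if __name__ == "__main__":
    # The question's own examples: a counter bump, and a string of plant names.
    print(check_new_password(["+_^gum<JW1"], "+_^gum<JW2"))
    print(check_new_password([], "applesorangesbananas"))
```

With the question's first pair, `normalize` maps both `+_^gum<JW1` and `+_^gum<JW2` to `gum<jw`, so the edit distance is 0 and the candidate is rejected; `P@ssw0rd` against `password1` is rejected the same way once the substitutions are undone. The two plant-name strings are far apart by edit distance, which is exactly why the dictionary-word check is needed as a separate test.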
0

See http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength and https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

When you use 4 or 5 random words that are easy (for you) to remember, all lowercase, 25-30 characters, you're very safe. The only catch is that some websites will not accept this.

SPRBRN
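Two points in the thread call for the same small piece of code: Ben's comment that computer-generated passwords are fine when the generator is a cryptographically secure one, and SPRBRN's answer that 4 or 5 random lowercase words are very safe. The script below is an added example, not code from the thread or from KeePass or zxcvbn. It draws passwords and passphrases from Python's `secrets` module (backed by the operating system's cryptographic generator, never the `random` module) and reports the entropy in bits of each scheme, so a random-character password can be set against a word passphrase on equal terms. `WORDS` is a 32-word constructed sample, so it yields only 5 bits per word; the same formula applied to a real list of several thousand words gives the figures a generator would actually offer, and the guess rate in `years_to_exhaust` is an assumed placeholder, not a measurement.

```python
"""Generate passwords with a CSPRNG and compare the guessing work they impose.

Added example, not code from the thread. Uses `secrets` (OS-backed CSPRNG)
and reports bits of entropy for a random-character password versus a
random-word passphrase.
"""
import math
import secrets
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed 32-word sample (2**5 entries, hence exactly 5 bits per pick).
WORDS = ("apple", "bridge", "candle", "desert", "engine", "falcon", "garden",
         "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
         "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
         "velvet", "walnut", "yellow", "zipper", "anchor", "basket", "copper",
         "dragon", "ember", "forest", "glacier")
assert len(WORDS) == 32


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 12, alphabet: str = CHARSET) -> str:
    """Uniformly random characters from `alphabet`, drawn with the CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 4, words=WORDS, sep: str = "") -> str:
    """`n_words` uniformly random words joined by `sep` (empty, as in the answer)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every value of a `bits`-bit space at an ASSUMED guess rate.

    The default rate is a placeholder for illustration; real rates depend on
    the password hash in use and the attacker's hardware.
    """
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def main() -> None:
    pw = random_password(12)
    pp = random_passphrase(5, sep=" ")
    print(f"12-char password  {pw!r}: {entropy_bits(len(CHARSET), 12):.1f} bits")
    print(f"5-word passphrase {pp!r}: {entropy_bits(len(WORDS), 5):.1f} bits "
          f"(from the {len(WORDS)}-word sample list)")
    # Same passphrase shape drawn from a 7776-word list (6**5, a five-dice list):
    b = entropy_bits(7776, 5)
    print(f"5 words from a 7776-word list: {b:.1f} bits, "
          f"{years_to_exhaust(b):,.0f} years to exhaust at 1e10 guesses/s")


if __name__ == "__main__":
    main()
```

Running it shows the comparison the thread is making: 12 characters from the full printable set give about 78.7 bits, while 5 words from a 7776-word list give about 64.6 bits from a string that is far easier to type on a phone keyboard; which one is acceptable for a given site is a policy call, but the entropy is the number to compare, not the length or the mix of symbols.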