3d ago

I have an acquaintance that have their own "password system" that involves having a "core" set of characters, plus a few unique characters for each site; Is that system safe?

Disclaimer: I use a password manager, so please don't direct your comments at me.

So I know this person that says they don't use a password manager because they have a better system like... I'm gonna give an example:

Lets say, a person loves Star Wars, and their favorite character is Yoda. The favorite Their favorite phrase is from The Good Place "This is the Bad Place!". And their favorite date is 1969 July 20th (first landing on moon).

So here:

Star Wars Yoda = SWYd

"This is the Bad Place!" = ThIThBaPl!

1969 July 20 ---> 69 07 20

So they have this "core" password = SWydThIThBaPl!690720

Then for each website, they add the website's first and last 2 characters of the name to the front of the password...

So, "Lemmy Forum" = leum

Add this to the beginning of the "core" password it becomes:

leumSWydThIThBaPl!690720

For Protomail Email it's: prilSWydThIThBaPl!690720

For Amazon Shopping it's: amngSWydThIThBaPl!690720

Get the idea?

The person says that, since the beginning of the password is unique, its "unhackable", and that the attacker would need like 3 samples of the password to figure out their system.

Is this person's "password system" actually secure?

60 comments

There's literally only 4 characters difference between all their passwords, even if those would be completely random, that's very bad.
They don't seem to understand that it's not about how many samples you need to see to be sure what their Amazon password is. The problem is that if one of their passwords ever leaks, some bot can brute-force try thousands of variations on it and find any other password very quickly (they effectively only have to guess 4 characters, plus a bit to find that it's the first 4 to change).
How can anyone think this is more secure than having completely different and long passwords for every site?
They probably don't understand that your pw manager's password is safer because you don't enter it anywhere, only into your password manager (ideally with 2FA). This person is effectively spreading their master password around by putting it as the core of ALL their passwords, significantly increasing the risk that it leaks.
- There’s literally only 4 characters difference between all their passwords, even if those would be completely random, that’s very bad.
  So the 4 characters is just my way to explain their system, I don't actually know how many characters they use in their "unique" part of the password, but the idea is that the unique part of the password is derived from the website.
  
  The relationship is the problem.
  Calculating the levenshtein distance is the first thing that comes to mind, then creating a regular expression that covers any leaked passwords tied to the same account.
  This is all easily scriptable and two leaked passwords might be all a script needs to discover the pattern. Once the pattern is known, all of their passwords become knowable.
  
  Obviously random is better, but uniqueness of passwords is IMO even more important. They are effectively spreading around their master password

60 comments