Disclaimer: I use a password manager, so please don’t direct your comments at me.


So I know this person who says they don’t use a password manager because they have a better system, like… I’m gonna give an example:

Let’s say a person loves Star Wars, and their favorite character is Yoda. Their favorite phrase is from The Good Place: “This is the Bad Place!”. And their favorite date is 1969 July 20th (first landing on the moon).

So here:

Star Wars Yoda = SWYd

“This is the Bad Place!” = ThIThBaPl!

1969 July 20 —> 69 07 20

So they have this “core” password = SWydThIThBaPl!690720

Then for each website, they add the website’s first and last 2 characters of the name to the front of the password…

So, “Lemmy Forum” = leum

Add this to the beginning of the “core” password it becomes:

leumSWydThIThBaPl!690720

For Protomail Email it’s: prilSWydThIThBaPl!690720

For Amazon Shopping it’s: amngSWydThIThBaPl!690720

Get the idea?

The person says that, since the beginning of the password is unique, it’s “unhackable”, and that the attacker would need like 3 samples of the password to figure out their system.

Is this person’s “password system” actually secure?

  • F04118F@feddit.nl · 2 months ago

    There’s literally only 4 characters difference between all their passwords, even if those would be completely random, that’s very bad.

    They don’t seem to understand that it’s not about how many samples you need to see to be sure what their Amazon password is. The problem is that if one of their passwords ever leaks, some bot can brute-force try thousands of variations on it and find any other password very quickly (they effectively only have to guess 4 characters, plus a bit to find that it’s the first 4 to change).

    How can anyone think this is more secure than having completely different and long passwords for every site?

    They probably don’t understand that your pw manager’s password is safer because you don’t enter it anywhere, only into your password manager (ideally with 2FA). This person is effectively spreading their master password around by putting it as the core of ALL their passwords, significantly increasing the risk that it leaks.

    • throwawayacc0430@sh.itjust.works (OP) · 2 months ago (edited)

      There’s literally only 4 characters difference between all their passwords, even if those would be completely random, that’s very bad.

      So the 4 characters is just my way to explain their system, I don’t actually know how many characters they use in their “unique” part of the password, but the idea is that the unique part of the password is derived from the website.

      • F04118F@feddit.nl · 2 months ago

        Obviously random is better, but uniqueness of passwords is IMO even more important. They are effectively spreading around their master password

  • rottingleaf@lemmy.world · 2 months ago

    A phrase is better:

    unlucky friendly monkey got raped by feral donkeys the monkey ran away from donkeys led astray

    It’s not very different from a sequence of 13 symbols, but there are many more words in the English lexicon than symbols in ASCII plus 10, and the password becomes easier to memorize.

    This is also an adaptation of a joke from a Russian cyberpunk novel, one of the last good things by its author, called “Labyrinth of reflections”. It’s still very good BTW.

    One friend of mine has a very good taste in books and poetry, but when you talk to him, you wouldn’t think that. He spews bullshit about “patriotism”, alternative history, “anti-male laws” and such, believes that he can feel energies, and the only way to notice there’s something much better buried underneath is to talk about random life events for a long time, not trying to fix on anything in particular or reason logically. Yet every book he’s recommended has been precious to me.

    • Tiger@sh.itjust.works · 2 months ago

      Phrases or words are good, but they should be random - not from known passages in poems, books, movies, etc., at least not without significant alteration.

  • FriendOfDeSoto@startrek.website · 2 months ago (edited)

    I would say this system is safe until one password - through no fault of their own - gets leaked. Worse even, two of them. If a bored hacker sees them in a stolen list, they could go to town on all other accounts. So you should advise your acquaintance to change their system. Long passwords are great but if they repeat a lot of characters they are immediately less useful. If the repeating string is known it makes brute-forcing other accounts that much easier.

    The best advice is to keep unique passwords for all accounts. And by unique I mean not following a system like that. Long, random, non-sensical crap is best (but also most annoying) - for now. Once quantum computers become a thing, all this probably won’t matter any more.

    Edit: And always with non-SMS, non-emailed 2FA. But if those are the only options available it’s better than nothing.

  • JeeBaiChow@lemmy.world · 2 months ago

    I used to do this. Have a system for generating a unique password for each site. But then one site got hacked and I had to reset my password, and I couldn’t use the old password. So I had to make a new system. You see the problem.

    • Takapapatapaka@lemmy.world · 2 months ago

      A solution to this is to keep adding elements to the chain to create a new password. Like your base password is FavouriteCharacter2025siteletters, and if you need to change it, go for FavouriteCharacter2025siteletters!!!

      If you add the same element across accounts when you need to change a pw, it’s still easy to remember, just a few more tries when you forget it, it’s still useful against database leaks, and it’s not worse when it comes to targeted hacks.

  • mel ♀@jlai.lu · 2 months ago

    If this person is scared to have passwords stored, you can talk to them about lesspass. It is available as a website where everything happens inside the browser, as a browser plugin, or as an Android app, and it uses crypto derivation to generate unique passwords for each site.
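As an added illustration (not code from this thread, and not LessPass’s actual algorithm), the Python below shows what “crypto derivation” of per-site passwords means, and puts a number on the point made in the first reply: once one “core + 4-letter site tag” password leaks, only the tag is left to distinguish the others. The master secret, login and site names are constructed sample values, and the derivation is a PBKDF2-based sketch of the idea.

```python
import hashlib
import math
import string

# Constructed sample values for the demo; not real credentials.
DEMO_MASTER_SECRET = "correct-horse-battery-staple-demo"
DEMO_LOGIN = "alice@example.org"

# Output alphabet: 52 letters + 10 digits + 13 symbols = 75 characters.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def derive_site_password(master_secret, site, login, counter=1, length=20):
    """Deterministically derive a per-site password from one memorised secret.

    The site name, login and a rotation counter form the salt, so each
    (site, login) pair yields an unrelated password, and bumping the counter
    rotates one site's password without touching the master secret. PBKDF2
    with a high iteration count keeps offline guessing of the master secret
    slow even if a derived password leaks. (Sketch of the idea; LessPass's
    real algorithm differs in detail.)
    """
    salt = f"{site.strip().lower()}|{login}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt,
                              100_000, dklen=2 * length)
    # Two derived bytes per output character keep modulo bias negligible.
    return "".join(
        ALPHABET[int.from_bytes(key[2 * i:2 * i + 2], "big") % len(ALPHABET)]
        for i in range(length)
    )


def longest_common_substring(a, b):
    """Length of the longest run of characters shared by two strings."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, start=1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def residual_search_space(variable_chars, alphabet_size):
    """Candidates left for a sibling password once one password of a
    'core + site tag' scheme has leaked: only the tag is still unknown."""
    return alphabet_size ** variable_chars


def entropy_bits(candidates):
    """Guessing effort expressed as bits."""
    return math.log2(candidates)


if __name__ == "__main__":
    # The scheme from the post: 20 shared characters plus a 4-letter site tag.
    shared = longest_common_substring("leumSWydThIThBaPl!690720",
                                      "prilSWydThIThBaPl!690720")
    print(f"scheme from the post: {shared} of 24 characters shared")
    print(f"tags left to try after one leak: {residual_search_space(4, 26)}")
    print(f"  ~{entropy_bits(residual_search_space(4, 26)):.1f} bits")

    pw_forum = derive_site_password(DEMO_MASTER_SECRET, "lemmy.world", DEMO_LOGIN)
    pw_mail = derive_site_password(DEMO_MASTER_SECRET, "proton.me", DEMO_LOGIN)
    print(f"derived: {pw_forum} / {pw_mail}")
    print(f"longest shared run: {longest_common_substring(pw_forum, pw_mail)}")
    print(f"  ~{entropy_bits(len(ALPHABET) ** 20):.1f} bits per derived password")
```

Two derived passwords share nothing beyond chance, so a leak of one tells an attacker nothing about the other without first recovering the master secret through 100,000-iteration PBKDF2; the post’s scheme, by contrast, leaves 26^4 (about 19 bits) of work between any leaked password and every sibling.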

  • TranslateErr0rs@lemmy.world · 2 months ago

    I get the idea, as I used to do this too. Having secure & different passwords everywhere is just the basic way to go. As such, I don’t think, though, that it’s a good idea to put a system in your passwords. Hacking attempts are automated and getting smarter every day. It’s only a matter of time until someone unleashes an AI to look for patterns and you are toast.

    I recommend using a decent password manager that generates them for you and as much MFA as possible.

  • zxqwas@lemmy.world · 2 months ago

    Better than a lot of other methods. What are you protecting, from whom, and how annoying would it be to recover if it went wrong? I don’t use a password manager because I’d lose the file for sure and it would be just as inconvenient to recover as if someone hacked me. I also don’t have any sensitive stuff. At work, on the other hand, I have a password manager.

    The lowest hanging fruit is using a leaked/hacked/stolen list of accounts/emails and passwords and trying them on other sites. You should be safe from that.

    If you have sensitive information that someone would be willing to break the law and spend a few thousand dollars to get, you’re not safe.

  • Yermaw@lemm.ee · 2 months ago

    It’s secure enough for the average person. If your friend was a big deal, super rich or powerful and a massive target, it would be easy enough to figure out.

    I doubt it would be worthwhile trying to crack that particular code for the average joe.

  • BananaTrifleViolin@lemmy.world · 2 months ago (edited)

    So no, this is not safe. Once you have a system it is easier to crack, because if someone has 2 or more of your passwords they can work out there is a system, and it’d make it much easier to crack others if they’re determined.

    It is unlikely that someone random would specifically target a person and systematically try and crack their passwords. If that were to happen it’d most likely be someone they know - and this does happen sometimes. So while the passwords are definitely flawed, it may not be something that anyone takes the time to exploit. But you can never say never.

    The best way to manage passwords probably remains a secure password manager and a randomly generated series of characters for each site. If it’s truly random then there are no shortcuts and every single password stands independently. The password manager gets round the issue of memorising them.

  • SkavarSharraddas@gehirneimer.de · 2 months ago

    If you’re using a password on one site you’re trusting that site to keep that password safe, so that only you can access your account.

    If you’re using one password everywhere you’re trusting the weakest site to keep your most important account safe, which is obviously a bad idea.

    Your friend is trusting the weakest sites he uses (or used at any point in the past) to keep his password scheme safe. Not quite as obviously bad, but to me it doesn’t seem to be a particularly good idea either.

  • Liam Mayfair@lemmy.sdf.org · 2 months ago

    That system is vulnerable to social engineering attacks. If hackers found out all their favourite things that lead to the core part of the password, guessing the prefix wouldn’t be that hard. Also, what would your friend do if one of these passwords got compromised and they had to change it? Would he just add a 1 to the site-specific part of the password?

      • Tiger@sh.itjust.works · 2 months ago

        Hackers aren’t always using the login interface, sometimes they’re beyond that and have access to the database of password hashes, and they’re trying to crack the password that can be entered to match a hash and get to try as many times as they like on their own away from the target system.

      • Liam Mayfair@lemmy.sdf.org · 2 months ago

        Yeah, but there are degrees of vulnerability. Otherwise, things like password strength or MFA wouldn’t matter.

        If all your passwords are fully random, then that’s one less weakness that can be exploited. People can’t make educated guesses about your passwords just from analysing your social media profiles and history, e.g. if you post a lot about Star Wars, it’s more likely your passwords could contain a Star Wars reference.

        • … true. You were clearly talking about how the “root” was constructed. If the root were random, a weakness would still be inherent in that having the root exposed means all your accounts are potentially compromised, but social engineering wouldn’t be as much of an issue.

          I skipped over the root generation, as it’s just a useless twist on an older process. “Useless” in that I don’t think it adds any value to construct a root from favorite things. It’s no easier than just memorizing a single 12-character random string and then adding per-site suffixes, which is how I first heard this described a decade ago.

  • dwindling7373@feddit.it · 2 months ago

    So, dedicated enough to embrace the importance of a solid password but not humble enough to think he’s got a better system than what everybody else recommends.

    The system is clearly flawed ego wise.

    It’s an unsafe password + salt.

  • foggy@lemmy.world · 2 months ago

    If it is sufficiently long, and the pattern is in any way dynamic, then yes.

    If they’re doing something like lemmy-core-420 then no.

    A drummer friend used to do a few bars of a different rudiment. Like djddjdjjdjddjdjjdjddjdjjdjddjdjj and then account for PW rules