Disclaimer: I use a password manager, so please don’t direct your comments at me.
So I know this person that says they don’t use a password manager because they have a better system like… I’m gonna give an example:
Lets say, a person loves Star Wars, and their favorite character is Yoda. The favorite Their favorite phrase is from The Good Place “This is the Bad Place!”. And their favorite date is 1969 July 20th (first landing on moon).
So here:
Star Wars Yoda = SWYd
“This is the Bad Place!” = ThIThBaPl!
1969 July 20 —> 69 07 20
So they have this “core” password = SWydThIThBaPl!690720
Then for each website, they add the website’s first and last 2 characters of the name to the front of the password…
So, “Lemmy Forum” = leum
Add this to the beginning of the “core” password it becomes:
leumSWydThIThBaPl!690720
For Protomail Email it’s: prilSWydThIThBaPl!690720
For Amazon Shopping it’s: amngSWydThIThBaPl!690720
Get the idea?
The person says that, since the beginning of the password is unique, its “unhackable”, and that the attacker would need like 3 samples of the password to figure out their system.
Is this person’s “password system” actually secure?
It’s probably not safe if they use that for everything. Someone could match emails and password suffixes, then they’d only have four letters to brute force. So all it takes is two leaks that your friend is on and he’s at real risk.
Generally, this would be avoided by whatever site storing their passwords as hashes instead of in plain text, but you can’t rely on that.
They should just use a password manager.
If they start using Keepass, we now know, their master password will be: kessSWydThIThBaPl!690720
I hope OP just constructed the core password as an example only.
It’s safe until you’re targeted.
From what I understand, they (hackers) try known email/password combinations at different sites because a lot of people reuse their passwords. I also find it unlikely that anyone trying hack accounts will spend any amount of time looking at individual passwords if their list is 1000+ (and we know there are leaks in the milions).
I agree that they are reasonably save unless they are targeted.
The problem is that it’s a common suffix among all of their passwords. That kind of thing is easy to search for in a password leak database.
As long as it’s capitalized with a 1! at the end
I used to use a similar system until I switched to a password manager. Convenience is a big factor, it’s nice to not have to think about logging in. Also coupled with that a secure password is a long password, so not having to type it in is a bonus.
The person says that, since the beginning of the password is unique, its “unhackable”, and that the attacker would need like 3 samples of the password to figure out their system.
I’ve had my data leaked more than 3 times, it’s not an unlikely scenario that someone could get a list of passwords used by someone.
Also once their system is compromised, they have to come up with a new system, then go and change every password. Which if it was me would be hundreds of places. With a password manager there’s no reason not to have completely unique passwords for everything, so if there is a leak, oh well, just change that password.
If you’re using a password on one site you’re trusting that site to keep that password safe, so that only you can access your account.
If you’re using one password everywhere you’re trusting the weakest site to keep your most important account safe, which is obviously a bad idea.
Your friend is trusting the weakest sites he uses (or used at any point in the past) to keep his password scheme safe. Not quite as obviously bad, but to me it doesn’t seem to be a particularly good idea either.
No it’s still not safe. The only way to truly be safe is randomized password strings and 2fa (and even then, you’re beholden to the safety of the company)
You can buy leaked passwords from the dark web if you know someone’s email.
So if someone got say 5 passwords from this person and look at them they’d very quickly be able to figure out the pattern and would know all their passwords.
The method they use is safe from scripts etc. But not foolproof
Better than a lot of other methods. What are you protecting, from who and how annoying would it be to recover if it went wrong. I don’t use a password manager because I’d lose the file for sure and it would be just as inconvenient to recover as if someone hacked me. I also don’t have any sensitive stuff. Work on the other hand I have a password manager.
The lowest hanging fruit is using a leaked/hacked/stolen list of accounts/emails and passwords and trying them on other sites. You should be safe from that.
If you have sensitive information someone would be willing to break the law and spend a few thousands of dollars to get you’re not safe.
If it is sufficiently long, and the pattern is in any way dynamic then yes.
If they’re doing something like lemmy-core-420 then no.
A drummer friend used to do a few bars of a different rudiment. Like djddjdjjdjddjdjjdjddjdjjdjddjdjj and then account for PW rules
That system is vulnerable to social engineering attacks. If hackers found out all their favourite things that lead to the core part of the password, guessing the prefix wouldn’t be that hard. Also, what would your friend do if one of these passwords got compromised and had to change it? Would he just add a 1 to the site-specific part of the password?
guessing the prefix wouldn’t be that hard
Devil’s Advocate: Most websites have limitations on the number of attempts.
Hackers aren’t always using the login interface, sometimes they’re beyond that and have access to the database of password hashes, and they’re trying to crack the password that can be entered to match a hash and get to try as many times as they like on their own away from the target system.
Isn’t every system vulnerable to social engineering hacks?
Yeah, but there are degrees of vulnerability. Otherwise, things like password strength or MFA wouldn’t matter.
If all your passwords are fully random, then that’s one less weakness that can be exploited. People can’t make educated guesses about your passwords just from analysing your social media profiles and history, e.g. if you post a lot about Star Wars, it’s more likely your passwords could contain a Star Wars reference.
… true. You were clearly talking about how the “root” was constructed. If the root were random, a weakness would still be inherent in having the root exposed means all your accounts are potentially compromised, but social engineering wouldn’t be as much of an issue.
I skipped over the root generation, as it’s just a useless twist on an older process. “Useless” in that I don’t think it adds any value to construct a root from favorite things. It’s no easier than just memorizing a single 12-character random string and then adding per-site suffixes, which is how I first heard this described a decade ago.
For random password dumps going through thousands of accounts it’s probably fine, but if you’re targeted for some reason and they get just a couple passwords. With even just 2 passwords, that system may be obvious already to someone looking to gain access to your accounts specifically.
I would say this system is safe until one password - through no fault of their own - gets leaked. Worse even, two of them. If a bored hacker sees them in a stolen list, they could go to town on all other accounts. So you should advise your acquaintance to change their system. Long passwords are great but if they repeat a lot of characters they are immediately less useful. If the repeating string is known it makes brute-forcing other accounts that much easier.
The best advice is to keep unique passwords for all accounts. And by unique I mean not following a system like that. Long, random, non-sensical crap is best (but also most annoying) - for now. Once quantum computers become a thing, all this probably won’t matter any more.
Edit: And always with non-SMS, non-emailed 2FA. But if those are the only options available it’s better than nothing.
So no this is not safe. Once ypu have a system it is easier to crack because if someone has 2 or more of your passwords they can work out there is a system and it’d make it much easier to crack others if they’re determined.
It is unlikely that someone random would specifically target a person and systematically try and crack their passwords. If that were to happen it’d most likely he someone they know - and this does happen sometimes. So while the passwords are definitely flawed it may not be something that anyone takes the time to exploit. But you can never say never.
The best way to manage passwords probably remains a secure password manager and randomly generated series of characters for each site. If its truly random then there are no shortcuts and every single password stands independently. The password manager gets round the issue of memorising them.
There are two answers to your question.
Most password cracking operations target a database of user accounts in bulk. As long as the hacker is not targeting your friend specifically, they should be fine.
If your friend is the target, one or two successful hacks could make their other passwords vulnerable.So, dedicated enough to embrace the importance of a solid password but not humble enough to think he’s got a better system than what everybody else reccomend.
The system is clearly flawed ego wise.
It’s an insafe password + salt.
