2

Let's assume that I have chosen a password X which is both hard to guess and easy to remember.

I have the feeling that instead of using X for, say, Gmail, Stackoverflow, Ebay, ... I could use gX, sX, eX, ... respectively - and thereby easily increase security.

What are pros and cons of doing this?

I. Haage
    If an attacker discovers your Gmail password (gX), he/she may quickly realize that it's simply 'g' (for gmail) concatenated with X. Then, it wouldn't be much of a leap for him/her to figure "If that's his Gmail password, then his eBay password is probably eX, and his Paypal password is probably pX, etc., etc." Very quickly, you might find many of your accounts hacked. It's best to use long, unique, randomly generated passwords for each site. You might find it helpful to use a password manager to manage this for you. – mti2935 Jan 09 '24 at 18:24
  • With the leak of 2 passwords, all your passwords that use that scheme are toast. – schroeder Jan 10 '24 at 09:16

3 Answers

3

The rules for passwords easy to remember and difficult to guess are obsolete today. It would have made sense 20 years ago, when you had a handful of services, so it would be feasible to remember them. Not anymore.

Today you should remember ONE very strong password, and only one: the master password for your password manager. And let the password manager generate as many complex passwords as needed.

And to directly answer your question, it would protect you a little if one password leaks and it's used by an automated program to attack other accounts. As soon as a human takes a look, he can guess the pattern and attack your other accounts.

That's why I always recommend a password manager: it will generate passwords as long as the service you use accepts, with the complexity they want, and generate unique, unpredictable and very strong passwords for any number of accounts you have.

Password managers have some drawbacks too, but comparing them with the other methods (storing in your brain, in a text file, on paper, in an encrypted file) the password manager clearly is better.

ThoriumBR
1

You should assume that your password scheme is known to your attacker. While adding some noise into passwords can limit the damage of a password spraying attack, I wouldn't say it makes the password itself more secure.

If you're making passwords at a prescribed length, like 12 characters, then this reserved character actually lowers your password's entropy (strength), effectively making it an 11-character code.

It should be fine to add the extra letter to a password that is independently strong (so if you're aiming at a 12-character password, your scheme would require 13 characters since you're adding a predictable letter), but again I wouldn't say that the password's strength is improved by this technique.

It is not fine to recycle the same independently-strong password by simply changing an extra piece, as anybody with two of your passwords will figure out exactly what's going on. That's basically a master password used in an insecure manner. Instead, use a strong master password to lock your password manager, which you should use to generate complex unmemorable codes for everything else.

Everybody should use a password manager. Bitwarden and KeePass are 100% free/FOSS.

When you migrate from an insecure password scheme to a password manager, either recycle nothing from other passwords or else ensure a brand new component of your master password is unique and independently strong (which might make for a very long password, a good thing for security but perhaps a burden for your fingers).

Adam Katz
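Added example (not code from either answer above): it puts numbers on the two points made so far, that a predictable service letter contributes no entropy against an attacker who knows the scheme, so a 12-character "gX" password is really an 11-character one, and that a password manager sidesteps the problem by generating an independent random password per site. The 62-symbol alphabet (letters and digits) and the 12/13-character lengths are assumptions chosen to match the answer's figures; `generate_password` uses Python's `secrets` module the way a manager's generator would.

```python
import math
import secrets
import string

# Assumed alphabet: upper- and lowercase letters plus digits, 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length, alphabet_size):
    """Entropy of a password drawn uniformly at random from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def scheme_entropy(total_length, alphabet_size, reserved_chars):
    """Entropy of a password of total_length characters when reserved_chars of them
    are predictable (e.g. a service initial). An attacker who knows the scheme
    never has to guess those characters, so they contribute zero bits."""
    return entropy_bits(total_length - reserved_chars, alphabet_size)


def compare(length=12, alphabet_size=62, reserved_chars=1):
    """Side-by-side accounting for a fully random password versus the 'gX' scheme
    at the same total length. The search-space factor is how many times fewer
    candidates an attacker must try once the scheme is known (62 for one letter)."""
    full = entropy_bits(length, alphabet_size)
    scheme = scheme_entropy(length, alphabet_size, reserved_chars)
    return {
        "random_bits": full,
        "scheme_bits": scheme,
        "bits_lost": full - scheme,
        "search_space_factor": 2 ** (full - scheme),
    }


def generate_password(length, alphabet=ALPHABET):
    """One unique, unpredictable password, as a password manager would produce.
    secrets.choice draws from the OS CSPRNG, not from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def site_passwords(sites, length=16):
    """Independent password per site: no shared stem, nothing to infer from a leak."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.2f}")
    # Constructed site list for the demonstration.
    for site, pw in site_passwords(["gmail", "stackoverflow", "ebay"]).items():
        print(f"{site}: {pw}")
```

Running it prints roughly 71.45 bits for 12 random characters against 65.50 bits for the scheme, a loss of 5.95 bits, i.e. the attacker's search space shrinks by a factor of 62. Keeping the scheme at 13 characters restores the 12-character figure, which is exactly the answer's point: the letter is not harmful on its own, it just buys nothing.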
0

In support of other good answers, as a password cracker I'd like to add:

Password "systems" that you can remember make your passwords weaker - because if you can remember it, I can emulate it at speed.

Including the service name, or anything directly or indirectly associated with the service name, is a strategy well known to attackers - and one that we regularly exploit.

We are also well aware of (and exploit) other "clever" systems that people use to make that service name "harder" to guess - prefix, suffix, infix, interleaving, abbreviation, repetition, reverse, duplicating the entire password, ROT13, toggling case, leet substitutions, typing letters above or below on the keyboard, typing as if using a keyboard from a different language, and any number of other transformations to make the name of the service "harder".

And even if the rest of the password is long and random, it only takes one leak from a site storing passwords badly to make all of your other passwords much more crackable.

Royce Williams
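Added example, written from the defender's side and not part of the answer above: a pre-migration check of the kind the answers recommend before moving to a password manager. It flags a password that embeds a service name under a handful of the transformations listed (plain, reversed, ROT13, leet substitutions, duplication, a three-letter abbreviation; case toggling is neutralised by comparing in lowercase), and it separately flags any two passwords that share a long common stem, which is what exposes a "gX / eX" scheme even when the single initial is too short to detect directly. The leet mapping, the abbreviation length and the sample passwords are constructed assumptions; the keyboard-shift and foreign-layout transformations the answer mentions are not implemented here.

```python
import codecs

# Constructed leet mapping; real mangling rule sets are much larger.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def service_variants(service):
    """Forms of a service name covered by this check (see lead-in for the subset)."""
    s = service.lower()
    return {
        s,                            # plain:      gmail
        s[::-1],                      # reversed:   liamg
        codecs.encode(s, "rot_13"),   # ROT13:      tznvy
        s.translate(LEET),            # leet:       gm41l
        s * 2,                        # duplicated: gmailgmail
        s[:3],                        # abbreviation (assumed 3 letters): gma
    }


def contains_service_token(password, service, min_len=3):
    """True if any variant of the service name of at least min_len characters
    appears in the password. Comparing in lowercase absorbs case toggling."""
    p = password.lower()
    return any(v in p for v in service_variants(service) if len(v) >= min_len)


def longest_common_substring(a, b):
    """Classic dynamic-programming LCS, O(len(a) * len(b)) time, O(len(b)) space."""
    best_end, best_len = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_stem(passwords, min_len=8):
    """Return (site_a, site_b, stem) for the first pair of passwords sharing a
    substring of at least min_len characters, or None. Two leaked passwords
    with a shared stem reveal the scheme for every other account."""
    items = list(passwords.items())
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            stem = longest_common_substring(items[i][1], items[j][1])
            if len(stem) >= min_len:
                return items[i][0], items[j][0], stem
    return None


def audit(passwords):
    """Per-site findings for a {site: password} mapping."""
    findings = {site: contains_service_token(pw, site) for site, pw in passwords.items()}
    return findings, shared_stem(passwords)


if __name__ == "__main__":
    # Constructed sample: the scheme from the question with X = "Blue7Lantern!".
    sample = {
        "gmail": "gBlue7Lantern!",
        "ebay": "eBlue7Lantern!",
        "stackoverflow": "liamg_Blue7",   # reversed "gmail" hidden in a password
    }
    per_site, stem = audit(sample)
    print(per_site)   # only the reversed-name case trips the token check
    print(stem)       # ('gmail', 'ebay', 'Blue7Lantern!')
```

Note what the single-letter scheme does and does not trigger: `gBlue7Lantern!` passes the token check, because a one-letter initial is below any sensible match length, but the stem check catches it immediately once a second password using the same X is present. That is the same observation the comments on the question make about two leaks being enough.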