Disclaimer: I use a password manager, so please don’t direct your comments at me.
So I know this person that says they don’t use a password manager because they have a better system like… I’m gonna give an example:
Lets say, a person loves Star Wars, and their favorite character is Yoda. The favorite Their favorite phrase is from The Good Place “This is the Bad Place!”. And their favorite date is 1969 July 20th (first landing on moon).
So here:
Star Wars Yoda = SWYd
“This is the Bad Place!” = ThIThBaPl!
1969 July 20 —> 69 07 20
So they have this “core” password = SWydThIThBaPl!690720
Then for each website, they add the website’s first and last 2 characters of the name to the front of the password…
So, “Lemmy Forum” = leum
Add this to the beginning of the “core” password it becomes:
leumSWydThIThBaPl!690720
For Protomail Email it’s: prilSWydThIThBaPl!690720
For Amazon Shopping it’s: amngSWydThIThBaPl!690720
Get the idea?
The person says that, since the beginning of the password is unique, its “unhackable”, and that the attacker would need like 3 samples of the password to figure out their system.
Is this person’s “password system” actually secure?
I used to do this. Have a system for generating a unique password for each site. But then one site got hacked and I had to reset my password, and I couldn’t use the old password. So I had to make a new system. You see the problem.
A solution to this is to keep adding elements to the chain to create a new password. Like your base password is FavouriteCharacter2025siteletters, and if you need to change it, go for FavouriteCharacter2025siteletters!!!
If you add the same element across accounts when you need to change a pw, it’s still easy to remember, just a few more try when you forget it, it’s still useful against database leaks, and it’s not worse when it comes to targeted hack.
How many sites are we talking about? I have like 600 passwords in my password manager, it would be insane to try to remember each of the rules for when I changed the password last.
Well if you only change your password 3-4 times, you only have 4-5 options to try. You also kinda remember for most website if you changed your password a lot or not, so you naturally try the most plausible option first, at least in my experience.
If you regularly change your password, it can become a nightmare, i agree.
That doesn’t really answer the question though, you just assumed that attackers would instantly figure out your system with a sample size of 1. How do they do that? Not saying that they definitely can’t, but I want to see logical arguments before I believe it.
That’s not the point they’re making at all.
The point is when a website password
breedsneeds to be changed, then it won’t conform to the system anymore. Now you need to make a new system, or remember this particular exception.I had a system with a number in it. Any time a password change was needed then I would add 1 to the number. I might have to try two or the times to get the password right if I’ve changed it for the third time.
I didn’t know passwords could reproduce, is that how password generators work? /j
Yes exactly. Now the account locks you out after n tries, so yould also encounter problems down the road.
It’s not about being safe. It’s about losing track of your ability to track your unique passwords once one site nullifies it’s password.