this post was submitted on 27 Oct 2023
1298 points (98.0% liked)

Memes
[–] [email protected] 1 points 10 months ago* (last edited 10 months ago) (1 children)

You could possibly switch to a "client-side salting" approach, having a strong consistent password in your head, and storing a short but truly random suffix for each service. e.g. a text file named "Netflix" containing something like "T3M#f", and the final password would be something like "hunter2T3M#f".

I guess I'm not understanding how this is functionally different from what I already am doing. Why would your 12 character solution be more secure than my 14 character example? Is it just because NutFlex is two actual words, so a dictionary attack could crack that more easily? Or is it because it's kinda close to the domain the account is associated with? Would I be significantly better off replacing those bastardizations with other random words?

Edit: and also, they're saved as notes in my phone, and no I don't type the whole password in. That would defeat the purpose of having a persistent master phrase as part of the password.

[–] [email protected] 2 points 10 months ago

they’re saved as notes in my phone, and no I don’t type the whole password in

Then I must have misunderstood your approach. Is it like a single note with all the keywords only, then?

I guess I'm not understanding how this is functionally different from what I already am doing. Why would your 12 character solution be more secure than my 14 character example?

Yeah, it's because it's close to the associated domain. The way I see it, this bastardization adds little entropy (there are only so many possible variations) but is also rather easy to forget. And a huge problem, in my opinion, is that it's using your mental capacity for per-site suffixes rather than the master password.

A possible attack I see is if I set up a site, say a forum called MyLittlePony.su with no password protection whatsoever, and lure you to register on it. If I scroll through the accounts and notice your password to be "hunter2MyLittlePenis", I might go to PayPal and give it a shot with "hunter2PenisPal". Or somebody to whom I sold the database might. It's extremely rare that anyone would even look at your password specifically unless you are some kind of celebrity, but it's still a possibility. Maybe some future AI tech would be able to crack your strategy (I've tried, ChatGPT told me to fuck right off and FreedomGPT is not good enough yet).

Though you've said you also keep notes, which deals with the easy-to-forget part of the problem, so my first thought was to get rid of the bastardization and add a fuck-all amount of entropy by using a truly random suffix. That'd deal with the above problem. But that'd mean it's your master password that is the suffix now, and you wouldn't be able to access sites without the notes at all, hence it'd be easier to go with a password manager at that point.
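The "memorised master phrase + stored random suffix" scheme the two comments discuss, as an added example that is not code from either commenter. It assumes a 94-symbol alphabet (letters, digits, ASCII punctuation), a 5-character suffix like the "T3M#f" in the thread, and a JSON notes file standing in for phone notes; the suffix is drawn with the OS CSPRNG rather than a word derived from the site name, and only the suffixes are ever written to disk.

```python
import json
import math
import secrets
import string
from pathlib import Path

# Assumed alphabet for generated suffixes: letters, digits and ASCII punctuation
# (94 symbols). Some sites reject certain punctuation; shrink the alphabet for
# that service if so and note which alphabet you used.
SUFFIX_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_suffix(length: int = 5, alphabet: str = SUFFIX_ALPHABET) -> str:
    """Return `length` symbols drawn uniformly from `alphabet` with the CSPRNG.

    secrets.choice is used on purpose: random.choice is seeded predictably
    and is not suitable for anything that has to stay secret.
    """
    if length < 1:
        raise ValueError("suffix length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def suffix_entropy_bits(length: int, alphabet: str = SUFFIX_ALPHABET) -> float:
    """Entropy of a uniformly random suffix: length * log2(|alphabet|).

    A 5-symbol suffix over 94 symbols is about 32.8 bits, independent of the
    site name, which is the gain over a guessable per-site word variation.
    """
    return length * math.log2(len(set(alphabet)))


def compose(master: str, suffix: str) -> str:
    """Final password: memorised master phrase followed by the stored suffix."""
    return master + suffix


class SuffixStore:
    """Per-service suffixes in one JSON file (constructed stand-in for phone notes).

    The master phrase is never stored. If this file leaks, an attacker still
    needs the master phrase; if the phrase leaks at one site, the other sites
    are still protected by their independent random suffixes.
    """

    def __init__(self, path: Path):
        self.path = Path(path)
        self._data = json.loads(self.path.read_text()) if self.path.exists() else {}

    def get_or_create(self, service: str, length: int = 5) -> str:
        # Reuse an existing suffix; only new services get a fresh random one.
        if service not in self._data:
            self._data[service] = random_suffix(length)
            self.path.write_text(json.dumps(self._data, indent=2))
        return self._data[service]


def password_for(master: str, store: SuffixStore, service: str) -> str:
    """Look up (or create) the suffix for `service` and build the password."""
    return compose(master, store.get_or_create(service))


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        store = SuffixStore(Path(d) / "suffixes.json")
        pw = password_for("hunter2", store, "Netflix")  # constructed master phrase
        print(pw, f"({suffix_entropy_bits(5):.1f} bits of entropy in the suffix)")
```

The store is what the second comment calls the catch: without the notes file the suffix is unrecoverable, so the file needs the same backup discipline as a password manager's vault, which is why the thread concludes a manager is the simpler end state.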