Home page logo
/

basics logo Security Basics mailing list archives

Re: Password variation scheme a plus in security?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 30 Jun 2008 19:07:39 +0200

On 2008-06-30 Stefan Schmidt wrote:
I need an opinion. Let's say I have a few hundred web accounts and I
don't want to remember a few hundred passwords, neither do I want to
look them up each time I want to access one of the sites, so I'm using
one (secure) password for all sites. This is obviously not a good
thing, since when one site gets hacked and they stored their passwords
in an unsafe manner all others are potentially endangered. The
Question now is, would it now be an advantage in terms of security in
this case to use a password variation scheme like replace the third
character of the password with the second letter of the sites domain
name advanced five letters in the alphabet? Obviously it would prevent
immediately successful logins, but does this really increase security?
My idea is that the hackers have like 100.000 passwords and from these
maybe 90.000 give them immediate login success at other sites, so they
might just ignore the 10.000 that don't immediately work. Or is it
rather standard procedure in hacking attacks to try variations of the
acquired passwords?

*sigh*

Not this again.

If you don't want to use the same password for all sites, save the
passwords in an encrypted vault (e.g. KeePass [1]) and look them up
whenever needed.

DO NOT USE PASSWORDS DERIVED THROUGH DETERMINISTIC ALGORITHMS. EVER.

Kerckhoff's Principle explains why that is a bad thing.

[1] http://keepass.info/

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault