mailing list archives
Re: Password variation scheme a plus in security?
From: krymson () gmail com
Date: 30 Jun 2008 16:55:45 -0000
This depends on what you're protecting and what threats you are worried about (or your own level of risk tolerance.)
For a home user using a password derivation scheme for your 100 sites, if one site discloses your account info, what
have they really gained? Maybe your email address and your password, plus let's just say your full name. The only thing
to immediately attack is your email address location. I guess if it were me, I'd try your password, see if you have
something obvious in it that is guessable per site you use it on, and then move on. If I really wanted to be a pest, I
might start Googling you up...blah blah.
Unless your scheme is easily guessable, or I have grabbed two or more of your passwords along with the sites you use
them on (or enough information to deduce your scheme), you don't have nearly as much to worry about.
As a home user, do you feel like you might be particularly targeted by an attacker? If so, I doubt a derived password
will help you rest easy unless you truly feel that no one is going to just up and guess your scheme.
In the end, I have no qualms about suggesting that home users feel free to use some simple but not easily deducable
password scheme for their web accounts. Yeah, it's not the perfect solution, but that's the world we live in.
If this is for a business, depending on the items in my first paragraph, you might want something more arcane,
depending on the size and value and market of your company. A 30-employee shop will have far different requirements
than, say, Boeing.
<- snip ->
I need an opinion. Let's say I have a few hundred web accounts
and I don't want to remember a few hundred passwords, neither
do I want to look them up each time I want to access one of the
sites, so I'm using one (secure) password for all sites. This is
obviously not a good thing, since when one site gets hacked
and they stored their passwords in an unsafe manner all others
are potentially endangered. The Question now is, would it now
be an advantage in terms of security in this case to use a
password variation scheme like replace the third character of
the password with the second letter of the sites domain name
advanced five letters in the alphabet? Obviously it would prevent
immediately successful logins, but does this really increase
security? My idea is that the hackers have like 100.000 passwords
and from these maybe 90.000 give them immediate login success
at other sites, so they might just ignore the 10.000 that don't
immediately work. Or is it rather standard procedure in hacking
attacks to try variations of the acquired passwords?