undefined | Better HN

0 pointsTedDoesntTalk3y ago0 comments

Append it where?

0 comments

endisneigh3y ago

e.g. password to facebook would be:

facebook.com$293MyPasswordYouKnowIt!!123

password to gmail would be

mail.google.com$113MyPasswordYouKnowIt!!123

only annoying thing is that the passwords are long. I guess it's secure, though.

edit: see child post for clarification. I do something above for spammy sites, but for something like gmail I probably wouldn't do that.

zenexer3y ago

That’s not secure at all.

Eventually, some website you use is going to get hacked. They’ll have stored passwords as plaintext. From there, anyone who wants to hack any of your accounts knows your password format. It’s going to be obvious to them that they just need to replace the domain.

endisneigh3y ago

how would they figure out the unique identifier? couldn't you say the same thing about using an arbitrarily unique password and then a password manager. if your password manager is hacked then they'd get the encrypted passwords for all sites you use along with all the personal information.

of course, you'll say, don't use a crappy password manager. and that's correct. same reason I use a separate format for sketchy sites.

for what it's worth my format isn't really as described, but it is similarly deterministic, but not visually so. the cipher is basic enough to do in your head but complicated enough that you wouldn't know from a glance

a real password example for your scrunity:

m0m2a2yiplagsosowgolredd1o2t3c!o!m2

steps:

m a i l g o o g l e d o t c o m

strategy

zip

secret

mypassword123!!

offset (publicly determinable)

unique: 2022

m0m2a2yiplagsosowgolredd1o2t3c!o!m2

i use a password manager so the long text generally is irrelevant. the main reason I do this is because I don't feel comfortable needing my password manager. I like being able to figure out my actual password completely independent of a phone or internet or app.

the strategy depends on how sensitive the app is (strategies include: zip, append, vowel-zip, no-vowel-zip, num-zip, all the same but with a reverse-offset). unique is usually something like when I joined, or something determinable from the site and my head.

all of this seems much more complicated than it is. once you understand you could calculate the password in your head in a couple seconds.

3 more replies

int_19h3y ago

This scheme as described is not secure, but with one more step it can be. Luckily, that step has already been automated:

https://www.lesspass.com/

TedDoesntTalkOP3y ago

Prior art: http://PasswordMaker.org also with apps, browser extensions, command line tools, and many forks.

kangalioo3y ago

How do you remember the unique identifier?

endisneigh3y ago

it's deterministic, but obviously I can't tell you the secret ;)

that being said there are a lot of things you could use. you could use information in the whois, you could use the birthdate of the founder of the site, etc.

personally I believe people should use the same password for all sites and then something similar to what I described. though I use a password manager, I do always feel nervous about the implementation leaking out details

Bud3y ago

This means that if a breach reveals more than one of your passwords, the pattern is easily recognized and you just made ALL your passwords extremely weak. Not a great idea.

endisneigh3y ago

this is true, yes. fwiw what I do is more complicated than an append. I'll edit it to say "include", which is more accurate.

j / k navigate · click thread line to collapse

0 comments

endisneigh3y ago

e.g. password to facebook would be:

facebook.com$293MyPasswordYouKnowIt!!123

password to gmail would be

mail.google.com$113MyPasswordYouKnowIt!!123

only annoying thing is that the passwords are long. I guess it's secure, though.

edit: see child post for clarification. I do something above for spammy sites, but for something like gmail I probably wouldn't do that.

zenexer3y ago

That’s not secure at all.

endisneigh3y ago

of course, you'll say, don't use a crappy password manager. and that's correct. same reason I use a separate format for sketchy sites.

a real password example for your scrunity:

m0m2a2yiplagsosowgolredd1o2t3c!o!m2

steps:

m a i l g o o g l e d o t c o m

strategy

zip

secret

mypassword123!!

offset (publicly determinable)

unique: 2022

m0m2a2yiplagsosowgolredd1o2t3c!o!m2

all of this seems much more complicated than it is. once you understand you could calculate the password in your head in a couple seconds.

3 more replies

int_19h3y ago

This scheme as described is not secure, but with one more step it can be. Luckily, that step has already been automated:

https://www.lesspass.com/

TedDoesntTalkOP3y ago

Prior art: http://PasswordMaker.org also with apps, browser extensions, command line tools, and many forks.

kangalioo3y ago

How do you remember the unique identifier?

endisneigh3y ago

it's deterministic, but obviously I can't tell you the secret ;)

that being said there are a lot of things you could use. you could use information in the whois, you could use the birthdate of the founder of the site, etc.

Bud3y ago

This means that if a breach reveals more than one of your passwords, the pattern is easily recognized and you just made ALL your passwords extremely weak. Not a great idea.

endisneigh3y ago

this is true, yes. fwiw what I do is more complicated than an append. I'll edit it to say "include", which is more accurate.

j / k navigate · click thread line to collapse