this post was submitted on 01 Jun 2025
93 points (94.3% liked)

No Stupid Questions

41003 readers
881 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here. This includes using AI responses and summaries.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 2 years ago
MODERATORS
 

Disclaimer: I use a password manager, so please don't direct your comments at me.


So I know this person that says they don't use a password manager because they have a better system like... I'm gonna give an example:

Let's say a person loves Star Wars, and their favorite character is Yoda. Their favorite phrase is from The Good Place: "This is the Bad Place!". And their favorite date is 1969 July 20th (the first Moon landing).

So here:

Star Wars Yoda = SWyd

"This is the Bad Place!" = ThIThBaPl!

1969 July 20 ---> 69 07 20

So they have this "core" password = SWydThIThBaPl!690720

Then for each website, they add the first and last 2 characters of the website's name to the front of the password...

So, "Lemmy Forum" = leum

Add this to the beginning of the "core" password it becomes:

leumSWydThIThBaPl!690720

For Protomail Email it's: prilSWydThIThBaPl!690720

For Amazon Shopping it's: amngSWydThIThBaPl!690720

Get the idea?

The person says that, since the beginning of the password is unique, it's "unhackable", and that the attacker would need like 3 samples of the password to figure out their system.

Is this person's "password system" actually secure?

[–] [email protected] 9 points 2 days ago* (last edited 2 days ago) (1 children)

It’s probably not safe if they use that for everything. Someone could match emails and password suffixes, then they’d only have four letters to brute force. So all it takes is two leaks that your friend is on and they’re at real risk.

Generally, this would be avoided by whatever site storing their passwords as hashes instead of in plain text, but you can’t rely on that.

They should just use a password manager.
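The suffix-matching attack this comment describes, worked through as an added example (not part of the original post or any commenter's code). The two "leaked" credentials are constructed from the post's own sample passwords; the "first 2 + last 2 characters of the site name" rule is the one the post describes, and everything else here is an assumption made for illustration:

```python
import math
import string

# Constructed sample: two credential pairs for the same e-mail address as they
# might appear in two unrelated breach dumps. Not real leaked data.
LEAKS = {
    "Lemmy Forum": "leumSWydThIThBaPl!690720",
    "Protomail Email": "prilSWydThIThBaPl!690720",
}


def common_suffix(passwords):
    """Longest suffix shared by every password in the list ('' if none)."""
    reversed_pws = [p[::-1] for p in passwords]
    shared = 0
    for chars in zip(*reversed_pws):      # walk all passwords from the end
        if len(set(chars)) != 1:
            break
        shared += 1
    return passwords[0][len(passwords[0]) - shared:] if shared else ""


def site_prefix(site_name):
    """The scheme from the post: first two plus last two characters, lowercased."""
    s = site_name.lower()
    return s[:2] + s[-2:]


def scheme_matches(leaks, suffix):
    """True when every leaked password equals site_prefix(site) + suffix,
    i.e. two samples are enough to confirm the rule."""
    return all(pw == site_prefix(site) + suffix for site, pw in leaks.items())


def predict(site_name, suffix):
    """Derive the password for a site that has never leaked."""
    return site_prefix(site_name) + suffix


def residual_keyspace(password, suffix, alphabet=string.ascii_lowercase):
    """Number of guesses left once the suffix is known: alphabet ** unknown_length."""
    unknown = len(password) - len(suffix)
    return len(alphabet) ** unknown


def full_keyspace(password):
    """Guesses needed with no prior knowledge: 94 printable ASCII chars ** length."""
    return len(string.digits + string.ascii_letters + string.punctuation) ** len(password)


if __name__ == "__main__":
    suffix = common_suffix(list(LEAKS.values()))
    print("shared suffix      :", suffix)
    print("rule explains leaks:", scheme_matches(LEAKS, suffix))
    print("Amazon Shopping    :", predict("Amazon Shopping", suffix))
    sample = LEAKS["Lemmy Forum"]
    print(f"keyspace blind     : 2^{math.log2(full_keyspace(sample)):.0f}")
    print(f"keyspace w/ suffix : 2^{math.log2(residual_keyspace(sample, suffix)):.1f}")
```

Two samples are enough: the shared 20-character tail falls out of a suffix comparison, the remaining four lowercase characters are 26^4 (about 2^19) guesses, and the "first 2 + last 2" rule is confirmed by checking it against both site names, after which any other site's password can be written down without guessing at all.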

[–] [email protected] 8 points 2 days ago

If they start using Keepass, we now know, their master password will be: kessSWydThIThBaPl!690720

I hope OP just constructed the core password as an example only.

[–] [email protected] 18 points 3 days ago (1 children)

It’s safe until you’re targeted.

[–] [email protected] 5 points 2 days ago (1 children)

From what I understand, they (hackers) try known email/password combinations at different sites because a lot of people reuse their passwords. I also find it unlikely that anyone trying to hack accounts will spend any amount of time looking at individual passwords if their list is 1000+ (and we know there are leaks in the millions).

I agree that they are reasonably safe unless they are targeted.

[–] [email protected] 2 points 2 days ago

The problem is that it’s a common suffix among all of their passwords. That kind of thing is easy to search for in a password leak database.

[–] [email protected] 4 points 3 days ago

As long as it’s capitalized with a 1! at the end

https://m.youtube.com/watch?v=z_HmDP3lKMI

[–] [email protected] 26 points 3 days ago

I used to use a similar system until I switched to a password manager. Convenience is a big factor; it's nice to not have to think about logging in. Also, coupled with that, a secure password is a long password, so not having to type it in is a bonus.

The person says that, since the beginning of the password is unique, its "unhackable", and that the attacker would need like 3 samples of the password to figure out their system.

I've had my data leaked more than 3 times, it's not an unlikely scenario that someone could get a list of passwords used by someone.

Also once their system is compromised, they have to come up with a new system, then go and change every password. Which if it was me would be hundreds of places. With a password manager there's no reason not to have completely unique passwords for everything, so if there is a leak, oh well, just change that password.

[–] [email protected] 12 points 3 days ago

If you're using a password on one site you're trusting that site to keep that password safe, so that only you can access your account.

If you're using one password everywhere you're trusting the weakest site to keep your most important account safe, which is obviously a bad idea.

Your friend is trusting the weakest sites he uses (or used at any point in the past) to keep his password scheme safe. Not quite as obviously bad, but to me it doesn't seem to be a particularly good idea either.

[–] [email protected] 2 points 3 days ago

No it's still not safe. The only way to truly be safe is randomized password strings and 2fa (and even then, you're beholden to the safety of the company)

[–] [email protected] 19 points 3 days ago

Know your enemy:

  1. Dictionary attacks
  2. Leaked passwords
  3. Password guessing attacks

Your "system" is good against 1. but vulnerable against 2., and a bit vulnerable against 3. because of the system.

[–] [email protected] 1 points 3 days ago

All of security is about trade-offs. “What does it protect me from, and what do I give up to gain that protection?”

If you need to remember a lot of passwords, then having some kind of system makes sense.

But most people don’t need to remember a lot of passwords. Most people can reasonably offload that job to a password manager.

So without knowing anything more, I’d guess it’s not good security for them.

[–] [email protected] 38 points 3 days ago

You can buy leaked passwords from the dark web if you know someone's email.

So if someone got, say, 5 passwords from this person and looked at them, they'd very quickly be able to figure out the pattern and would know all their passwords.

The method they use is safe from scripts etc., but not foolproof.

[–] [email protected] 7 points 3 days ago

Better than a lot of other methods. What are you protecting, from whom, and how annoying would it be to recover if it went wrong? I don't use a password manager because I'd lose the file for sure and it would be just as inconvenient to recover as if someone hacked me. I also don't have any sensitive stuff. For work, on the other hand, I have a password manager.

The lowest hanging fruit is using a leaked/hacked/stolen list of accounts/emails and passwords and trying them on other sites. You should be safe from that.

If you have sensitive information that someone would be willing to break the law and spend a few thousand dollars to get, you're not safe.

[–] [email protected] 2 points 3 days ago

If it is sufficiently long, and the pattern is in any way dynamic then yes.

If they're doing something like lemmy-core-420 then no.

A drummer friend used to do a few bars of a different rudiment. Like djddjdjjdjddjdjjdjddjdjjdjddjdjj and then account for PW rules

[–] [email protected] 2 points 3 days ago (2 children)

That system is vulnerable to social engineering attacks. If hackers found out all their favourite things that led to the core part of the password, guessing the prefix wouldn't be that hard. Also, what would your friend do if one of these passwords got compromised and had to be changed? Would he just add a 1 to the site-specific part of the password?

[–] [email protected] 1 points 3 days ago (1 children)

guessing the prefix wouldn’t be that hard

Devil's Advocate: Most websites have limitations on the number of attempts.

[–] [email protected] 2 points 3 days ago

Hackers aren’t always using the login interface, sometimes they’re beyond that and have access to the database of password hashes, and they’re trying to crack the password that can be entered to match a hash and get to try as many times as they like on their own away from the target system.
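The offline case this comment describes, as an added example (not code from the original post or any commenter). It assumes the breached site stored plain unsalted SHA-256 hashes (a weak choice, picked here because it is fast enough to crack in pure Python) and that the 20-character suffix was already recovered from two earlier leaks; the target hash is constructed from the post's Amazon example. The rate-limit comparison shows why the "limited number of attempts" defence from the previous comment does not apply once the hash is in the attacker's hands:

```python
import hashlib
import itertools
import string

# Assumed: recovered from two earlier leaks (see the post's examples).
KNOWN_SUFFIX = "SWydThIThBaPl!690720"

# Constructed: the hash a weakly-configured site might store for the post's
# Amazon password. Unsalted SHA-256 is an assumption for illustration only.
TARGET_HASH = hashlib.sha256(b"amngSWydThIThBaPl!690720").hexdigest()


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def mask_attack(target_hex, suffix, unknown_len=4,
                alphabet=string.ascii_lowercase, hash_fn=sha256_hex):
    """hashcat-style mask attack: enumerate every alphabet**unknown_len prefix,
    keep the suffix fixed, stop at the first matching hash.
    Returns (password or None, number of hashes computed)."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=unknown_len):
        attempts += 1
        candidate = "".join(chars) + suffix
        if hash_fn(candidate) == target_hex:
            return candidate, attempts
    return None, attempts


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    found, tried = mask_attack(TARGET_HASH, KNOWN_SUFFIX)
    print(f"cracked: {found} after {tried} hashes")
    space = 26 ** 4
    # Assumed rates: a login form that locks out after a few tries per minute,
    # versus a single CPU core hashing unsalted SHA-256 in Python.
    print(f"online, 5 guesses/min : {seconds_to_exhaust(space, 5 / 60) / 86400:.0f} days")
    print(f"offline, 1e6 hashes/s : {seconds_to_exhaust(space, 1e6):.2f} s")
```

The hashcat equivalent is a mask attack (`-a 3`) with the mask `?l?l?l?l` followed by the literal suffix, against a raw SHA-256 hash list (`-m 1400`). A slow, salted hash such as bcrypt multiplies the per-guess cost by a large constant, but 456,976 candidates is so few that it only turns seconds into minutes; a salt stops precomputation, not a mask this narrow.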

[–] [email protected] 4 points 3 days ago (1 children)

Isn't every system vulnerable to social engineering hacks?

[–] [email protected] 2 points 2 days ago (1 children)

Yeah, but there are degrees of vulnerability. Otherwise, things like password strength or MFA wouldn't matter.

If all your passwords are fully random, then that's one less weakness that can be exploited. People can't make educated guesses about your passwords just from analysing your social media profiles and history, e.g. if you post a lot about Star Wars, it's more likely your passwords could contain a Star Wars reference.

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago)

... true. You were clearly talking about how the "root" was constructed. If the root were random, a weakness would still be inherent: having the root exposed means all your accounts are potentially compromised, but social engineering wouldn't be as much of an issue.

I skipped over the root generation, as it's just a useless twist on an older process. "Useless" in that I don't think it adds any value to construct a root from favorite things. It's no easier than just memorizing a single 12-character random string and then adding per-site suffixes, which is how I first heard this described a decade ago.

[–] [email protected] 12 points 3 days ago

For random password dumps going through thousands of accounts it's probably fine, but if you're targeted for some reason and they get just a couple of passwords, even 2, that system may already be obvious to someone looking to gain access to your accounts specifically.

[–] [email protected] 2 points 3 days ago* (last edited 3 days ago)

I would say this system is safe until one password - through no fault of their own - gets leaked. Worse even, two of them. If a bored hacker sees them in a stolen list, they could go to town on all other accounts. So you should advise your acquaintance to change their system. Long passwords are great but if they repeat a lot of characters they are immediately less useful. If the repeating string is known it makes brute-forcing other accounts that much easier.

The best advice is to keep unique passwords for all accounts. And by unique I mean not following a system like that. Long, random, nonsensical crap is best (but also most annoying) - for now. Once quantum computers become a thing, all this probably won't matter any more.

Edit: And always with non-SMS, non-emailed 2FA. But if those are the only options available it's better than nothing.

[–] [email protected] 5 points 3 days ago* (last edited 3 days ago)

So no, this is not safe. Once you have a system it is easier to crack, because if someone has 2 or more of your passwords they can work out there is a system, and it'd make it much easier to crack others if they're determined.

It is unlikely that someone random would specifically target a person and systematically try to crack their passwords. If that were to happen it'd most likely be someone they know - and this does happen sometimes. So while the passwords are definitely flawed, it may not be something that anyone takes the time to exploit. But you can never say never.

The best way to manage passwords probably remains a secure password manager and a randomly generated series of characters for each site. If it's truly random then there are no shortcuts and every single password stands independently. The password manager gets round the issue of memorising them.

[–] [email protected] 37 points 3 days ago

There are two answers to your question.
Most password cracking operations target a database of user accounts in bulk. As long as the hacker is not targeting your friend specifically, they should be fine.
If your friend is the target, one or two successful hacks could make their other passwords vulnerable.

[–] [email protected] 5 points 3 days ago

So, dedicated enough to embrace the importance of a solid password but not humble enough to think he's got a better system than what everybody else recommends.

The system is clearly flawed ego-wise.

It's an unsafe password + salt.

[–] [email protected] 14 points 3 days ago

This system is fine. While patterns are obviously easier to hack, having unique passwords for each site and being able to remember them puts your friend in the 90th percentile of computer users.

[–] [email protected] 7 points 3 days ago* (last edited 2 days ago) (2 children)

~~I hope you didn't make their actual basic phrase public.~~

In my opinion any password that's designed to be human-friendly isn't secure. Every crutch one uses to remember it, a machine can make much faster use of.

In this case I'd say the core idea: "SWydThIThBaPl!" is relatively safe, but 690720 is almost immediately recognizable as a date - to a machine! - and amng, leum etc. are even easier assuming the cracking program has knowledge of which site they're trying to gain access to.

So the only good part is the one that repeats for every password.

I think the top half of this xkcd illustrates some of it; but iirc the bottom half has been sort-of half debunked.

In any case, I use only very long and completely random passwords for online accounts.

Does this person think password managers are crutches? You cannot out-remember a machine.


PS: entropy is not the only measure for password safety.

  1. Dictionary attacks
  2. Leaked passwords
  3. Password guessing attacks

Brute force comes way down the list.

[–] [email protected] 1 points 3 days ago (1 children)

but iirc the bottom half has been sort-of half debunked

Any source for this? It's literally just random words. Just pick from a large enough list and you're good.

[–] [email protected] 1 points 2 days ago* (last edited 2 days ago) (1 children)

Things a password cracker does before brute force guessing:

  1. Dictionary attacks
  2. Leaked passwords
  3. Password guessing attacks
  4. ...
[–] [email protected] 2 points 2 days ago (1 children)

If you pick 4 random words, the attacker would still need to brute force through (hundreds of?) billions of word combinations. That’s the point.

[–] [email protected] 0 points 2 days ago

Yeah, you're correct. The person you're replying to is treating dictionary attacks as separate from brute forcing. Dictionary attacks are great on short passwords using likely words, but as soon as you use 2 or 3 or 4 words it becomes computationally unfeasible. I would say a completely random string of the same or much less length is more secure because a dictionary attack won't work at all, but 3-4 word passphrases are excellent for passwords that you ever have to enter manually.

[–] [email protected] 4 points 3 days ago (1 children)

It's an example, not a real password.

If you replace the "SWydThIThBaPl!690720" part with a random string like: dsh2box5hRs3wraA (just generated this), but kept the system the same, would your assessment of this system be different? (Assuming someone can actually remember that string of characters)

[–] [email protected] 2 points 3 days ago* (last edited 3 days ago) (1 children)

Your new example is confusing. With or without the date?

In any case, what would be the point? "I can remember the first 4 letters of the password but not the last 20"?

This person needs to understand that they cannot outsmart a machine, at least not in this. FWIW I've been using keepassxc for I don't even remember how many years and never had a problem with it. It has the option to additionally encrypt the database with a file, so if someone steals the database and even manages to guess the password (the only one that I haven't written down anywhere) they still don't have access.

[–] [email protected] 2 points 3 days ago

"Lemmy Forum" = leumdsh2box5hRs3wraA

Protomail Email = prildsh2box5hRs3wraA

Amazon Shopping = amngdsh2box5hRs3wraA

[–] [email protected] 4 points 3 days ago

It's secure enough for the average person. If your friend was a big deal, super rich or powerful and a massive target, it would be easy enough to figure out.

I doubt it would be worthwhile trying to crack that particular code for the average joe.

[–] [email protected] 13 points 3 days ago

I reject the premise!

There is no safe or unsafe. It's more like "more safe for a given person".

Your friend's system is better than using the same password everywhere. It's more difficult to hack than the majority of passwords that aren't generated by password managers. If that's what your friend likes and works for them well, fine I guess.

It wouldn't work for me because:

  • it doesn't input the password for you. Does your friend really type passwords in all the time?
  • IDK if my memory is particularly bad, but having to remember anything at all is hit and miss. Like I could remember those characters that are used everywhere, but for the router at my mum and dad's house that I haven't accessed in 5 years, was it "mums router" or "router mums house"?
  • Also I manage multiple passwords for the same sites, as in credentials for my partner or whatever, but I guess I could make a variant of this system.
  • also if I were to die the person who sorts out all my stuff will have access to my passwords
  • but the main reason is.... I use my keepassxc db as a database for all sorts of things which aren't necessarily passwords. ssh keys are a good example. I use it for TOTP. bank card details. membership numbers and government ids. VIN numbers for vehicles. Also, a weird one, I have to keep track of about 100 physical keys for reasons, I stamp a number on them like k32 and then store that number and an explanation of what it's for in my db.
[–] [email protected] -1 points 3 days ago (1 children)

A phrase is better:

unlucky friendly monkey got raped by feral donkeys the monkey ran away from donkeys led astray

It's not very different from a sequence of 13 symbols, but there are many more words in English lexicon than symbols in ASCII plus 10, and the password becomes easier to memorize.

This is also an adaptation of a joke from a Russian cyberpunk novel, one of the last good things by its author, called "Labyrinth of reflections". It's still very good BTW.

One my friend has a very good taste in books and poetry, but when you talk to him, you wouldn't think that. He spews bullshit about "patriotism", alternative history, "anti-male laws" and such, believes that he can feel energies, and the only way to notice there's something much better buried underneath is to talk about random life events for long, not trying to fix on anything in particular or reason logically. Yet every book he's advised has been precious to me.

[–] [email protected] 2 points 3 days ago (1 children)

Phrases or words are good, but they should be random - not from known passages in poems, books movies etc, at least not without significant alteration.

[–] [email protected] 1 points 3 days ago

Obviously, my point was that remembering a word is easier than remembering a letter.
