this post was submitted on 01 Jun 2025
93 points (94.3% liked)

No Stupid Questions

41177 readers
1359 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here. This includes using AI responses and summaries.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 2 years ago
MODERATORS
 

Disclaimer: I use a password manager, so please don't direct your comments at me.


So I know this person who says they don't use a password manager because they have a better system, like... I'm gonna give an example:

Let's say a person loves Star Wars, and their favorite character is Yoda. Their favorite phrase is from The Good Place: "This is the Bad Place!". And their favorite date is 1969 July 20th (the first landing on the Moon).

So here:

Star Wars Yoda = SWyd

"This is the Bad Place!" = ThIThBaPl!

1969 July 20 ---> 69 07 20

So they have this "core" password = SWydThIThBaPl!690720

Then for each website, they add the website's first and last 2 characters of the name to the front of the password...

So, "Lemmy Forum" = leum

Add this to the beginning of the "core" password it becomes:

leumSWydThIThBaPl!690720

For Protomail Email it's: prilSWydThIThBaPl!690720

For Amazon Shopping it's: amngSWydThIThBaPl!690720

Get the idea?

The person says that, since the beginning of the password is unique, it's "unhackable", and that the attacker would need like 3 samples of the password to figure out their system.

Is this person's "password system" actually secure?

11 comments
[–] [email protected] 10 points 4 days ago (1 children)

There's literally only a 4-character difference between all their passwords; even if those were completely random, that's very bad.

They don't seem to understand that it's not about how many samples you need to see to be sure what their Amazon password is. The problem is that if one of their passwords ever leaks, some bot can brute-force try thousands of variations on it and find any other password very quickly (they effectively only have to guess 4 characters, plus a bit to find that it's the first 4 to change).

How can anyone think this is more secure than having completely different and long passwords for every site?

They probably don't understand that your pw manager's password is safer because you don't enter it anywhere, only into your password manager (ideally with 2FA). This person is effectively spreading their master password around by putting it as the core of ALL their passwords, significantly increasing the risk that it leaks.
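The scheme from the post and the single-leak attack described in the comment above, as an added example; this is not code from the post or from anyone in the thread. It uses the core password and the three site names given in the post; the attacker's assumptions (a four-character site-specific prefix drawn from lowercase letters) are mine:

```python
"""Model of the "site tag + shared core" password scheme and the attacks on it.
Added example, not code from the post. CORE and the site names come from the
post; prefix_len and alphabet are assumptions about what an attacker tries."""
import itertools
import math
import string

CORE = "SWydThIThBaPl!690720"  # the "core" password from the post


def site_tag(site_name: str) -> str:
    """First two and last two characters of the site name, lower-cased
    ("Lemmy Forum" -> "leum"), as the post describes."""
    compact = site_name.replace(" ", "")
    return (compact[:2] + compact[-2:]).lower()


def derive(core: str, site_name: str) -> str:
    """The person's scheme: site tag prepended to the shared core."""
    return site_tag(site_name) + core


def common_suffix(a: str, b: str) -> str:
    """Longest suffix shared by two strings."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:] if n else ""


def recover_core(leaked: list[str]) -> str:
    """Attacker with two or more leaked passwords: the shared core is simply
    their common suffix. No knowledge of the tagging rule is needed."""
    core = leaked[0]
    for pw in leaked[1:]:
        core = common_suffix(core, pw)
    return core


def guesses_from_one_leak(leaked_pw: str, target_pw: str, prefix_len: int = 4,
                          alphabet: str = string.ascii_lowercase) -> int:
    """Attacker with a single leaked password who only assumes "the first few
    characters vary per site": try every prefix of length prefix_len over
    alphabet in front of the unchanged tail. Returns the number of guesses
    until target_pw is hit, or 0 if it is outside the search space."""
    tail = leaked_pw[prefix_len:]
    for count, combo in enumerate(itertools.product(alphabet, repeat=prefix_len), start=1):
        if "".join(combo) + tail == target_pw:
            return count
    return 0


def conditional_bits(prefix_len: int = 4, alphabet_size: int = 26) -> float:
    """Entropy left in a sibling password once one of them is known."""
    return prefix_len * math.log2(alphabet_size)


def random_password_bits(length: int = 24, alphabet_size: int = 94) -> float:
    """Entropy of a generated password of the same length over the 94
    printable ASCII characters, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    sites = ["Lemmy Forum", "Protomail Email", "Amazon Shopping"]
    pws = {s: derive(CORE, s) for s in sites}
    for s, pw in pws.items():
        print(f"{s:16s} {pw}")
    # Two leaks: the core falls out immediately.
    print("core from two leaks:", recover_core([pws["Lemmy Forum"], pws["Protomail Email"]]))
    # One leak: the Amazon password is within 26^4 = 456,976 guesses.
    print("guesses to Amazon from Lemmy leak:",
          guesses_from_one_leak(pws["Lemmy Forum"], pws["Amazon Shopping"]))
    print(f"bits left after one leak: {conditional_bits():.1f}; "
          f"random 24-char password: {random_password_bits():.1f}")
```

Two leaked passwords hand over the core as their common suffix, and a single leak reduces any sibling password to a search of 26^4 candidates (under 19 bits), which is exactly the search a hashcat mask such as `?l?l?l?lSWydThIThBaPl!690720` expresses; a generated 24-character password over printable ASCII carries about 157 bits and shares nothing with its siblings.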

[–] [email protected] 3 points 4 days ago* (last edited 4 days ago) (2 children)

There's literally only a 4-character difference between all their passwords; even if those were completely random, that's very bad.

So the 4 characters are just my way to explain their system; I don't actually know how many characters they use in their "unique" part of the password, but the idea is that the unique part of the password is derived from the website.

[–] [email protected] 7 points 4 days ago (1 children)

I get the idea, as I used to do this too. Having secure and different passwords everywhere is just the basic way to go. As such, I don't think it's a good idea, though, to put a system in your passwords. Hacking attempts are automated and getting smarter every day. It's only a matter of time until someone unleashes an AI to look for patterns and you are toast.

I recommend to juse a decent password manager that generates them for you and as much MFA as possible.

[–] [email protected] 4 points 4 days ago

Just use is now j'use

[–] [email protected] 6 points 4 days ago

On one hand, it's probably not that unlikely that an attacker gets 3 samples if the email or username gets reused a lot, on the other hand I wonder how well automated password crackers deal with systems like this. 'one good pattern with a couple of extra characters per site' seems like a pretty common password system.

[–] [email protected] 1 points 4 days ago

If this person is scared of having passwords stored, you can tell them about lesspass. It is available as a website where everything happens inside the browser, a browser plugin or an Android app, and it uses crypto derivation to generate unique passwords for each site.
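What "crypto derivation" buys over the prefix scheme, as an added example; this is a simplified illustration of a stateless per-site generator and not lesspass's actual algorithm, profile format or output. The master secret, site names, login and the 70-symbol alphabet are constructed for the example; the counter input is my addition to show how a forced reset at one site is handled:

```python
"""Deterministic per-site passwords from a master secret via PBKDF2.
Added example; a simplified illustration, not lesspass's real algorithm."""
import difflib
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols (assumed charset)


def derive_site_password(master: str, site: str, login: str,
                         length: int = 20, counter: int = 1) -> str:
    """Stretch master with PBKDF2-HMAC-SHA256, salted with site, login and a
    counter, then convert the 256-bit output to the target alphabet by
    repeated division (bias is negligible: 2^256 >> 70^20). Bumping counter
    gives an unrelated password when a site forces a reset."""
    salt = "\x00".join([site, login, str(counter)]).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def longest_shared_run(a: str, b: str) -> int:
    """Length of the longest substring two passwords have in common: how much
    one leaked password reveals about a sibling."""
    m = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return m.find_longest_match(0, len(a), 0, len(b)).size


if __name__ == "__main__":
    master = "SWydThIThBaPl!690720"  # the post's core, reused here as a master secret
    lemmy = derive_site_password(master, "lemmy.world", "alice")
    proton = derive_site_password(master, "proton.me", "alice")
    print(lemmy, proton, sep="\n")
    print("longest shared run, derived pair:", longest_shared_run(lemmy, proton))
    print("longest shared run, prefix scheme:",
          longest_shared_run("leumSWydThIThBaPl!690720", "prilSWydThIThBaPl!690720"))
    print("after a forced reset:", derive_site_password(master, "lemmy.world", "alice", counter=2))
```

The master never appears in any site password, so a leak at one site yields nothing reusable elsewhere (the two derived passwords share at most a character or two by chance, against a 20-character shared run in the prefix scheme); the cost is that the master still has to be strong, since anyone holding a leaked site password can run the same derivation offline against master-password guesses.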

[–] [email protected] 86 points 4 days ago (4 children)

I used to do this. Have a system for generating a unique password for each site. But then one site got hacked and I had to reset my password, and I couldn't use the old password. So I had to make a new system. You see the problem.

[–] [email protected] -4 points 4 days ago (4 children)

That doesn't really answer the question though, you just assumed that attackers would instantly figure out your system with a sample size of 1. How do they do that? Not saying that they definitely can't, but I want to see logical arguments before I believe it.

[–] [email protected] 3 points 4 days ago (2 children)

KeePassXC can tell you if a password is secure ("entropy", "health check", they also use an online service to check for leaked/known passwords).

[–] [email protected] 9 points 4 days ago (1 children)

I doubt it can figure out whether a password system is secure. I'd be surprised if "leumSWydThIThBaPl!690720" didn't get a decent score, though.

[–] [email protected] 2 points 4 days ago

I can't say with complete certainty, but 1password at least does have a flag if I use the same password for multiple accounts. I don't know if it'd identify this or not
