Enforcing Different Passwords for Different Sites

29 points | zohaibr | 13 years ago | diegobasch.com

50 comments

[+] georgemcbay|13 years ago|reply
"Now, one fine day somecrappysite.com gets hacked. The next time you visit, the web page has malicious code that sends your password in plaintext to someone. There go your Paypal funds, your Facebook account, your online life."

What an optimist! somecrappysite.com was probably storing your password in plaintext to begin with and it probably got pulled from the database long before you logged in again.

Having said that, this is an absolutely terrible solution for real-world usage because it inhibits people who are already security savvy from using better solutions like Stanford pwdhash or similar methods.

[+] diego|13 years ago|reply
Right, but those people are the one percent. How do we help the vast majority?
[+] sporksmith|13 years ago|reply
I agree this is a major issue, and in fact was specifically covered in an earlier xkcd (http://xkcd.com/792/) than the one cited (http://xkcd.com/936/).

It might be a good idea to enforce non-password reuse, but the proposed solutions seem fairly aggravating. In particular the 'webmaster' solution of requiring inclusion of a fixed string is extremely annoying (oops, sorry users who use cryptographically derived passwords (http://passwordmaker.org/)), and doesn't solve the problem since someone with your "main" password can probably guess the "derived" password (e.g., the main password with the mandatory substring appended to the end).

My solution as a user is to just use a password manager. I use clipperz (http://clipperz.com/), but there are plenty of others out there.

* Edited to remove markdown-style links. Forgot it wasn't supported here.

[+] diego|13 years ago|reply
The point is that the mandatory substring is random and unique to you. The problem with using a password manager is that it implies that you're already savvy enough about the issue. Most people have no idea such a thing exists. How could you enforce the usage of a password manager?
[+] tgrass|13 years ago|reply
Dear god, please let me have the freedom to determine what degree of security I need on a site.

If you restrict my password options in any way I will use your site less.

[+] tgrass|13 years ago|reply
I have an algorithm for creating unique passwords.

Here is the result for HackerNews: kcahu3602122@#)*

here for Facebook: ecafu3602122@#)^

(I can create them practically in my sleep. The algorithm is personal and easy)

To determine the algorithm, one would need plain text from two sites and be able to match them. Now, every time a site limits my freedom to create the password I want (assuming I can't provide my own security - by demanding a capital, a number, a this, a that) I default to the same password. If they get one site with my simple pass, they get all the sites on which I use it.

When you put constraints on my password creation, you make my online life MORE insecure, not less.

Free my password. Don't tell me what I can and can't do. Offer a full page of help describing to those who don't care what they should do. But don't force them.

[+] joeguilmette|13 years ago|reply
I am the only person I know who uses a unique, memorable and strong password for every site I use. I store all of them in my head.

I have a base password and I add the first several characters of the site to the middle.

For example:

Facebook - sdfb231a2

Hacker News - sdyc231a2

Yahoo - sdya231a2

For strong passwords I can add a suffix to further strengthen the password.

PayPal - sdpa231a2a4

I use the same suffix for all "strong" passwords. If a site requires a capital letter I always capitalize the first letter.

I've gone to create an account with a site, been told I already have an account and I get the password in 1 guess because I'm so consistent with creating them.

I don't know why everyone doesn't do this.

[+] jasonkester|13 years ago|reply
What do you do when you log in to your bank and they tell you that your password has expired and that you need to create a new unique 6-8 character password with exactly one capital letter and one number but no special characters? And that it can't contain any part of any of your old passwords?

I guess the same thing you'd do if you ran across a site with this well-intentioned but terrible idea: write it down or email it to yourself.

The only sane thing you can do as a developer is let users choose any password they like, regardless of how insecure you think it is. Store it correctly and that's the end of your involvement. Let your users do what they want, or you'll just make things worse.

[+] mutagen|13 years ago|reply
I've done a bit of this and I suspect a few others have considered something similar, if not doing it themselves. I'm concerned about leaking a couple of these types of passwords, enough for someone to notice the pattern and apply it to the rest of your online presence. I'm sure there are black hats building personal databases of every password leak that goes by and it wouldn't be hard to do some sub-string matching to identify people making simple patterns like this.

I'm also concerned about a targeted attack against my online identity. I've had a couple of online acquaintances be the victim of targeted attacks, one holding accounts hostage as a sort of online blackmail. Someone who compromises a couple of random forums and picks up on the pattern now has the key to your online identity. I'd mitigate it somewhat by using multiple prefixes and suffixes, one set for 'throwaway' accounts and others for more important stuff. Even that tactic has issues, do you remember to change your password for that throwaway site that blew up with success and now your account is part of your online identity?

The alternatives aren't too reassuring though, I balance these risks against the possibility of my KeePass, LastPass or browser password list getting compromised.

[+] paulgb|13 years ago|reply
That seems like what SuperGenPass (http://supergenpass.com/) does, but with more effort and easier to break. Essentially, with SGP you type a master password into the password box and click the button in your browser (you don't have to install anything, just bookmark the javascript). It uses a one-way hash to create a unique password based on the domain.
[+] jtm45|13 years ago|reply
This sparked an idea for me that I think I'll implement going forward - if you sign up with your email address and password, my server will try to login to your email account with those credentials, and if successful, say something like "hey, did you see that email [snippet of first email in inbox]". I feel this might encourage the user to use a different password.
[+] sporksmith|13 years ago|reply
Ha! Clever idea, but I hope you're not serious :). The most likely result would be infuriated users, and quite possibly lawsuits.
[+] sp332|13 years ago|reply
Reading someone's email without permission is a crime. Nice idea though :)
[+] cheald|13 years ago|reply
Big ol' hole here: You can't identify web apps by domain. Are you going to tell me I can't use "password123" as my password on store.foo.com and secure.foo.com (when they both point to the same database and the same user record)? Are you going to assume that passwords may be shared across all TLDs? (so I can re-use passwords on multiple separate apps on the same TLD)

It's a nice idea, but in practice, it would drive you insane because the web is not a nice uniform entity where everyone plays by a pre-arranged set of rules.

Just use LastPass and let it autogenerate passwords for you. It's stupid easy, and super effective. LastPass will even tell you how many sites you're using the same passwords on! ( https://lastpass.com/index.php?securitychallenge=1&fromw... )

[+] diego|13 years ago|reply
Nobody gets the point. The point is that you can't force 99% of the people to use something. What I advocate is enforcement on the part of the browser and / or sites. If the user has the choice to be lazy, no solution works.
[+] fintler|13 years ago|reply
So instead of having websites that require "upper, lower, numeric and special" characters, we'll have sites that require "randomly generated word from two years ago that we hope you remember". It's just another constraint that will never be standard and will be near impossible to remember.
[+] diego|13 years ago|reply
If you use a different password for every site, it's a given that you won't be able to remember them. Storing your passwords securely is a different problem.
[+] vicaya|13 years ago|reply
The desire to enforce unique passwords across sites is understood. You might as well advocate that all browsers implement a built-in password manager a la LastPass and a protocol to auto-generate a password (by the site, to enforce cross-site uniqueness) to be managed by the password manager. Imagine zero password fiddling at signup!

Forcing a per-site password policy other than length on end users is super annoying. The worst kind are those who restrict you to only alphanumeric passwords.

Down with manual password policies!

[+] fluxon|13 years ago|reply
Because browsers already optionally store passwords, adding the "password same" warning would be quite a welcome feature (or add-on), for me anyways (in mobile browsers too).

I advocate the use of password managers, but they don't offer "password same" warnings either.

My point: it's a best-practice feature option which should be implemented widely. People can turn it off if they want.

[+] baak|13 years ago|reply
I'm no expert, but why does this have to be done on the password level? Why can't we just assign usernames to our own sites, and force people to login with those? I know that's incredibly annoying for a user, but it would at least guarantee the user credentials for your site are unique from any other site.
[+] PeterisP|13 years ago|reply
This would mean that there are two "passwords" that I have to remember - the userid and the actual password. Chances are, your site isn't worth it to remember a new uid. (I counted that only 5 out of my 150 stored account passwords are for something worth remembering anything at all.) If you are important (say, paypal or gmail) - do two factor authentication. If you are not - don't bother me. Even creating an account is already more effort than most sites are worth.
[+] mudil|13 years ago|reply
After Gawker was hacked (and my account with it), I have created a website that tells average folks how to solve these issues: http://www.passmix.com/. It's not a perfect solution, but it's way better than the same password for different websites.
[+] anonycoward|13 years ago|reply
From what I've read this (and methods like it) seems to be a common way to generate passwords. This seems to be a somewhat weak implementation though - imagine you used this method with the same base everywhere, and 2 sites were hacked, let's call them InLinked and Kergaw. Using the examples from passmix.com with base 'house cat' I might end up with: 'housei!n8cat' and 'housek!e6cat'. Say I'm targeting you specifically, I look at these two passwords, and I see that they both follow the 'houseX!Y#cat' format. It's only a moment longer before I've a good guess at how the password is constructed, and then try it against your email. Once I've cracked your email I can just use the forgot password feature of any other site to reset your password there.

It would be quite easy to write a script to detect the similarity with the two passwords (9 characters in common, same positions, same length = 12).

You should never use the same password across sites, nor should you use the same password system unless that system is secure. Assuming you can keep your algorithm for password generation private, passing this through a one-way hash function might then strengthen your password a bit (at least a hacker couldn't easily visually derive your password algorithm, or that you are using one) but this still isn't perfect.

Generally it's not a good idea to tell people how to construct passwords unless you're an expert in cryptography. I'm not, so please don't take any of this as advice on how to construct a password. It's advice on how not to, if anything.
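
The similarity check anonycoward describes (9 shared positions out of 12) is the kind of "password same" warning fluxon asks for, and a vault can run it on the user's own behalf. This added example is not from the thread or from passmix.com or SuperGenPass: it scores pairs of stored passwords for shared positions and shared prefix/suffix, and shows that a hash-derived per-site password (a simplified HMAC scheme, not SuperGenPass's actual algorithm) does not trip the check. The vault contents, the 0.6 threshold and the example.com/example.org domains are constructed.

```python
import base64
import hashlib
import hmac
from itertools import combinations


def shared_positions(a: str, b: str) -> int:
    """Characters at the same index in both passwords (0 if lengths differ)."""
    if len(a) != len(b):
        return 0
    return sum(x == y for x, y in zip(a, b))


def common_affix(a: str, b: str) -> int:
    """Common prefix length plus common suffix length; works for unequal lengths."""
    n = min(len(a), len(b))
    pre = 0
    while pre < n and a[pre] == b[pre]:
        pre += 1
    suf = 0  # suffix may not overlap the prefix already counted
    while suf < n - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return pre + suf


def similarity(a: str, b: str) -> float:
    """Fraction of the longer password explained by a shared pattern, in [0, 1]."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 0.0
    return max(shared_positions(a, b), common_affix(a, b)) / longest


def related_pairs(vault: dict, threshold: float = 0.6) -> list:
    """(site, site) pairs whose passwords look like variations of one pattern."""
    return [(s1, s2) for (s1, p1), (s2, p2) in combinations(sorted(vault.items()), 2)
            if similarity(p1, p2) >= threshold]


def derive_site_password(master: str, domain: str, length: int = 16) -> str:
    """Per-site password from a one-way function of master secret and domain (simplified)."""
    digest = hmac.new(master.encode(), domain.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


# Constructed vault: the two passmix-style passwords quoted above, plus two hash-derived ones.
VAULT = {
    "InLinked": "housei!n8cat",
    "Kergaw": "housek!e6cat",
    "example.com": derive_site_password("house cat", "example.com"),
    "example.org": derive_site_password("house cat", "example.org"),
}

if __name__ == "__main__":
    for s1, s2 in related_pairs(VAULT):
        print(f"warning: passwords for {s1} and {s2} look like variations of one pattern")
```

Only the passmix-style pair is reported; the two HMAC-derived entries share nothing recognisable even though they come from the same master secret.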

[+] gms|13 years ago|reply
This will never work for normal people.

For everyone else, there are programs like LastPass and 1Password that make this easy.

[+] unknown|13 years ago|reply

[deleted]

[+] ricardobeat|13 years ago|reply
This is not any safer. One day your linkedin account is hacked, revealing your strong_linkedin_password. How hard is it to guess the facebook one?

There were plenty of passwords like this in the recent LinkedIn leak.

[+] drivebyacct2|13 years ago|reply
I cry every time I read these threads on HN. I've never seen such stubbornness as people desperately convinced that they need to be able to memorize their passwords, or that password managers are the devil.

I'll say it again, just use a password manager. It generates random, complex passwords. It memorizes them for you. It pre-populates forms. They are locally encrypted and can be synced by themselves or with other tools. They can even be protected with two factor auth.

My mother uses LastPass. So can you.

[+] diego|13 years ago|reply
See all my other comments on this thread. Why does your mother use LastPass? How did she learn about it? How about the other 99% of the people? How do you make them use LastPass?

This is not about us.