
How to Get a Strong, Unique, and Memorable Password for Each Website - the_dave_santos
https://dave-santos.github.io/posts/secure-unique-password/
======
pwg
This is not at all a secure scheme. I would not be surprised to find a set of
JohnTheRipper patterns already available to test these possibilities against a
password hash leak.

Just use a password manager, let it generate a random password for each
website, and let it do the 'remembering' and the submitting of the password to
the website.

~~~
the_dave_santos
Some of us don't want to install things. Installing things like that is
another layer of attack surface: you have to trust the developers, that the
code has no bugs/weaknesses, etc. Plus it's a single point of failure: once
your manager is compromised, all services are compromised too!

It's adding a few bits of strength to the password that you already have.
It's not making it weaker against some pattern guesser.

~~~
pwg
> once your manager is compromised, all services is compromised also

Which is much less likely than a weak password being reused and subsequently
being revealed by JohnTheRipper.

> It's not making it weaker to some patterns guesser.

Any password based upon any dictionary word, even with a few extra bits tacked
on like this approach suggests, is incredibly weak in the face of a
JohnTheRipper or HashCat attack. The scheme proposed here would fall quickly
from a leak of the password hashes to a HashCat GPU dictionary attack.

The only secure password in today's world of GPU password attacks is the truly
random jumble of characters that few humans have the ability to memorize. And
even the few who could memorize a few random jumbles likely could not remember
40 or 50 separate random jumbles. And 40 or 50 separate passwords for 40 or 50
separate online systems is not an unreasonable number. Hence the need for a
password manager.

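The attack pwg describes, as an added example that is not part of the original post or thread: a mangling-rule guesser run over a leak of unsalted hashes. The per-site scheme used here (dictionary word + a few letters of the site's domain + a digit) is a hypothetical stand-in, not the scheme from the post; the wordlist is a constructed ten-word toy and SHA-256 stands in for whatever fast unsalted hash the leaked site used. The same guesser is then run against a manager-generated random password to show why the rules never reach it.

```python
import hashlib
import math
import secrets
import string

# Constructed toy wordlist; a real attack uses a rockyou-sized list.
WORDLIST = ["password", "sunshine", "dragon", "letmein", "welcome",
            "monkey", "football", "sunflower", "princess", "qwerty"]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_site_password(base_word, site, digit=1):
    """Hypothetical per-site scheme (an assumption for illustration, not the
    scheme from the post): base word + first three letters of the site's
    domain, capitalised, + one digit."""
    token = site.split(".")[0][:3].capitalize()
    return f"{base_word}{token}{digit}"


def fast_hash(password):
    """Stand-in for the unsalted fast hash found in many leaks."""
    return hashlib.sha256(password.encode()).hexdigest()


def rule_candidates(wordlist, site):
    """Yield guesses the way a mangling-rule attack would. The attacker
    knows the site name from the leak, so site-derived tokens are cheap:
    rules are word (as-is / Capitalised) + site token (1-4 letters of the
    domain in lower/Title/UPPER, or none) + 0-2 trailing digits."""
    label = site.split(".")[0]
    tokens = [""]
    for n in range(1, 5):
        frag = label[:n]
        tokens += [frag.lower(), frag.capitalize(), frag.upper()]
    suffixes = [""] + [str(d) for d in range(100)]
    for word in wordlist:
        for base in (word, word.capitalize()):
            for tok in tokens:
                for suf in suffixes:
                    yield f"{base}{tok}{suf}"


def crack(target_hash, candidates, budget):
    """Run the guesser. Returns (password, guesses_made), or (None, guesses)
    when the budget or the candidate stream is exhausted."""
    guesses = 0
    for cand in candidates:
        if guesses >= budget:
            break
        guesses += 1
        if fast_hash(cand) == target_hash:
            return cand, guesses
    return None, guesses


def random_password(length=16):
    """What a password manager generates: uniform over the alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace_bits(alphabet_size, length):
    """Entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def rule_space_bits(wordlist_size, site_tokens=13, suffixes=101, case_variants=2):
    """Size of the rule-attack search space above, in bits; this is the
    effective strength of 'dictionary word + a few site-derived bits'."""
    return math.log2(wordlist_size * case_variants * site_tokens * suffixes)


if __name__ == "__main__":
    site = "github.com"
    derived = derive_site_password("sunflower", site)
    found, n = crack(fast_hash(derived), rule_candidates(WORDLIST, site), 100_000)
    print(f"derived {derived!r}: recovered={found!r} after {n} guesses "
          f"(search space ~{rule_space_bits(len(WORDLIST)):.1f} bits)")
    rnd = random_password()
    found_r, n_r = crack(fast_hash(rnd), rule_candidates(WORDLIST, site), 100_000)
    print(f"random password: recovered={found_r!r} after {n_r} guesses "
          f"(keyspace ~{keyspace_bits(len(ALPHABET), 16):.1f} bits)")
```

Uniqueness per site does stop the recovered password from being replayed elsewhere, but it does not slow the crack of the leaked site itself: the site token is public, so the whole "unique" part costs the guesser a dozen extra rules, and a GPU rig runs billions of such candidates per second against unsalted hashes. The random password is only reachable by exhausting roughly 2^105 candidates, which is why the thread's point is about keyspace, not about memorability.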
~~~
the_dave_santos
> Any password based upon any dictionary word, even with a few extra bits
> tacked on like this approach suggests, is incredibly weak in the face of a
> JohnTheRipper or HashCat attack. The scheme proposed here would fall quickly
> from a leak of the password hashes to a HashCat GPU dictionary attack.

You don't get the point of making it unique. Even if the password is revealed
by advanced brute-forcing, it can't be used on other services. Hackers will try
the password on other services and when it doesn't work, they'll ignore it and
just try another password.

It's very unlikely that the hackers will try to guess how to reconstruct your
original password from the one they already have.

> .. a weak password being reused ..

The password is not reused, it's unique for each website.

> Which is much less likely...

Again, you have to trust the manager. You have to trust the software where you
install the manager, and on and on..

What's worse is that people will probably use a weak password again for the
manager, thinking that it's safe.

