What an optimist! somecrappysite.com was probably storing your password in plaintext to begin with and it probably got pulled from the database long before you logged in again.
Having said that, this is an absolutely terrible solution for real-world usage because it inhibits people who are already security savvy from using better solutions like Stanford pwdhash or similar methods.
The proposed solution adds little to no real world security (see my other post about how easy it would be to guess which part is the random one which makes this system not useful unless almost all sites use it, which will never happen). Given little to no real world security gain from the described system, it certainly isn't worth breaking an existing system that works just fine and securely even if for just a minority of people.
"This USB key is your identity card." is a simple concept to understand, and better than a password.
It might be a good idea to enforce non-password reuse, but the proposed solutions seem fairly aggravating. In particular the 'webmaster' solution of requiring inclusion of a fixed string is extremely annoying (oops, sorry users who use cryptographically derived passwords (http://passwordmaker.org/)), and doesn't solve the problem since someone with your "main" password can probably guess the "derived" password (e.g., the main password with the mandatory substring appended to the end).
My solution as a user is to just use a password manager. I use clipperz(http://clipperz.com/), but there's plenty others out there.
* Edited to remove markdown-style links. Forgot it wasn't supported here.
Have the application store in a secureDB in the cloud your encrypted list of passwords. These would be encrypted with a master pwd stored in the local pwd repository of your (mobile) browser.
The idea would be to have the browser do all the leg work for you and have the pwd management service available form anywhere.
The browser would automatically generate a new complex pwd for each new website you subscribe to, then encrypt it and send it over to the pwd mgmt app in the cloud.
When you authenticate to the website, the browser queries the pwd mgmt app for the pwd of the site. The app sends it to the client.
In this whole process the whole encryption/decrpytion happens locally, thus limiting the attack surface. It would be easy to use and overall seamlessly integrated with any device you own that has access to the internet.
Ah, that's a little better. I still think the security gained is not enough to justify how much of a usability problem this could be, though. Assuming the per-user fixed substring is a secret, you're basically assigning the user's password (though giving them an option to strengthen it with their own 'root' password). If it's not secret then not much security is gained.
> How could you enforce the usage of a password manager?
I don't know of a good way. Although if every site starting assigning (part of) the password, as above, I suppose that would do it.
eg: mysillypasssoqpword Yeah, I think I can guess what happened there.
If you restrict my password options in anyway I will use your site less.
Here is the result for HackerNews:
here for Facebook:
(I can create them practically in my sleep. The algorithm is personal and easy)
To determine the algorithm, one would need plain text from two sites and be able to match them. Now, everytime a site limits my freedom to creating the password I want (assuming I can't provide my own security - by demanding a capital, a number, a this a that) I default to the same password. If they get one site with my simple pass, they get all the sites on which I use it.
When you put constraints on my password creation, you make my online life MORE insecure, not less.
Free my password. Don't tell me what I can and can't do. Offer a full page of help describing to those who don't care what they should do. But don't force them.
I have a base password and I add the first several characters of the site to the middle.
Facebook - sdfb231a2
Hacker News - sdyc231a2
Yahoo - sdya231a2
For strong passwords I can add a suffix to further strengthen the password.
PayPal - sdpa231a2a4
I use the same suffix for all "strong" passwords. If a site requires a capital letter I always capitalize the first letter.
I've gone to create an account with a site, been told I already have an account and I get the password in 1 guess because I'm so consistent with creating them.
I don't know why everyone doesn't do this.
I guess the same thing you'd do if you ran across a site with this well intentioned but terrible idea: write it down or email it to yourself.
The only sane thing you can do as a developer is let users chose any password they like, regardless of how insecure you think it is. Store it correctly and that's the end of your involvement. Let your users do what they want, or you'll just make things worse.
They are the only ones.
I'm also concerned about a targeted attack against my online identity. I've had a couple of online acquaintances be the victim of targeted attacks, one holding accounts hostage as a sort of online blackmail. Someone who compromises a couple of random forums and picks up on the pattern now has the key to your online identity. I'd mitigate it somewhat by using multiple prefixes and suffixes, one set for 'throwaway' accounts and others for more important stuff. Even that tactic has issues, do you remember to change your password for that throwaway site that blew up with success and now your account is part of your online identity?
The alternatives aren't too reassuring though, I balance these risks against the possibility of my KeePass, LastPass or browser password list getting compromised.
No longer a federal crime, maybe? Probably still get an angry mob with pitchforks outside your window.
It's a nice idea, but in practice, it would drive you insane because the web is not a nice uniform entity where everyone plays by a pre-arranged set of rules.
Just use LastPass and let it autogenerate passwords for you. It's stupid easy, and super effective. LastPass will even tell you how many sites you're using the same passwords on! ( https://lastpass.com/index.php?securitychallenge=1&fromw... )
Force a per site password policy on end users other than length is super annoying. The worst kind are those who restrict you to use only alpha-numeric passwords.
Down with manual password policies!
I advocate the use of password managers, but they don't offer "password same" warnings either.
My point: it's a best-practice feature option which should be implemented widely. People can turn it off if they want.
* insist it's the username,
* insist it is in the password somewhere, or
* make them type the string in a third logon field
It adds friction to the process in order to solve a problem that is not "ours" to solve.
An option with less friction would be to ask them to choose a picture from 16 candidates. The 16 candidate photos would need to be generated from the username to avoid the ability to refresh the page and find the persistent image. Each image could have the random characters associated with it to be used as an addendum to the salt, or for whatever purposes on the back end which the random characters are supposed to accomplish.
It would be quite easy to write a script to detect the similarity with the two passwords (9 characters in common, same positions, same length = 12).
You should never use the same password across sites, nor should you use the same password system unless that system is secure. Assuming you can keep your algorithm for password generation private, passing this through a one-way hash function might then strengthen your password a bit (at least a hacker couldn't easily visually derive your password algorithm, or that you are using one) but this still isn't perfect.
Generally it's not a good idea to tell people how to construct passwords unless you're an expert in cryptography. I'm not, so please don't take any of this as advice on how to construct a password. It's advice on how not to, if anything.
For everyone else, there are programs like LastPass and 1Password that make this easy.
There were plenty of passwords like this in the recent LinkedIn leak.
I'll say it again, just use a password manager. It generates random, complex passwords. It memorizes them for you. It pre-populates forms. They are locally encrypted and can be synced by themselves or with other tools. They can even be protected with two factor auth.
My mother uses LastPass. So can you.
This is not about us.
Enforcing this kind of thing on the masses won't make for stronger passwords, it will just have them opening up notepad.exe and saving this sites too-hard-to-remember-because-it-has-too-many-rules password on ~/Desktop/logins.txt
I don't care what we do about the rest of them. Make a bigger black list, require more complex passwords, implement better protections against brute force.
The easiest one (to use and implement) is two-factor auth, but many people lack smartphones still so it's hard to make that the easy call.