5 comments

[ 2.9 ms ] story [ 21.2 ms ] thread
This is not at all a secure scheme. I would not be surprised to find a set of JohnTheRipper patterns already available to test these possibilities against a password hash leak.

Just use a password manager, let it generate a random password for each website, and let it do the 'remembering' and the submitting of the password to the website.

Some of us don't want to install things. Installing things like that is another layer of surface attack: you should trust the developers, code has no bugs/weakness, etc. Plus it's a single point of failure, once your manager is compromised, all services is compromised also!

It's adding few bits of strength to the current password that you already have. It's not making it weaker to some patterns guesser.

> once your manager is compromised, all services is compromised also

Which is much less likely than a weak password being reused and subsequently getting JackTheRipper revealed.

> It's not making it weaker to some patterns guesser.

Any password based upon any dictionary word, even with a few extra bits tacked on like this approach suggests, is incredibly weak in the face of a JackTheRipper or HashCat attack. The scheme proposed here would fall quickly from a leak of the password hashes to a HashCat GPU dictionary attack.

The only secure password in today's world of GPU password attacks is the truly random jumble of characters that few humans have the ability to memorize. And even the few who could memorize a few random jumbles likely could not remember 40 or 50 separate random jumbles. And 40 or 50 separate passwords for 40 or 50 separate online systems is not an unreasonable number. Therefore the need for using a password manager.

> Any password based upon any dictionary word, even with a few extra bits tacked on like this approach suggests, is incredibly weak in the face of a JackTheRipper or HashCat attack. The scheme proposed here would fall quickly from a leak of the password hashes to a HashCat GPU dictionary attack.

You don't get the point of making it's unique. Even if the password is shown because of the advanced bruteforcing, the password can't be used to other services. Hackers will try the password to other services and when it's not working, it's going to ignore it and just try another password.

It's very unlikely that the hackers will try to guess how to reconstruct your original password from the one that he already has.

> .. a weak password being reused ..

The password is not re-used, it's unique for each website.

> Which is much less likely...

Again, you should trust the manager. You should trust the software where you install the manager. and on and on..

What worst is that probably people will use again a weak password for the manager thinking that it's safe.

let me try this one and see how it works