Old 7 Aug 2014, 05:11 AM   #7
BritTim
The "e" in e-mail
Some will consider the suggestions below suspect, but they have stood the test of time. If you do not want to use a password generator, such as Bill suggests, here is another pretty secure scheme:
  1. Choose a fairly long and random string of characters (about 12 should be enough) that you use in all passwords.
  2. For each site, have an easily remembered procedure you consistently follow to select 4 unique characters that you prefix to the front of your common password string. This can be as simple as, say, the 8th, 3rd, 2nd and 6th characters of the site name. Add one additional suffix character if the first 4 unique characters match some condition (variable length passwords are slightly better than always using the same length).
The reasons this is pretty secure are:
  • No human looking at a single password will be able to figure out your methodology.
  • Password hashes are designed so that similar substrings in multiple passwords do not yield similar hashes. Thus, brute forcing additional passwords based on a single exposed password is no easier (assuming your methodology remains secret).
Note that, if you sometimes need to use computers that are not your own, it is a bit scary to risk exposing your password database and master password. The scheme above limits your exposure in this case. (Of course, one-time passwords, if available, are preferable.)
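The derivation described in the post, written out as an added example (not BritTim's own code) so the edge cases are explicit: it takes the 8th, 3rd, 2nd and 6th positions from the post, and assumes a constructed suffix condition (the prefix contains a vowel), a lower-case/strip-"www." normalisation of the site name, a wrap-around rule for site names shorter than eight characters, and a sample secret, none of which the post specifies.

```python
# Added example of the position-based scheme from the post above. The suffix
# condition, the normalisation, the wrap-around rule and the sample secret are
# assumptions of this example, not part of the original post.
from typing import List

POSITIONS: List[int] = [8, 3, 2, 6]   # 1-based positions in the site name, as in the post
SUFFIX_CHAR = "!"                      # extra character appended when the condition holds


def normalize_site(site: str) -> str:
    """Reduce a site name to a stable form so the same site always yields the same prefix.

    Lower-cases the name and drops a leading "www." (assumption: the post does not
    say how site names are normalised, so this rule is chosen for the example).
    """
    site = site.strip().lower()
    if site.startswith("www."):
        site = site[4:]
    if not site:
        raise ValueError("site name must not be empty")
    return site


def site_prefix(site: str) -> str:
    """Pick the 8th, 3rd, 2nd and 6th characters of the normalised site name.

    Names shorter than 8 characters have no 8th character; this example wraps the
    position around modulo the length (an assumption, not something the post specifies).
    """
    name = normalize_site(site)
    return "".join(name[(pos - 1) % len(name)] for pos in POSITIONS)


def needs_suffix(prefix: str) -> bool:
    """Constructed condition for the optional extra character: the prefix contains a vowel."""
    return any(ch in "aeiou" for ch in prefix)


def derive_password(site: str, common_string: str) -> str:
    """Prefix the per-site characters to the common string, adding the suffix when the condition holds."""
    prefix = site_prefix(site)
    password = prefix + common_string
    if needs_suffix(prefix):
        password += SUFFIX_CHAR
    return password


if __name__ == "__main__":
    secret = "Xq7#rL2pV9mZ"  # constructed sample; a real common string would be random
    for site in ("example.com", "www.Fastmail.com", "xkcd.com", "x.io"):
        print(f"{site:20} -> {derive_password(site, secret)}")
```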