SpookyAwol
  #2042299 22-Jun-2018 10:46

I tend to use a composite key for passwords so that it works over multiple sites.
Generally the requirement is for capitals, numerics and symbols.

So what I do is have a master password, e.g. "ExtremelyHardPassword".
Then I would follow up with a unique identifier for the site/app based on its name, e.g. for NZ Herald I might use "NZH".
Following that, I might use a master end string, e.g. "#14".
So my complete password would be "ExtremelyHardPasswordNZH#14".

For another site, such as Geekzone, it would be "ExtremelyHardPasswordGZ#14"

That way with multiple sites, I only need to concentrate on getting the unique identifier right.

Any real flaws with that concept?




jonathan18
  #2042312 22-Jun-2018 11:37

Rickles:
    ...BUT what happens if -
    (a) someone steals my laptop and happens upon the 'master' password … do they then have rampant access to all my websites/accounts simply because the password manager then allows it?

Won't the outcomes of this also partly depend on whether one has 2FA enabled for the password manager app, and how this is set up?

I've got 2FA set up with LastPass, but have also set my laptop as a trusted device for 30 days, so if someone had access to my laptop, my laptop password or passcode, and my master password then sure, there's nothing I can do. I guess the option is still there not to set a device as trusted, so you'd need to enter a 2FA code each time. That would be a nightmare in terms of practicality, but more secure.

Given I think it's incredibly unlikely someone will have access to all three things (actual device, device password/code, password manager 'master password'), I'm not too worried... Whether anyone should have a device set up without password protection would be a good starting point!


Varkk
  #2042313 22-Jun-2018 11:38

SpookyAwol:
    I tend to use a composite key for passwords so that it works over multiple sites.
    Generally the requirement is for capitals, numerics and symbols.

    So what I do is have a master password, e.g. "ExtremelyHardPassword".
    Then I would follow up with a unique identifier for the site/app based on its name, e.g. for NZ Herald I might use "NZH".
    Following that, I might use a master end string, e.g. "#14".
    So my complete password would be "ExtremelyHardPasswordNZH#14".

    For another site, such as Geekzone, it would be "ExtremelyHardPasswordGZ#14"

    That way with multiple sites, I only need to concentrate on getting the unique identifier right.

    Any real flaws with that concept?

The flaw is when a site with poor password security gets popped and plaintext passwords get leaked: then we can see what "ExtremelyHardPassword" is. Then someone can try "ExtremelyHardPasswordBANKNAME#14" on your bank account. It would be easy enough for someone to script that sort of pattern hunting and login attempts.

It might be acceptable for sites with no real repercussions, e.g. Herald comments etc., but for all that effort you may as well use a real password manager.
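To put a number on the reuse Varkk describes, here is a small password-reuse audit of the kind a password manager runs over a vault (an added example, not code from the thread or from any product). It measures the longest run of characters two passwords share; for the two composite passwords quoted above, a plaintext leak of one hands over most of the other. The sample vault and the "bank" password are constructed for the demo.

```python
def longest_common_substring(a: str, b: str) -> str:
    """Longest run of characters present in both strings (classic DP)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)  # prev[j]: common-suffix length of a[:i-1], b[:j]
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_fraction(a: str, b: str) -> float:
    """Fraction of the shorter password that knowing the other one reveals."""
    if not a or not b:
        return 0.0
    return len(longest_common_substring(a, b)) / min(len(a), len(b))


def audit_vault(vault: dict, threshold: float = 0.5) -> list:
    """Flag site pairs sharing a long core: (site1, site2, core, fraction), worst first."""
    findings = []
    sites = sorted(vault)
    for i, s1 in enumerate(sites):
        for s2 in sites[i + 1:]:
            frac = shared_fraction(vault[s1], vault[s2])
            if frac >= threshold:
                core = longest_common_substring(vault[s1], vault[s2])
                findings.append((s1, s2, core, frac))
    return sorted(findings, key=lambda f: f[3], reverse=True)


# Constructed sample vault: the two passwords quoted in the thread plus one
# unrelated, made-up random-style password for contrast.
SAMPLE_VAULT = {
    "nzherald": "ExtremelyHardPasswordNZH#14",
    "geekzone": "ExtremelyHardPasswordGZ#14",
    "bank": "q7!Rv2m#Lp9xZ",
}

if __name__ == "__main__":
    for s1, s2, core, frac in audit_vault(SAMPLE_VAULT):
        print(f"{s1} / {s2}: {frac:.0%} shared via {core!r}")
```

The only pair flagged is the two composite passwords, which share "ExtremelyHardPassword" (21 of the 26 characters of the shorter one); the independently generated "bank" entry shares nothing worth reporting with either.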




dt
  #2042321 22-Jun-2018 11:58

Varkk:
    SpookyAwol:
        Any real flaws with that concept?

    The flaw is when a site with poor password security gets popped and plaintext passwords get leaked: then we can see what "ExtremelyHardPassword" is. Then someone can try "ExtremelyHardPasswordBANKNAME#14" on your bank account. It would be easy enough for someone to script that sort of pattern hunting and login attempts.

    It might be acceptable for sites with no real repercussions, e.g. Herald comments etc., but for all that effort you may as well use a real password manager.

Here's a really good video that explains what Varkk just mentioned and how easy it is with all these tools readily available online now.

https://www.youtube.com/watch?v=7U-RbOKanYs

I really like his vids; he makes it really easy to understand what he's talking about.

