The suffix strategy for password generation is not secure

One of the most common password strategies is to take a random, relatively secure, long base password and then reuse it over and over by appending an easily recalled suffix to that string (usually related to the domain name of the site the password is for).

I.e., let's say you chose jkfd$k#d251mf as your base password.  You dutifully memorize this password.  Then, when you go to various websites, you append an easily recognizable suffix to that password:

jkfd$k#d251mffacebook
jkfd$k#d251mfgoogle
jkfd$k#d251mftwitter

The problem with this is the following.  Let's say you visit badguy.com, whose operator is a criminal looking to harvest passwords.

So you enter your password:
jkfd$k#d251mfbadguy

Now, badguy.com knows this pattern is pretty common, so he can just run a regex like (.*)badguy over what you typed and find out your base password.  At that point, he's got access to any well-known website where you've used that base password.
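To make the point concrete, here is an added example (not code from the original post) that carries the (.*)badguy regex through: one harvested suffix-style password reconstructs every other site's password. For contrast it also includes a keyed per-site derivation (HMAC-SHA256 of the site name under a master secret), which is an added illustration of the property the suffix scheme lacks, not the post's recommendation; the regex finds nothing to strip there, which shows only that the structural leak is gone, not that the derivation is otherwise sound. The base password is the one from the post; the site list and the 16-character output length are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from typing import List, Optional

# Constructed sample values: the base password is the one used in the post,
# the site names are the post's examples plus the hostile site.
BASE_PASSWORD = "jkfd$k#d251mf"
SITES: List[str] = ["facebook", "google", "twitter", "badguy"]


def suffix_password(base: str, site: str) -> str:
    """The suffix strategy from the post: base password followed by the site name."""
    return base + site


def recover_base(observed: str, site: str) -> Optional[str]:
    """The post's (.*)badguy regex, generalised to any site name.

    A site receives the password in the clear at login and can apply this to
    what was typed. Returns the base password, or None when the observed
    string does not end with the site name.
    """
    match = re.fullmatch(r"(.*)" + re.escape(site), observed)
    return match.group(1) if match else None


def passwords_exposed_by_one_leak(observed: str, leaking_site: str,
                                  other_sites: List[str]) -> List[str]:
    """Everything learned from a single harvested suffix-style password."""
    base = recover_base(observed, leaking_site)
    if base is None:
        return []
    return [suffix_password(base, site) for site in other_sites]


def derived_password(master: str, site: str, length: int = 16) -> str:
    """Contrast (added illustration, not the post's proposal): a keyed, one-way
    per-site derivation, HMAC-SHA256 of the site name under a master secret.
    The site name never appears in the output and the master cannot be read
    back out of it, so recover_base() has nothing to strip."""
    digest = hmac.new(master.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def suffix_scheme_is_recoverable() -> bool:
    """True when one harvested suffix password yields every other site's password."""
    leaked = suffix_password(BASE_PASSWORD, "badguy")
    exposed = passwords_exposed_by_one_leak(leaked, "badguy", SITES)
    return exposed == [suffix_password(BASE_PASSWORD, s) for s in SITES]


def derived_scheme_is_recoverable() -> bool:
    """Same check against the keyed derivation: the regex finds no site name to strip."""
    leaked = derived_password(BASE_PASSWORD, "badguy")
    return passwords_exposed_by_one_leak(leaked, "badguy", SITES) != []


if __name__ == "__main__":
    print("suffix scheme: one leak exposes all sites ->", suffix_scheme_is_recoverable())
    print("keyed derivation: one leak exposes all sites ->", derived_scheme_is_recoverable())
```

Running the script prints True for the suffix scheme and False for the keyed derivation; the second result only says the site-name suffix is absent, which is exactly the structure the regex relies on.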

So, next, you say: well, I have two base passwords, one for websites I really trust (say, Google, your bank, etc.) and another for random sites I've never heard of and don't care if they get cracked.

The problem now is that on the supposedly secure sites, you are relying on every one of them to secure all of them: the trusted group is only as strong as its weakest member.  So a bad guy just picks the least secure of your most secure sites, and then he's got access to all of your really secure information.

The idea of simplifying your life with fewer passwords is a fallacy: once you have to recall more than four different passwords, you might as well have a strategy that allows you to recall hundreds.

Copyright © 2010 - 2022 - Doug Tarr