|PaulNM on 8 Jan 2017 10:47:40 -0800|
|Re: [PLUG] Lastpass - friend of foe|
On 01/07/2017 05:03 PM, Rich Freeman wrote:
You could also do things like "salt" your passwords with the site name. If somebody steals the password file from fancyforum.com and sees that your password is "L33tH@x-fancyforum" they would probably guess that your password on dullforum is "L33tH@x-dullforum." However, that assumes that a human bothers to read your individual password. In the more likely case that they're scripting things and trying the 1M passwords they stole against 5k other sites then they probably wouldn't defeat this the way they would if your passwords were identical.
While a neat idea, I'd suggest using something other than the site name. Or munging the site name in an odd way. The site name alone is easy to test/filter for automatically by munging tools. It may not be common in password crackers yet, but I doubt it'll stay that way. (Think how John the Ripper and other tools automatically try variants of passwords, like substituting 3 for E and adding numbers to the end.)
In some ways it's worse as you're now flagging the fact you reuse passwords.

- PaulNM
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
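The point made in the message above, that a site name embedded in a password is easy to test for automatically, seen from the defender's side as a signup-time password check. This is an added example, not part of the original post; the function names, the leet table and the 4-character minimum are assumptions made for illustration.

```python
import re
from typing import Optional

# Constructed leet table for this example (not taken from any particular tool).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(text: str) -> str:
    """Lowercase, undo common leet substitutions, drop separators and symbols."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))

def site_tokens(hostname: str) -> set:
    """Site-name candidates: every DNS label of 4+ characters except the TLD,
    normalized, plus each one reversed."""
    labels = hostname.lower().split(".")[:-1]
    tokens = {normalize(label) for label in labels if len(label) >= 4}
    return tokens | {token[::-1] for token in tokens}

def embeds_site_name(password: str, hostname: str) -> Optional[str]:
    """Return the site token found inside the password, or None if absent.

    A password policy can reject the candidate when this returns a token:
    the site-specific part adds little, and it advertises a reused base.
    """
    norm = normalize(password)
    for token in sorted(site_tokens(hostname)):
        if token in norm:
            return token
    return None

if __name__ == "__main__":
    # Constructed sample inputs, modelled on the passwords quoted in the thread.
    samples = [
        ("L33tH@x-fancyforum", "www.fancyforum.com"),
        ("L33tH@x-f4ncyf0rum", "fancyforum.com"),
        ("L33tH@x-murofycnaf", "fancyforum.com"),
        ("correct horse battery staple", "fancyforum.com"),
    ]
    for password, host in samples:
        hit = embeds_site_name(password, host)
        print(f"{host}: {'reject, contains ' + hit if hit else 'ok'}")
```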