PaulNM on 8 Jan 2017 10:47:40 -0800

Re: [PLUG] Lastpass - friend of foe


On 01/07/2017 05:03 PM, Rich Freeman wrote:

> You could also do things like "salt" your passwords with the site
> name.  If somebody steals the password file from fancyforum.com and
> sees that your password is "L33tH@x-fancyforum" they would probably
> guess that your password on dullforum is "L33tH@x-dullforum."
> However, that assumes that a human bothers to read your individual
> password.  In the more likely case that they're scripting things and
> trying the 1M passwords they stole against 5k other sites then they
> probably wouldn't defeat this the way they would if your passwords
> were identical.

While a neat idea, I'd suggest using something other than the site name, or munging the site name in an odd way. The site name alone is easy to test/filter for automatically by munging tools. It may not be common in password crackers yet, but I doubt it'll stay that way. (Think of how John the Ripper and other tools automatically try variants of passwords, like substituting 3 for E and adding numbers to the end.)

In some ways it's worse as you're now flagging the fact you reuse passwords.

- PaulNM
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
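To make the "easy to test/filter for automatically" point concrete, here is an added example written for this page; it is not code from the thread, from John the Ripper, or from any real cracking tool. The breach dump, the usernames, the "dullforum" ground truth and the site-name spellings are all constructed. It does the two things Paul describes: first it filters a leaked plaintext dump for passwords that visibly embed the leaking site's name (which also flags exactly the users who reuse a pattern), then it rewrites each hit for a second site and "sprays" the handful of resulting guesses. The one user who munged the site name in an odd way (reversed) is never even selected.

```python
# Constructed sample "breach dump" from fancyforum: hypothetical users and
# plaintexts, not real data. alice/bob/dave salt with the site name in
# different spellings; carol does not; erin munges the site name (reversed).
FANCYFORUM_LEAK = {
    "alice": "L33tH@x-fancyforum",
    "bob": "Sunshine2016FancyForum",
    "carol": "correcthorsebatterystaple",
    "dave": "ff!Winter99",
    "erin": "L33tH@x-murofycnaf",
}

# Constructed ground truth for dullforum; stands in for its login endpoint.
DULLFORUM_TRUTH = {
    "alice": "L33tH@x-dullforum",
    "bob": "Sunshine2016DullForum",
    "carol": "correcthorsebatterystaple",
    "dave": "df!Winter99",
    "erin": "L33tH@x-murofllud",
}


def site_tokens(site_words):
    """Spellings of a site name a mangling rule would try.

    site_words is the site name split into words, e.g. ["fancy", "forum"].
    This is a deliberately small rule set; real rule files are much larger.
    """
    joined = "".join(site_words)
    return [
        joined + ".com",                              # fancyforum.com
        joined,                                       # fancyforum
        joined.capitalize(),                          # Fancyforum
        "".join(w.capitalize() for w in site_words),  # FancyForum
        joined.upper(),                               # FANCYFORUM
        "".join(w[0] for w in site_words),            # ff (initials)
    ]


def find_site_template(password, tokens):
    """If password embeds one of tokens, return it with that token replaced
    by the placeholder '{SITE}'; otherwise return None.

    Longest tokens are tried first so 'fancyforum.com' wins over
    'fancyforum', and both win over the two-letter initials, which can
    also match inside unrelated words (a false-positive risk in practice).
    """
    for tok in sorted(tokens, key=len, reverse=True):
        i = password.find(tok)
        if i != -1:
            return password[:i] + "{SITE}" + password[i + len(tok):]
    return None


def flag_site_salted(leak, site_words):
    """The attacker-side filter: which leaked users visibly salt with the
    site name, and what their reusable template looks like."""
    tokens = site_tokens(site_words)
    templates = {}
    for user, pw in leak.items():
        tmpl = find_site_template(pw, tokens)
        if tmpl is not None:
            templates[user] = tmpl
    return templates


def guesses_for(template, target_words):
    """Instantiate a template for another site, one guess per spelling."""
    return [template.replace("{SITE}", tok) for tok in site_tokens(target_words)]


def credential_spray(templates, target_words, target_truth):
    """Simulate trying the derived guesses against the target site.

    target_truth replaces a real login attempt (constructed data). Returns
    {user: guess_that_worked}. Only a few guesses per user are needed, so
    this scales to a million-entry dump times thousands of sites.
    """
    hits = {}
    for user, tmpl in templates.items():
        for guess in guesses_for(tmpl, target_words):
            if target_truth.get(user) == guess:
                hits[user] = guess
                break
    return hits


if __name__ == "__main__":
    flagged = flag_site_salted(FANCYFORUM_LEAK, ["fancy", "forum"])
    print("flagged as site-salted:", flagged)
    cracked = credential_spray(flagged, ["dull", "forum"], DULLFORUM_TRUTH)
    print("cracked on dullforum:", cracked)
    print("never attempted (no site token found):",
          sorted(set(FANCYFORUM_LEAK) - set(flagged)))
```

Running it flags alice, bob and dave, cracks all three on dullforum with at most six guesses each, and never touches carol or erin. The same filter is what the "flagging the fact you reuse passwords" remark is about: a site-salted password is a label saying "this template works elsewhere".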