So I’ve been trying to create more secured passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don’t want to mix my personal password manager with my work computer and I also don’t want to remember a complicated 15 character long password to log in every day.

That brings me to my question. I’ve been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow, and I use it for TOTP on most sites (there’s a limit to how many entries in the Yubikey 5). You can also store a password in one of it’s two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different “prefix” for each application? Example: On my banking site I type in “bank” then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don’t know the actual password. Of course I store all passwords, including the Yubikey, in a password manager that’s backed up in the cloud (I use KeePassXC).

Your thoughts? Is this secure or stupid?

  • CryptoKitten@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    ·
    8 months ago

    Using a prefix with a 40 char password is not really a good option because if this was compromised because it was let’s say intercepted then the attackers would easily be able to guess that if there is bank_suffix then facebook_suffix might be a good guess.

    • Eezyville@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      8 months ago

      Really? The example “bank+[40 character password]” was just an example. Obviously I wouldn’t use bank for my banking credentials. I was also under the impression that many websites and applications wouldn’t store or transmit plaintext passwords (I wouldn’t use http for transmitting credentials). I do concede that there is a news story every month about a corporation getting hacked and the user’s passwords were stolen and in plaintext so they could compromise me that way. But I don’t think hackers are really going after me because I’m broke. The government maybe. This is really just so I can have a convenient way to have a complex password. I can’t remember 5 different 15-20 character complex passwords.

      • BoscoBear@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        4
        ·
        8 months ago

        I think you have the right idea. You are using “bank” as a salt so the hash should be acceptably secure.

        • Eezyville@sh.itjust.worksOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          8 months ago

          Yes. And every application has a different salt. I really just hope these websites don’t store plaintext passwords.