June 02, 2024, 12:14 PM
Oz_Shadow
Ever think about putting a website name in your password?
I am not suggesting using a password that isn't a reasonably secure password.
I occasionally get those warnings from identity monitoring companies saying a password associated with my primary email as the username has been compromised but they often do not tell me the website. I suspect many are from old website forums where I regularly used the same old password associated with low risk sites.
I was thinking something like the following as a new password format: xA#f14$987golfwebsite
That way I know who had the security breach.
Anyone think that's a bad idea?
I try to keep higher risk login credentials completely unique these days.
June 02, 2024, 12:21 PM
12131
quote:
Originally posted by Oz_Shadow:
I try to keep higher risk login credentials completely unique these days.
Does that mean you have the same password for "low risk" sites?
Whatever your method, make it a difficult one. And uniquely difficult for different sites.
June 02, 2024, 02:19 PM
Pipe Smoker
^^^^^
Re: “Whatever your method, make it a difficult one. And uniquely difficult for different sites.”
Amen. Thank goodness for password managers.
June 02, 2024, 10:37 PM
Beancooker
I use movie quotes. Usually no less than 40 characters. Replace i’s with 1’s or a’s with 4’s and use all correct punctuation and spaces.
As of now, I have never had an issue.
June 02, 2024, 10:43 PM
FenderBender
Think of 5 unrelated 5-letter words, use that, it's mathematically secure enough.
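To put a number on "mathematically secure enough", here is an added example (mine, not FenderBender's or anyone else's in the thread) that computes the entropy of a passphrase built from randomly chosen words and compares it with a random character string of the same length as the format proposed at the top of the thread. The dictionary size of roughly 8,000 five-letter English words and the attacker rate of 1e10 guesses per second are assumptions for illustration; the toy word list is constructed so the code runs offline.

```python
import math
import secrets

# Assumption (not from the thread): a plain English list of 5-letter words has
# on the order of 8,000 entries. Used only to size the entropy estimate.
FIVE_LETTER_DICTIONARY_SIZE = 8000

# Constructed toy word list so the generator runs offline; a real passphrase
# must draw from the full dictionary, never from a list this short.
SAMPLE_WORDS = ["apple", "brick", "crane", "dwarf", "eagle", "flint", "grape",
                "hinge", "ivory", "jumbo", "knelt", "lemon", "maple", "night"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` words chosen uniformly and independently from a
    dictionary of `dictionary_size` entries: log2(dictionary_size ** words)."""
    return words * math.log2(dictionary_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet of
    `alphabet_size` symbols (94 for printable ASCII without the space)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses before hitting the secret: half the keyspace."""
    return 2 ** (bits - 1)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attacker guessing at the given rate."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """Pick words with the CSPRNG. The entropy figures above only hold when the
    words are chosen this way, not when a person 'thinks of' unrelated words."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    five_words = passphrase_entropy_bits(5, FIVE_LETTER_DICTIONARY_SIZE)
    print(f"5 random 5-letter words: {five_words:.1f} bits")
    # The 21-character format proposed in the thread, if every character were random
    # (it is not: 'golfwebsite' is dictionary words, so the real figure is lower).
    print(f"21 random printable chars: {random_string_entropy_bits(21, 94):.1f} bits")
    # Assumed attacker rate: 1e10 guesses/s against a fast, unsalted hash.
    print(f"years to exhaust 5 words at 1e10 guesses/s: "
          f"{years_to_exhaust(five_words, 1e10):.0f}")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The caveat the arithmetic hides: the 64-odd bits only exist if the words are drawn at random. Words a person picks because they are memorable cluster heavily, and a cracker with a frequency-ordered wordlist gets through the likely combinations far sooner than the keyspace size suggests.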
June 03, 2024, 04:04 AM
Beancooker
quote:
Originally posted by FenderBender:
Think of 5 unrelated 5-letter words, use that, it’s mathematically secure enough.
Fender Bender, let us not forget who you are… https://sigforum.com/eve/forum...230020464#3230020464
June 03, 2024, 11:50 AM
Rey HRH
That method works for email addresses, like using ReyHRH+Sigforum@gmail.com. If you start getting spam emails, you know it was taken from Sigforum. But how would it work for passwords? It won't let you know the password that was hacked.
For non-internet passwords, I use something like Bender's formula: Five-words-that-I-always-remember+name of the thing I'm protecting+last word I also remember.
June 03, 2024, 02:42 PM
architect
A properly configured login capability should never ever store a secret "in the clear." Instead, the password is stored in an encrypted or hashed form. When the user enters a challenge, the challenge is encrypted/hashed with the same algorithm before comparison with the stored value. (There is, of course, somewhat more to it than that.)
So anybody presenting "your password" to you must have obtained it from an improperly-provisioned site. Encrypted storage of login secrets has been a best practice since at least the 50's, long before the Internet was built out, or the first web server authored.
It is far more likely that the password was obtained by a "man in the middle" attack, a keystroke logger, or some other interception technique (perhaps via software surreptitiously installed on the compromised provider's system) rather than decoded from some password data store. So associating a compromised password with a particular site does not necessarily implicate that site in the breach (except that they might be negligent in their security policies and/or procedures), and is unlikely to positively determine some entity to "blame."
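The "somewhat more to it" in architect's post, shown as an added example (mine, not code from any poster or site): the stored record holds a per-user random salt, the cost parameters and a slow memory-hard derivation of the password (scrypt from the Python standard library), and login re-derives and compares in constant time. The record format, the cost parameters and the use of the thread's sample password as input are assumptions for illustration, and the clear-text store is included only as the negligent case to contrast against.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters. Assumption: illustrative values, not something the
# thread specifies; raise N for a real deployment as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32
MAXMEM = 64 * 1024 * 1024  # scrypt needs 128 * N * r bytes, here 16 MiB


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Memory-hard derivation: slow to brute-force even with the record in hand."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=DKLEN)


def make_record(password: str) -> str:
    """What a properly configured site stores: algorithm, parameters, a fresh
    random salt and the derived key. The password itself never appears here,
    and two users with the same password get different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    # '$'-separated fields, loosely after the modular-crypt convention (assumption).
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and parameters, then compare in constant
    time so a timing side channel does not leak how many bytes matched."""
    algo, n, r, p, salt_hex, dk_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    candidate = _derive(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def roundtrip(password: str, attempt: str) -> bool:
    """Enrol `password`, then attempt a login with `attempt`."""
    return verify(attempt, make_record(password))


def store_in_the_clear(password: str) -> str:
    """The improperly provisioned case from the post: a breach of this table
    hands the attacker the password itself, with nothing left to crack."""
    return password


if __name__ == "__main__":
    pw = "xA#f14$987golfwebsite"  # the sample password from the thread
    rec = make_record(pw)
    print("stored record:", rec)
    print("login with right password:", verify(pw, rec))
    print("login with wrong password:", verify(pw + "x", rec))
    print("password visible in hashed record:", pw in rec)
    print("password visible in clear-text store:", pw in store_in_the_clear(pw))
```

Note what this does and does not buy you: a breach of the hashed table still lets an attacker run an offline guessing attack against each record, so a weak password falls even when the site did everything right; what the salt and slow derivation prevent is bulk recovery of every password at once.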