Is it acceptable practice to only increment a number when changing a password?

If an attacker has found out your password, he can access the system up until you change the password. Changing passwords often prevents attackers that already have your password from having undetected access indefinitely.

Now, if your password is secret-may16 and the attacker is locked out when you change your password, he is certainly going to try secret-june16 as the password. So changing the password in a predictable way is not secure.


You should not use this scheme, because once this password is known to an attacker, he can derive the "later" passwords.

This could be the case in these situations:

  • The password is shared between you and some other trusted persons, and some day you decide to not trust (one of) them anymore. In this case, they could easily guess the next passwords.
  • An attacker gets hold of the password. Once he cracks it (which might take some time) he can then guess the derivations of the password.

By using such "numbered passwords", you destroy the (little) security benefit of changing passwords regularly.

Related Question: How does changing your password every 90 days increase security?


Changing only some portion of the password is [citation needed] very common, and a very bad practice.

Entropy is a measure of how unknown something is. The first time, whether you choose a random fixed beginning or a whole new password, both with the same amount of entropy, the two alternatives will be equivalent. Ok.

For the time you need to change your password, if you are completely sure that no previous password will be discovered, you're also good. Because something that is not known will keep the same amount of entropy.

But... and there's always a but... what if some previous password is recovered? Or two?

That can happen with sites/systems that store previous passwords in plaintext. It can also happen with sites/systems that store previous passwords as hashes.

Because plaintext, well, will easily show that your previous password was IamGod_april16. And someone will try using IamGod_may16... Just changing a part, in some predictable way, will easily expose your new password.

Even if it was stored as a hash: it will be harder when properly done, but what if someone breaks the hash and discovers what your password was? He then will be able to try IamGod_december18, and if you didn't change your scheme in the future... bang! Got hit because of a leak that happened 2 years before.

See that it doesn't matter if the "IamGod_" part is random, is human-readable, or whatever: what kicks you is that some part of it can leak some information: the month, the number, the letter in the end... even if your scheme was "IamGodh", someone could try "IamGodi", "IamGodj", and so on.

So, the first part of the answer to your specific question on whether the (b) scheme is less, equal or more secure than (a): it isn't more secure. Because if you just use a changing number, changing month, changing letter... in the end, it's very easy to try new combinations, be it offline or in some online system.

And there is the second part: even if you devise a very good scheme, and the changing part is in the middle of the password... what if someone recovers 2 or more old passwords? And finds out that they were "3VQ2NMkK", "3VQ3NMkK" and "3VQ4NMkK"? Well, can you see some pattern?

So, (a) and (b) can even be equally secure if your scheme doesn't get detected. But it's a strong assumption that one can devise a good scheme, so, in general, it's very safe to assume that (b) will be less secure, for any kind of system.

Of course, that assumes that the system gets broken somehow: that the database is leaked because someone invades a site, or because some internal folk copies the database, or someone loses the backup tape, or the maiden runs a man-in-the-middle attack inside the company, or because some update in the site leaked the password, or because the Heartbleed attack revealed some passwords, or because the company left one old computer available in the network, or...

Given that those situations (and many more) are beyond your control, the advice is to choose the safe side: just don't assume that old passwords won't be leaked.
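The attacker's side of the argument made in the answers above, as an added example that is not part of any answer on this page: given one leaked old password (the "secret-may16" and "IamGod_april16" cases), or two or more leaked old passwords of the same scheme (the "3VQ2NMkK", "3VQ3NMkK", "3VQ4NMkK" case), derive the candidate next passwords. The rotation schemes handled (trailing month name with optional year, trailing number, trailing letter, and a constant-step counter anywhere in the password) are the ones the answers describe; the sample passwords are constructed for illustration and nothing here touches a real account.

```python
"""Derive likely "next" passwords from leaked old ones (added example).

Shows why bumping a number, month or letter gives an attacker who holds
an old password a very short candidate list for the current one.
"""
import re

# Month names as they typically appear in rotated passwords (hard-coded to
# avoid locale surprises from calendar.month_name).
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def _bump_number(digits: str, step: int) -> str:
    """Increment a numeric string, keeping its zero-padded width ("09" -> "10")."""
    return str(int(digits) + step).zfill(len(digits))


def next_candidates(old: str, count: int = 3) -> list[str]:
    """Candidates an attacker would try after seeing ONE leaked password.

    Recognises a trailing month name (with optional year), a trailing
    number, and a trailing letter. Returns [] when none applies.
    """
    # Scheme 1: "...april16" -> "...may16", "...june16", ...; year rolls over
    # after december. The lazy prefix stops at the shortest split that works.
    m = re.fullmatch(r"(.*?)([A-Za-z]+)(\d*)", old)
    if m and m.group(2).lower() in MONTHS:
        prefix, month, year = m.groups()
        idx = MONTHS.index(month.lower())
        out = []
        for k in range(1, count + 1):
            nxt = MONTHS[(idx + k) % 12]
            nxt = nxt.capitalize() if month[0].isupper() else nxt  # keep casing style
            years_on = (idx + k) // 12
            out.append(prefix + nxt + (_bump_number(year, years_on) if year else ""))
        return out

    # Scheme 2: "...1" -> "...2", "...3", ...
    m = re.fullmatch(r"(.*?)(\d+)", old)
    if m:
        prefix, num = m.groups()
        return [prefix + _bump_number(num, k) for k in range(1, count + 1)]

    # Scheme 3: "...h" -> "...i", "...j", ... (stops at z/Z instead of wrapping)
    m = re.fullmatch(r"(.*)([A-Za-z])", old)
    if m:
        prefix, ch = m.groups()
        last = "z" if ch.islower() else "Z"
        return [prefix + chr(ord(ch) + k)
                for k in range(1, count + 1) if ord(ch) + k <= ord(last)]

    return []


def infer_from_history(history: list[str], count: int = 3) -> list[str]:
    """Candidates after seeing TWO OR MORE leaked passwords of one scheme.

    Finds the character positions that change between samples, checks that
    the changing part moves in a constant step (as a number, or as a single
    letter), and extrapolates. This catches a counter hidden in the middle
    of the password. Falls back to next_candidates() on the newest sample
    when no such pattern is present.
    """
    if len(history) < 2 or len({len(p) for p in history}) != 1:
        return next_candidates(history[-1], count) if history else []

    varying = [i for i in range(len(history[0])) if len({p[i] for p in history}) > 1]
    if not varying:
        return next_candidates(history[-1], count)
    lo, hi = varying[0], varying[-1] + 1
    parts = [p[lo:hi] for p in history]
    prefix, suffix = history[-1][:lo], history[-1][hi:]

    if all(part.isdigit() for part in parts):
        values = [int(part) for part in parts]

        def render(v: int) -> str:
            return str(v).zfill(hi - lo)
    elif all(len(part) == 1 and part.isalpha() for part in parts):
        values = [ord(part) for part in parts]
        render = chr
    else:
        return next_candidates(history[-1], count)

    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) != 1:  # not a constant step: no usable pattern
        return next_candidates(history[-1], count)
    step = steps.pop()
    return [prefix + render(values[-1] + step * k) + suffix for k in range(1, count + 1)]


if __name__ == "__main__":
    # Constructed samples matching the ones discussed in the answers.
    print(next_candidates("secret-may16"))
    print(next_candidates("IamGod_april16"))
    print(infer_from_history(["3VQ2NMkK", "3VQ3NMkK", "3VQ4NMkK"]))
```

Run as a script it prints the short candidate lists for each constructed sample; the point is how few guesses are needed, which is why an online lockout threshold does not save a predictably rotated password.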