Patterns in password creation over multiple passwords

It depends on what kind of attack you are trying to protect against:

  • If your password is one among millions in a data breach where the attacker isn't targeting you specifically, then your password is effectively 10 random characters long instead of 8. It will be harder to crack.
  • If an attacker is targeting you, and knows about your pattern, then it gives you no protection at all.
  • If an attacker is targeting you, and doesn't know about the pattern, it could help until the attacker finds out about it. Breaking one account would give a little help, breaking two would make the pattern obvious and hence useless.

So your system could be helpful sometimes, but not always. Or in other words: your "effective" password length will be somewhere between 8 and 10 depending on your threat model. But unless you have some specific reason not to, I would forget all about clever systems and just install a password manager instead.


So far the answers have been for "If I as a user add '.p' to the end of all my passwords on various sites".

So I'd like to tackle the other possibility the original question could mean: "If I as a system programmer add '.p' to the end of all my users' passwords".

What you're describing is called a "pepper": an application-specific snippet that's tacked onto the password before hashing.

So what does this get you?

  • It prevents dictionary attacks (since the attacker wouldn't know that every password has a specific string of characters appended to the end.)
  • It prevents a breach in another set of credentials from compromising yours (since there's no way another system's Hash(Password) would match your Hash(Password+AppSpecificPepper)).

What does it not get you?

  • It doesn't prevent one password being cracked from cascading to all accounts with the same password, since Hash(Password+Pepper) would match for all accounts with the same password.

So, when it's all said and done? Absolutely - add the '.p' (or a much longer secret string) to the end of users' passwords. It makes the passwords more secure than just the original 8 chars alone - worst case, the attacker manages to compromise the app and get the pepper, in which case you're only as bad off as if you hadn't used a pepper in the first place. But make sure to add a Salt as well, so you don't let an attacker compromise multiple accounts with a single password crack.
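The salt-plus-pepper scheme this answer recommends, as an added example that is not part of the original answer: the pepper is bound to the password with HMAC (a keyed variant of the Hash(Password+Pepper) idea), a random per-user salt goes into PBKDF2, and two helper functions make the answer's two claims checkable: a different pepper never verifies (no cross-system match), and with a fixed salt two users sharing a password share a hash (the cascade the answer warns about). The `PEPPER` value, the iteration count and all function names are assumptions made up for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Hypothetical application-wide secret (the "pepper"). In a real deployment it
# lives in the application's config or secrets store, never in the database
# next to the hashes; if it leaks you are back to salted hashes only.
PEPPER = b"example-pepper-do-not-use-in-production"

PBKDF2_ITERATIONS = 100_000  # example work factor, tune for your hardware


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes    # per-user random salt, stored alongside the digest
    digest: bytes  # PBKDF2-HMAC-SHA256 over the peppered password


def pepper_password(password: str, pepper: bytes = PEPPER) -> bytes:
    """Bind the pepper to the password as an HMAC key.

    Plain concatenation Hash(Password + Pepper) also works, but HMAC keeps the
    pepper a proper key and removes any ambiguity about where the password
    ends and the pepper begins.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER) -> StoredCredential:
    """Derive a stored credential: pepper first, then salt + slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pepper_password(password, pepper),
                                 salt, PBKDF2_ITERATIONS)
    return StoredCredential(salt=salt, digest=digest)


def verify_password(password: str, cred: StoredCredential,
                    pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pepper_password(password, pepper),
                                    cred.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, cred.digest)


def hashes_collide(password: str, per_user_salt: bool) -> bool:
    """Do two accounts with the same password end up with the same digest?

    With a fixed salt (standing in for 'no salt') the answer is yes, so one
    cracked hash cascades to every account sharing that password. With a
    random per-user salt the digests differ even though the pepper is shared.
    """
    if per_user_salt:
        a = hash_password(password)
        b = hash_password(password)
    else:
        fixed_salt = b"\x00" * 16
        a = hash_password(password, fixed_salt)
        b = hash_password(password, fixed_salt)
    return a.digest == b.digest


if __name__ == "__main__":
    cred = hash_password("hunter2")
    print("correct password verifies:", verify_password("hunter2", cred))
    print("other app's pepper verifies:", verify_password("hunter2", cred, b"other-app"))
    print("collision, fixed salt:", hashes_collide("hunter2", per_user_salt=False))
    print("collision, per-user salt:", hashes_collide("hunter2", per_user_salt=True))
```

The pepper is applied before the salt so that a leaked database alone (salts and digests) is useless without the separately stored secret, while the salt still guarantees that identical passwords produce unrelated digests.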


No more, no less secure. An attacker has no clue even if he reveals one of your passwords (unless you use two digits as your suffix, which is the common setting in an attacker's attack rules).

But if the attacker reveals two or more of your passwords and tries to break others of them, he will certainly see the pattern and employ it.

Tags:

Passwords