I do this but I'd love to have someone tell me why this is a terrible idea (apart from the obvious one of using a 3rd party sha256 calculator)
1. Have a very short prefix and a suffix I can expect to remember
2. Password for every website gets generated like this <prefix> + website name + <suffix>
3. Generate SHA256 hash of #2
4. Use #3 as password for the site.
5. Save password to password manager
Pros -
1. losing a password on one site doesn't compromise the pattern on others because cracking sha256 is still not possible (afaik)
2. relatively easy rules to create new password
3. If I HAVE to login on a computer without my password manager (e.g., public workstation), I can regenerate my password on the fly.
Cons -
1. I use an external sha-256 calculator
2. Some sites enforce password length and arbitrary case/symbols rules. Have to manipulate generated password by hand
1. This relies on a mistaken expectation that all sites you use being able to accept SHA256 output - presumably in Base64 or similar- as an acceptable password. You will likely have to compromise this.
2. You have no credential expiry built into this approach. Even should you decide to not use credential expiry, if one site demands it, your strategy doesn't work.
3. You are still at risk of having your passwords leak because: Anyone who compromises a public machine on which you generated your password manually (eg leaving any traces in logs, bash history etc) who eyeballs your SHA256 input prefix_ashleymadison.com_suffix , now has very clear reasons to expect they can generate passwords based on prefix_facebook.com_suffix and pre_barclaysbank.com_suffix because your credentials between sites are now not independent of each other, and worse, directly suggest each other.
Ignoring keyloggers and bash history issues etc any simple 'over the shoulder' attacker, likewise, get a pretty good guess at all of your passwords all at once by observing you generate a password for one site just once.
In short, if you attempt to use an approach like this, you no longer just have to protect your password, you have to absolutely protect the knowledge of the algorithm by which you generate your password for different sites. This being compromised just once potentially compromises all your passwords, substantially widening the ways in which you can be harmed.
At some point a site you use will be compromised, so you have a problem as that site will require a new password.
So your login routine is now:
* Generate your password via hash(prefix + sitename + suffix), and use it on every site, except that compromised one. Because it invalidated your old password and won't let you reuse it.
In short you have a versioning problem. And you have to remember it. The problem compounds for each site you use which insists upon a change for whatever reason.
(Also your own "con" - different sites have different restrictions/caveats for password formats.)
Use a password-manager, it really is the best way to have a unique and secure password for each site.
I do use my Mac's Keychain Access. My issue started when I had to use a work computer for logging into a newspaper account and I couldn't remember what it was because it was saved on my personal laptop. That's when I came up with this scheme.
> versioning problem
Someone else pointed this out as well. Thanks for thinking this thru.
I'm not sure what you are saying ... should I memorize dozens of passwords like WCLfx(edI%uHgjWM6RuEeC6Qh for the services I use or should I strap on getting those dozens of services to use a perfect SSO service that doesn't leak privacy and is perfectly secure and doesn't exist yet?
(And you do need to memorize your password manager password - and your main email account password as well)
Also a lot of leaked passwords were strong, they just got compromised because someone didn't know about 70's password security basics.
Should we just never use any leaked password ever again? (Note I'm not saying: with the same login - or any of the "top 100") Should we really trust all of our passwords to one service that might get compromised or just go away?
Should we bother creating a strong unique password for that new cool SF startup that doesn't know how to use bcrypt?
If it is well integrated with your browser it's quite ok. Maybe not as convenient as using the same simple password everywhere but certainly a lot better than having to remember a lot of different passwords ;)
I personally prefer _not_ integrating my password manager with my browser, even though the option is available. Instead my password manager performs manually-activated autotyping which, while less convenient, does at least 'feel' like it's more secure.
I trust my OS to isolate applications from eachother more than I trust my browser to isolate extensions from the page they run on. LastPass in particular have had their browser extension exploited[0].
1. Have a very short prefix and a suffix I can expect to remember 2. Password for every website gets generated like this <prefix> + website name + <suffix> 3. Generate SHA256 hash of #2 4. Use #3 as password for the site. 5. Save password to password manager
Pros - 1. losing a password on one site doesn't compromise the pattern on others because cracking sha256 is still not possible (afaik) 2. relatively easy rules to create new password 3. If I HAVE to login on a computer without my password manager (e.g., public workstation), I can regenerate my password on the fly.
Cons - 1. I use an external sha-256 calculator 2. Some sites enforce password length and arbitrary case/symbols rules. Have to manipulate generated password by hand