[Question] Is this a secure way to generate passwords (sh.itjust.works)

submitted 8 months ago by Eezyville@sh.itjust.works to c/cybersecurity@sh.itjust.works

23 comments fedilink hide all child comments

So I've been trying to create more secured passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don't want to mix my personal password manager with my work computer and I also don't want to remember a complicated 15 character long password to log in every day.

That brings me to my question. I've been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow, and I use it for TOTP on most sites (there's a limit to how many entries in the Yubikey 5). You can also store a password in one of it's two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different "prefix" for each application? Example: On my banking site I type in "bank" then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don't know the actual password. Of course I store all passwords, including the Yubikey, in a password manager that's backed up in the cloud (I use KeePassXC).

Your thoughts? Is this secure or stupid?

you are viewing a single comment's thread
view the rest of the comments

[-] MajorHavoc@programming.dev 12 points 8 months ago* (last edited 8 months ago)

I say go for it.

If you're working on something sensitive enough that a Yubikey isn't good enough security, then the team you're working with should be enforcing other protections like MFA, which mitigate the algorithm risks.

Obliviously, if you get a chain fraudulent MFA requests, change your password approach, though.

Otherwise, it beats what most people are doing by a long way. Casual attacks are going to go through Karen in accountings weak password, not reverse engineering your Yubikey.

Edit: Your prefix length matters here, though. You don't want it to be so short that it volunteers for more scrutiny in a breached data set.

Edit 2: Marcos makes a great point about putting yourself in a position where, when you change your password, it's necessarily extremely similar to previous passwords. That's not great.

this post was submitted on 12 Mar 2024

39 points (93.3% liked)

Cybersecurity

5683 readers

4 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social