39

So I've been trying to create more secured passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don't want to mix my personal password manager with my work computer and I also don't want to remember a complicated 15 character long password to log in every day.

That brings me to my question. I've been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow, and I use it for TOTP on most sites (there's a limit to how many entries in the Yubikey 5). You can also store a password in one of it's two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different "prefix" for each application? Example: On my banking site I type in "bank" then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don't know the actual password. Of course I store all passwords, including the Yubikey, in a password manager that's backed up in the cloud (I use KeePassXC).

Your thoughts? Is this secure or stupid?

you are viewing a single comment's thread
view the rest of the comments
[-] madsen@lemmy.world 2 points 9 months ago

Using a password manager I’d have to copy-paste or remember each password. Not all have a web interface.

Then pick one that has a web interface or a CLI, Bitwarden has both and is free. KeePass databases can be hosted on your NAS and accessed to CLI tools. There are plenty of options. Or use passphrases (which are just as good as—or better than—complex passwords) and just type them? I use Bitwarden for literally each and every password/lock code/PIN that I have, and I have plenty of Pis and other things that don't let me easily log into Bitwarden, but finding "Excentric4-Waxing-Adopted-Giraffe" on one device, and typing it in another really isn't much of a hassle. (Also, why not just SSH into your Pis? Then you only need to worry about accessing a password manager on the machine you're opening the SSH connection from.)

From the comments on this post it seems that you're mostly looking for validation of the idea you originally had rather than actual feedback on how secure that idea is. You're obviously free to manage your passwords exactly as you want, but this idea of a "base password" is objectively less secure than the alternative put forward by many people in these comments, namely to use the Yubikey to log into a good password manager that then handles all the different (completely unique) passwords.

There are always instances where doing things the best and most secure way is more cumbersome, and it's up to you to decide if you want all of your passwords to be poor (and difficult to change, in this case) just because you occasionally need to log into something that doesn't neatly integrate with a password manager.

this post was submitted on 12 Mar 2024
39 points (93.3% liked)

Cybersecurity

5847 readers
20 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago
MODERATORS