So I’ve been trying to create more secured passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don’t want to mix my personal password manager with my work computer and I also don’t want to remember a complicated 15 character long password to log in every day.

That brings me to my question. I’ve been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow, and I use it for TOTP on most sites (there’s a limit to how many entries in the Yubikey 5). You can also store a password in one of it’s two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different “prefix” for each application? Example: On my banking site I type in “bank” then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don’t know the actual password. Of course I store all passwords, including the Yubikey, in a password manager that’s backed up in the cloud (I use KeePassXC).

Your thoughts? Is this secure or stupid?

  • @madsen
    link
    English
    19 months ago

    Why not use the Yubikey for the master password on a KeePass DB (or another password manager) and then use actual different passwords—not just prefixed ones—saved in said password manager for your logins?

    It doesn’t matter if your base password is a 255 character high-entropy annoying-to-type-manually-on-a-phone-keyboard or a 16 character string of alphanumeric characters if you reuse it in a slightly predictable manner. For it to be somewhat secure, the prefix would have to be completely random, which kinda defeats the idea of you being able to remember them. A “base password” is, to be frank, only one small step up from using the same password everywhere.

    And as someone else pointed out, it makes it very difficult to change passwords, which also should be a huge red flag.

    Take a look at the leaks on Have I Been Pwned and see how many of them include either clear text passwords or extremely weakly hashed (perhaps even unsalted) passwords. If you show up in just one or two of those, then you’re in a significantly worse position than you would be had you just used different passwords.