If one of your passwords is compromised, does that automatically mean that your other passwords are also compromised? While there are quite a few variables at play, the question is an interesting look at what makes a password vulnerable and what you can do to protect yourself.
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-drive grouping of Q&A web sites.
The Question
SuperUser reader Michael McGowan is curious how far reaching the impact of a single password breach is; he writes:
Should Michael worry if his hypothetical situation comes to pass?
Suppose then that the password for site A is somehow compromised…maybe a malicious employee of site A or a security leak. Does this mean that site B’s password has effectively been compromised as well, or is there no such thing as “password similarity” in this context? Does it make any difference whether the compromise on site A was a plain-text leak or a hashed version?
The Answer
SuperUser contributors helped clear up the issue for Michael. Superuser contributor Queso writes:
Another Superuser contributor, Michael Trausch, explains how in most situations the hypothetical situation isn’t much cause for concern:
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
If you’re concerned that you current password list isn’t diverse and random enough, we highly recommend checking out our comprehensive password security guide: How To Recover After Your Email Password Is Compromised. By reworking your password lists as if the mother of all passwords, your email password, has been compromised, it’s easy to quickly bring your password portfolio up to speed.
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
Have something to add to the explanation? Sound off in the the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.