So I’ve been trying to create more secured passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don’t want to mix my personal password manager with my work computer and I also don’t want to remember a complicated 15 character long password to log in every day.
That brings me to my question. I’ve been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow, and I use it for TOTP on most sites (there’s a limit to how many entries in the Yubikey 5). You can also store a password in one of it’s two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different “prefix” for each application? Example: On my banking site I type in “bank” then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don’t know the actual password. Of course I store all passwords, including the Yubikey, in a password manager that’s backed up in the cloud (I use KeePassXC).
Your thoughts? Is this secure or stupid?
My understanding is that it’s debated whether password algorithms are a good idea, but personally, I wouldn’t use them because if someone figures out one password, they can figure out the rest. Why not just use a new KeePass database on your work computer? If you don’t want to memorize a string of random characters for the master password, why not use a passphrase of random space-separated words?
This. And “figuring out one password” can mean stealing it from some 3rd party server with bad security practices. The password complexity and the other OP’s practices aren’t relevant.
You also can’t change passwords easily, what again is a problem on those sites that have bad security practices.
It’s possible to make an algorithmic derived password that doesn’t have that first flaw (losing one doesn’t lead to losing all), but the second one will always be around.
I may not have been clear in my original post. My work computer does have it’s own KeePass database. This question is for my use of a Yubikey on multiple sites. For clarification I use a separate Yubikey to store my work computer credentials that I back up to my personal Keepass database (can’t access the work database if I’m locked out). I do this because of the requirement to change passwords every three months and I don’t want to reuse the limited passwords I remember so I use a password generator.
My question is with using a “prefix” with my personal Yubikey (the one I don’t use for work). Specifically, even if the last 40 characters is from a generator configured to generate a high entropy excellent quality password if I use that password with a different “prefix” (different lengths too) for different sites then would it really be compromised if one site gets hacked? They are different passwords, different hashes, different entropy. It’s just a large part is the same. I don’t know much about security I just want to know if this is a risk. I’m trying to move my security from something that I memorize to something that I physically have and know.