This is probably a dumb question. If I use the SHA-256 algorithm to hash "password" and take a subset (say 25 characters) of the result, I get what is considered a very strong password when tested with password strength tools. Does this mean my password is good? A more elaborate version might be to make n passes with the hashing algorithm
I guess you would use as a seed a password that is relatively weak, because I don't see advantage in hashing a password that is already strong* Then it depends if you could keep your method confidential from the adversary. I think that for less important accounts this kind of creative operations may be enough. Well, maybe a little bit customized method. Probably the most important thing about passwords is to not use same password for multiple accounts, so leak from one service can not directly allow adversary to login to other services. *Well, maybe if service/company makes password expire every x weeks/months by policy then this kinds of methods may be good to create new password from a seed that was a previous strong, non-compromised password.
The dumb part of my question is that I literally used "password" as the seed. The irony is that even though a resulting password is relatively strong, if it was obtained by using a ridiculously simple one as a seed to a well known hashing technique, it is truly a strong password? My ultimate scheme would be to store only the seeds in a password manager as a means of extra security. Probably not a sound idea.
Password strength tools aren't really that smart. These programs are based on some assumptions that may or may not be meet by entered password. You should not take their scores literally.
sha-256 is NOT secure https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm and that article is 6 years old. https://en.wikipedia.org/wiki/SHA-2 https://en.wikipedia.org/wiki/SHA-3 currently the length of hash (RSA) is more important https://security.stackexchange.com/...cryption-a-secure-certificate-hashing-algorit HTH
Wow, thanks! That first link definitely answers my original question. A lookup table is a pre-computed table with hash values derived from commonly used passwords and dictionary entries. An attacker can easily match up a lookup table with the compromised hash values and look up the underlying plain text password What I'm really looking for is a practical way to add protection for passwords that are in a password manager (LastPass, 1Password, BitWarden, etc.). My assumption is that if my password manager is somehow hacked, the thief knows my user ids and passwords for everything I store in the password manager, which is very, very bad. If the passwords I store there aren't the real ones but some sort of "code" for the real one, then I have another layer of protection. I'm just not sure what form the "code" needs to take. One idea I had is to have the real password just be the stored one plus a non-trivial prefix or suffix that only I know. Does this make sense? It just seems to me (perhaps naively) that all a thief has to do is fail 4-5 times at accessing my bank account before the built-in protection kicks in and locks the account.
If service supports 2FA by TOTP then use it. I don't think deriving a password is a better idea than 2FA. https://en.wikipedia.org/wiki/Time-based_one-time_password or search "best 2FA authenticator 2022 TOTP" or similar set of words Just remember to backup second factors. You may want to use another password manager (or the same just different file/database) for that.
Thanks. I presume you mean using 2FA for EACH of the accounts that are in the password manager as opposed to 2FA for the password manager itself? Many of my accounts already use 2FA, but just SMS, which I know isn't that great. What I'd really like to see is a paper/summary/assessment that ranks various practical forms of security measures, perhaps on a scale of 1-10. For example, if no 2FA is 1.1/10 and SMS 2FA is 1.15/10, that tells me a lot. Any idea if such paper/comparison exists for us novices? Also, can you elaborate as to what "Just remember to backup second factors" means?
Yes, I mean 2FA for each account. No, I don't know that. Some telecommunications operators in some countries provide additional options against impersonating on support line, so "it depends". Google allows to download additional recovery codes/reserve codes if you enable 2FA via TOTP. For accounts that are added manually to 2FA app (not by QR code) token is visible in plain sight. Backup of that text or even screenshot of that QR code is a backup if recovery codes are not available. It is good to save date and time. Authy allow to replicate TOTP secrets across mobile phones, and tablets (and probably other devices), so you won't loose second factor if you use more than 1 phone and do configure that. BTW I don't think Brummelchen answer was valid in this context. OP doesn't want to build any website with login functionality.
