> On Feb 17, 2025, at 9:57 AM, Xavier Tilley <[log in to unmask]> wrote:
> On the topic of passwords, having one secure password isn't enough. If it gets exposed (and chances are it will) then all of your accounts are vulnerable. Two-factor authentication and unique passwords for every account are your best bet.
Agreed on the different passwords... but then you start getting into the need for password managers or something when you have literally hundreds of passwords (at a previous job, I had a user account, root account, database root, and database users for multiple machines).
You can use some tricks, like if all of the passwords are within the same security zone (same company, same administrators, etc), you can use a base password and then add something as prefix or suffix to make it unique.
So my example of the databases that used multiple passwords for reading and writing tables... the read-only account had the base password, and the writing ones had 4+ additional characters at the end.
Also consider how bad it would be if someone got into an account... I have a few permutations of a 'throwaway' password that I use for websites that just need me to register ... but my banking passwords are all unique and never recycled.
(a lot of breaches have happened because someone managed to steal a password file, then once they knew what common passwords and techniques were used to make passwords, they could write better software to brute force logins... so for instance 4-digit PINs that are day/month combinations, years since 1900, or patterns are MUCH more common... But only 4 digits should be considered insecure at this point, anyway)
And for those that haven't seen it... Charles was commenting about random words for passwords... That comes from XKCD, but the entropy isn't quite as high as he thinks because there are only so many combinations of letters that make words... that's why I suggested using words from multiple languages:
https://xkcd.com/936/?correct=horse&battery=staple
-Joe
(unaffiliated)
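The entropy argument in Joe's message (random words have less entropy than their length suggests because the pool is a word list, not an alphabet; drawing from several languages enlarges the pool; a 4-digit suffix on a shared base password adds very little) can be put in numbers. The following is an added example written for this thread, not code from any poster; the word-list sizes, guess rate and printable-character count it uses are assumptions chosen to illustrate the point, and it models uniformly random choice, which is the best case for any of these schemes.

```python
import math

# Assumed sizes for illustration: the xkcd 936 comic uses a ~2048-word list (11 bits/word).
XKCD_WORDLIST = 2048
PRINTABLE_ASCII = 95          # printable characters available for a random suffix
DIGITS = 10
ASSUMED_GUESS_RATE = 1e9      # offline guesses per second; an assumption for the comparison


def passphrase_entropy_bits(words_per_phrase: int, wordlist_size: int) -> float:
    """Entropy of k words chosen uniformly and independently from a list of N words: k * log2(N).
    The pool is the word list, not the letters, so a 4-word phrase of ~25 letters is 44 bits,
    far below the ~117 bits that 25 random lowercase letters would give."""
    return words_per_phrase * math.log2(wordlist_size)


def combined_wordlist_entropy_bits(words_per_phrase: int, wordlist_sizes: list[int]) -> float:
    """Entropy when each word is drawn from the union of several disjoint lists (e.g. several
    languages). The pool size is the sum of the list sizes, so every doubling of the pool
    adds only one bit per word."""
    return words_per_phrase * math.log2(sum(wordlist_sizes))


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen uniformly from an alphabet of `alphabet_size`.
    Used here for the per-account suffix added to a shared base password."""
    return length * math.log2(alphabet_size)


def suffix_scheme_bits(base_bits: float, suffix_len: int, alphabet_size: int) -> float:
    """Base password plus a random suffix. If the base is already known (the shared part
    leaked from one system), only the suffix entropy protects the other accounts."""
    return base_bits + charset_entropy_bits(suffix_len, alphabet_size)


def seconds_to_find(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def comparison_table() -> dict[str, float]:
    """Entropy (bits) of the schemes discussed in the thread, under the assumptions above."""
    return {
        "4 words, one 2048-word list (xkcd)": passphrase_entropy_bits(4, XKCD_WORDLIST),
        "4 words, two 2048-word lists (two languages)": combined_wordlist_entropy_bits(4, [XKCD_WORDLIST] * 2),
        "4 words, four 2048-word lists (four languages)": combined_wordlist_entropy_bits(4, [XKCD_WORDLIST] * 4),
        "5 words, one 2048-word list": passphrase_entropy_bits(5, XKCD_WORDLIST),
        "4-digit PIN": charset_entropy_bits(4, DIGITS),
        "4-char printable suffix alone (base already known)": charset_entropy_bits(4, PRINTABLE_ASCII),
        "4-digit suffix alone (base already known)": charset_entropy_bits(4, DIGITS),
    }


if __name__ == "__main__":
    for name, bits in comparison_table().items():
        print(f"{name:55s} {bits:6.1f} bits  ~{seconds_to_find(bits, ASSUMED_GUESS_RATE):12.0f} s")
```

Two things the numbers show that the prose only gestures at: adding a second language doubles the pool but adds just one bit per word (44 to 48 bits), whereas adding a fifth word from the same list adds eleven (44 to 55 bits); and once a shared base password is known from one breach, a 4-character suffix leaves roughly 26 bits if it is random printable characters and 13 bits if it is digits, which is the same strength as the 4-digit PIN the message already calls insecure.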