
How-To Geek

If One of My Passwords Is Compromised Are My Other Passwords Compromised Too?

If one of your passwords is compromised, does that automatically mean that your other passwords are also compromised? While there are quite a few variables at play, the question is an interesting look at what makes a password vulnerable and what you can do to protect yourself.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader Michael McGowan is curious how far-reaching the impact of a single password breach is; he writes:

Suppose a user uses a secure password at site A and a different but similar secure password at site B. Maybe something like mySecure12#PasswordA on site A and mySecure12#PasswordB on site B (feel free to use a different definition of “similarity” if it makes sense).

Suppose then that the password for site A is somehow compromised…maybe a malicious employee of site A or a security leak. Does this mean that site B’s password has effectively been compromised as well, or is there no such thing as “password similarity” in this context? Does it make any difference whether the compromise on site A was a plain-text leak or a hashed version?

Should Michael worry if his hypothetical situation comes to pass?

The Answer

SuperUser contributors helped clear up the issue for Michael. Superuser contributor Queso writes:

To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted; see rainbow tables).

As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.

Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.

As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c. You can bet that if I hack your Facebook and get facebook58htg%HF!c, I am going to see that pattern and use it on other sites I find that you may use.

It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
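The two points in the answer above (a one-character change produces an unrelated hash, and a reused core with a site-specific prefix is what gives the pattern away) can be checked directly. The following is an added example written for this page, not code from SuperUser or from the contributor. It uses the passwords quoted in the question and answer as constructed sample input, SHA-256 to show the avalanche effect, salted PBKDF2 as one way a site should store passwords (the iteration count here is illustrative), and a longest-common-substring check that a defender can run after a breach to flag new passwords that are just variants of a leaked one; the `min_shared` threshold of 8 characters is an assumption chosen for the example.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Sample passwords taken from the question and answer on this page (constructed, not real secrets).
SITE_A = "mySecure12#PasswordA"
SITE_B = "mySecure12#PasswordB"
LEAKED = "facebook58htg%HF!c"
OTHER = "gmail58htg%HF!c"

ITERATIONS = 200_000  # illustrative; follow current KDF guidance in production


def hamming_bits(a: str, b: str) -> int:
    """Count differing bits between the SHA-256 digests of two strings.

    Shows the avalanche effect: two passwords that differ in one character
    produce digests that agree in only about half their bits, so a leaked
    hash of one tells an attacker nothing about the hash of the other.
    """
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using a per-user random salt and a slow KDF.

    Because each user gets a fresh salt, a rainbow table built for one
    site's hashes cannot be reused against another site's hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_core(leaked: str, candidate: str) -> str:
    """Longest substring common to a leaked password and a candidate new one.

    A long shared core means the candidate is a "site prefix + reused secret"
    variant of the leaked value, which is exactly the pattern the answer warns about.
    """
    matcher = SequenceMatcher(None, leaked, candidate, autojunk=False)
    m = matcher.find_longest_match(0, len(leaked), 0, len(candidate))
    return leaked[m.a : m.a + m.size]


def is_derived_from(leaked: str, candidate: str, min_shared: int = 8) -> bool:
    """Defender-side check: reject a replacement password that reuses a long
    chunk of an already-leaked one. The threshold is an assumption for this example."""
    return len(shared_core(leaked, candidate)) >= min_shared


if __name__ == "__main__":
    print("bits differing between SHA-256(A) and SHA-256(B):", hamming_bits(SITE_A, SITE_B))
    salt, digest = store_password(SITE_A)
    print("verify correct password:", verify_password(SITE_A, salt, digest))
    print("verify similar password:", verify_password(SITE_B, salt, digest))
    print("shared core of leaked and other site password:", repr(shared_core(LEAKED, OTHER)))
    print("other site password should be treated as compromised:", is_derived_from(LEAKED, OTHER))
```

Run it and the shared-core check reports `58htg%HF!c` for the two prefixed passwords, which is the part an attacker would reuse; the avalanche and salt checks show why a hashed leak by itself does not carry over to the second site, while a cleartext leak still exposes the reused core.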

Another Superuser contributor, Michael Trausch, explains how in most situations the hypothetical situation isn’t much cause for concern:

If you’re concerned that your current password list isn’t diverse and random enough, we highly recommend checking out our comprehensive password security guide: How To Recover After Your Email Password Is Compromised. By reworking your password list as if the mother of all passwords, your email password, has been compromised, it’s easy to quickly bring your password portfolio up to speed.


Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.


Jason Fitzpatrick is a warranty-voiding DIYer and all-around geek. When he's not documenting mods and hacks, he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 12/20/12

Comments (8)

  1. exit

    You quoted the same answer twice.

  2. nt0xik8ed

    redundancy is key to remembrance, i think…

  3. Ruja

    ^ this, and it is key in my field: aerospace engineering. :)

  4. Sirmentio

    You can try this site to check if it is secure:
    http://howsecureismypassword.net/

  5. Balázs

    Yes, they are.
    If you’re afraid that there is a hole in your online security, the best thing to do is change all your passwords.

  6. dwn

    We're basically talking about an attack specifically directed against you. It strikes me that most people hacking accounts (apart from celebrities and OCDs) are really just going to grab thousands of usernames/passwords and then just use a script to fire it into 100 different services rather than take any time to interpret the data, and it's generally going to result in the success of a lot more compromised user accounts. It seems to me this is more a question of turnover rather than overall security.

  7. StevenTorrey

    But with the vitriol so often found on the internet, one can never be certain that the right combination of insult, psycho, and computer genius–could not take the time to search out the respondent’s true identity and then attempt a cyber attack on that person’s computer, and computer presence–like bank accounts, etc…. In other words, hacking into a respondent’s computer just for revenge…because someone didn’t like the response, or because the response was insulting…

    While most couldn’t do it, I often times think tracking down an individual and hacking that computer is as easy as pie… I am only moderately comforted knowing that a brute force attack still takes a tremendous amount of time… But still…

  8. TheFu

    Michael Trausch is a friend AND pretty smart, though I disagree with his “super secret password” – it is much, much, much too short. It can be brute forced in less than 2 days.

    The best password is the one that you don’t know. It should:
    * be as long and complex as possible. Avoid using words.
    * be used for only 1 login, never shared.
    * use as many different types of characters (alpha, punctuation, numeric, spaces, special characters) as possible.
    * be stored in an encrypted password manager – like KeePassX or KeePass
    * avoid using any passwords or patterns that have ever been leaked before.

    The easy way to accomplish all this is to let KeePassX generate AND store passwords for you. I used to have all sorts of reasons for not using a password manager, then I tried KeePassX for a week. I’ll never go back to any other method.

    Still, I have to memorize 3 passwords – home login, work login and to access the KeePass DB. For those three, I use completely different, long, passphrases. There is no substitute for length.

    How long? At least 20 characters.

    Just know that if anyone has physical access to the PC, your passwords mean NOTHING unless you use full-disk encryption. This is true for every OS.
