If a password is compromised, is a "similar" password also compromised?

To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted; see rainbow tables).

As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.

Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.

As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c. You can bet that if I hack your Facebook account and get facebook58htg%HF!c, I am going to see that pattern and use it on other sites I find that you may use.

It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?


It really depends on what you're getting at!

There are an arbitrary number of methods for determining whether a password is similar to another one. Let's say for example that you use a password card, and that somehow someone else has the same one (or simply knows which one you have). If they compromise one of your passwords and can see that it's just a row down the password card, they're likely to guess (maybe even correctly) that your passwords are all derived from that card in a similar fashion.

But, for most things this really isn't an issue at all. If your password on service A differs from the password on service B by only a single character, and both services are secure (e.g., store salted hashes for your password instead of the straight hash or the plaintext itself) then it is “computationally infeasible” to determine whether the passwords are similar, let alone how similar they are.

A short answer is this: If your passwords follow any sort of pattern, then yes, it is likely that the compromise of one password will lead to the compromise of others. However, that doesn't mean that it's going to be feasible to do so. As long as you:

  1. Never use the same password for more than one service,
  2. Introduce some random (even if only slightly) element into the generation of your passwords, and
  3. Never transmit or save your passwords in cleartext

You should be just fine. And remember to always have different passwords for different services—don't simply use the same password for everything, and do not even use the same password twice. It is important to guard against stupid companies that refuse to follow best practices when it comes to the storage of user data such as passwords.
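To make both answers' points concrete, here is an added example (not code from either answer): a password-policy check that rejects a candidate password sharing a long run of characters with a password already known to be compromised (the reusable "core" the first answer warns about), followed by a comparison showing that salted hashes of such related passwords are no closer to each other than hashes of unrelated ones. The passwords are the ones from the first answer; the salt, the iteration count and the 8-character threshold are constructed for the demo.

```python
import hashlib

# Constructed demo values; a real service would use a random per-user salt.
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000


def longest_common_substring(a: str, b: str) -> str:
    """Return the longest run of characters that a and b share (simple DP)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shares_reusable_core(candidate: str, compromised: str, min_len: int = 8) -> bool:
    """Policy check on the cleartext at password-change time: True when the
    candidate reuses a long chunk of a password known to be compromised."""
    return len(longest_common_substring(candidate, compromised)) >= min_len


def salted_hash(password: str, salt: bytes = SALT) -> bytes:
    """Salted, iterated hash of the kind a well-run service stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def differing_bits(h1: bytes, h2: bytes) -> int:
    """Hamming distance between two digests; ~128 of 256 bits for unrelated inputs."""
    return sum(bin(x ^ y).count("1") for x, y in zip(h1, h2))


if __name__ == "__main__":
    leaked = "facebook58htg%HF!c"
    for other in ("gmail58htg%HF!c", "wellsfargo58htg%HF!c", "Tr0ub4dor&3"):
        core = longest_common_substring(leaked, other)
        print(f"{other!r}: shared core {core!r}, "
              f"reject={shares_reusable_core(other, leaked)}, "
              f"hash bits differing={differing_bits(salted_hash(leaked), salted_hash(other))}")
```

The cleartext check finds the shared core immediately, while the digest distances stay near 128 whether the passwords are related or not, which is the second answer's point that similarity is invisible once only salted hashes are exposed.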