Ever since the Lastpass breach (thankfully moved to Bitwarden and recycled passwords prior) I’ve had a heightened awareness of the potential for vulnerabilities beyond my paygrade leading to online catastrophe for me. I use Bitwarden to generate a random password for all sites.
If it’s something which could truly cause a headache such as my email or banking however, I’ll usually append the domain name, or a word, or a symbol to the password such that after my phone or PC’s Bitwarden autofill enters the saved password I also need to enter whichever word or symbol for the site. Feels like this gives me some defense if people smarter than me made a mistake, but I guess I have questions for folks who know about hashing/blackmagic/thecyber.
- Would this have any benefit, if one were to put “google” at the end of their Google password, as far as protecting from a password manager exploit?
- No, I don’t actually put google or reddit at the end of my password; oops not a question
- Is that already something baddies would know to try? Or did I just play myself by posting this on the internet?
Yes, it is something “baddies” would know to try… but most likely wouldn’t.
Your passwords are at risk from:
- Using an easy password like “1234”
- Reusing the same password from a site where it got leaked
- Capturing your password manager’s master password
- Somehow else accessing the decrypted password database
- Directly capturing whatever you type in the password field
- Drugging and torturing you until you tell the password
Your strategy only enhances your security in case 4, where someone would somehow manage to get your unique site password without compromising your system.
Otherwise, you’re compromised with or without it: in cases 1 and 2, it’s your fault; cases 3 and 5 are basically the same case, you’ve got your system compromised and the attacker can capture whatever you type; in case 6, you’re in bigger trouble already.
The likelihood of case 4 is relatively low, since the other cases are easier and/or more effective.
“Baddies” usually prefer easy targets. So unless you are high profile you will be fine IMO.
If you’re high profile you should have weekly changing, random, 16+ chars long passphrases that are not stored digitally. At least for the important stuff.
This honestly sounds like a pretty good idea. Things like ransomware attacks / the fappening / anyone who’s had their online banking broken into can tell you that it’s not an academic issue. Using Bitwarden so you’re not using the same password for multiple places sounds like a wonderful idea (necessary tbh), and adding some stuff to it just so it’s not a single point of failure sounds like a sensible additional step that might well have effects in the real world. As others have said in re just adding “google” to the end or something, you don’t need to be bulletproof, but you do need to be a hard enough target that the automated / low-effort attacks that definitely will come, won’t work on you.
Just remember, this is one of those things where “nothing happens” is the desired outcome. There’s a temptation to tell yourself “Well I’m taking these additional steps and it didn’t make a difference,” but you won’t really know if you ever dodge some kind of compromise that would have made a difference – you’ll just have the experience “nothing happened.” But that doesn’t mean it was a waste of time. Nothing is what you wanted to have happen.
What’s the higher likelihood:
- You forget your special ending
- Hackers find one of your plaintext passwords, which is p4ssw0rdGOOGLE, AND crack your password vault AND see that the password isn’t there AND determine what your secret scheme is AND think you’re worth spending the effort on?
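The trade-off the two replies above describe (the suffix only matters when an attacker holds the vault entry but not your keystrokes, and a guessable suffix like the site name adds almost nothing on top of that) modelled in Python; this is an added example, not code from the thread. The site-side PBKDF2 hashing, the PREDICTABLE_SUFFIXES list and the sample passwords are constructed assumptions.

```python
import hashlib
import math
import os
import secrets
import string

ITERATIONS = 100_000  # PBKDF2 work factor for the model; assumed, not a recommendation
# Constructed stand-in for the "things baddies would know to try" list from the thread.
PREDICTABLE_SUFFIXES = frozenset({"google", "gmail", "reddit", "bank", "1", "!", "2023", "2024"})
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable characters


def site_register(typed_password: str) -> tuple[bytes, bytes]:
    """Site side: store a salted PBKDF2 hash of the password the user actually types."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", typed_password.encode(), salt, ITERATIONS)
    return salt, digest


def site_login(record: tuple[bytes, bytes], attempt: str) -> bool:
    """Site side: constant-time comparison of a login attempt against the stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


def suffix_guess_bits(suffix: str) -> float:
    """Extra work (in bits) for someone who already holds the vault entry and must also get the suffix.
    A suffix from the predictable list costs only log2(list size); an unpredictable one
    costs its full character-space entropy, length * log2(alphabet size)."""
    if suffix.lower() in PREDICTABLE_SUFFIXES:
        return math.log2(len(PREDICTABLE_SUFFIXES))
    return len(suffix) * math.log2(len(ALPHABET))


def demo(vault_password: str = "p4ssw0rd", suffix: str = "GOOGLE") -> dict:
    """Case 4 from the thread: the attacker has the vault entry but not the keystrokes."""
    record = site_register(vault_password + suffix)  # what the user really types at the site
    random_suffix = "".join(secrets.choice(ALPHABET) for _ in range(6))
    return {
        "vault_only_login": site_login(record, vault_password),       # leaked vault entry alone
        "full_login": site_login(record, vault_password + suffix),   # vault entry + typed suffix
        "site_name_suffix_bits": suffix_guess_bits(suffix),          # "GOOGLE": 3.0 bits
        "random_suffix_bits": suffix_guess_bits(random_suffix),      # ~39.3 bits
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```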