Royce Williams on Nostr: Friends don't let friends use password "systems".
Friends don't let friends use password "systems".
If someone tells you they don't use password managers, but it's "OK" because they can remember them all because "they have a system", show them this.
These are real (obfuscated) runs of cracked passwords, for which the "base word" was discovered, and then combined with other wordlists and brute force on the right-hand side to get the rest.
The right-hand side usually has a clear trend of abbreviated names of the site, which means that the attacker can guess your password on that other site in just a few tries without even having to break into the server.
All it takes is for the weakest site they use to get compromised, or for an infostealer infection to intercept and leak one variant ... the attacker (or me, emulating one) can see the pattern and get the rest.
It doesn't matter how long or random-looking your "base word" is.
Lose one ... lose them all.
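The pattern described above is also easy to check for in your own credentials, for example against a password-manager export, before someone else finds it. The following is an added example, not code from the post or from its author: it takes a constructed set of site/password pairs, finds the shared "base word" (the longest common prefix), and flags every entry whose remainder is just an abbreviation of the site name, i.e. the same signal an attacker would read off one leaked variant. Site names and passwords in `SAMPLE` are made up for the example.

```python
"""Audit per-site passwords for a shared "base word" plus a site-derived suffix.

Added example; all data below is constructed, not real cracked material.
"""
from os.path import commonprefix

# Constructed sample of a "password system": one base word, site hint on the right.
SAMPLE = {
    "facebook.com": "Tr0ub4dor&3fb",
    "github.com":   "Tr0ub4dor&3gh",
    "amazon.com":   "Tr0ub4dor&3amzn",
    "bank.example": "Tr0ub4dor&3bank",
}

# Constructed sample of manager-generated passwords: nothing in common to exploit.
RANDOM_SAMPLE = {
    "facebook.com": "x9#Lq2!vRt7u",
    "github.com":   "Pm7$wE1zKd4s",
}


def shared_base(passwords):
    """Longest common prefix of all passwords; non-empty means a shared base word."""
    return commonprefix(list(passwords))


def is_subsequence(needle, haystack):
    """True if every character of needle appears in haystack, in order (fb -> facebook)."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


def suffix_linked_to_site(suffix, site):
    """True if the leftover part of the password is an abbreviation of the site label."""
    s = suffix.lower()
    label = site.split(".")[0].lower()          # "amazon.com" -> "amazon"
    return len(s) >= 2 and s.isalpha() and is_subsequence(s, label)


def audit(creds, min_base_len=6):
    """Report whether the set looks systematic and which suffixes leak the site name.

    min_base_len is an assumed threshold: shorter shared prefixes (e.g. a common
    capital letter) are treated as coincidence rather than as a base word.
    """
    base = shared_base(creds.values())
    if len(base) < min_base_len:
        return {"base": base, "systematic": False, "site_linked": []}
    linked = [site for site, pw in creds.items()
              if suffix_linked_to_site(pw[len(base):], site)]
    return {"base": base, "systematic": True, "site_linked": linked}


if __name__ == "__main__":
    for name, creds in (("system", SAMPLE), ("random", RANDOM_SAMPLE)):
        result = audit(creds)
        print(f"{name}: base={result['base']!r} systematic={result['systematic']} "
              f"site_linked={result['site_linked']}")
```

A single shared prefix is the cheapest signal to compute; a thorough audit would also look for shared suffixes or an edit distance of a few characters between entries, since the post's point is that any recoverable relationship between passwords lets one leak expose the rest.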