So I've been trying to create more secured passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memory passwords. With this job I don't want to mix my personal password manager with my work computer and I also don't want to remember a complicated 15 character long password to log in every day.
That brings me to my question. I've been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow, and I use it for TOTP on most sites (there's a limit to how many entries in the Yubikey 5). You can also store a password in one of it's two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the characters, and use a different "prefix" for each application? Example: On my banking site I type in "bank" then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don't know the actual password. Of course I store all passwords, including the Yubikey, in a password manager that's backed up in the cloud (I use KeePassXC).
Your thoughts? Is this secure or stupid?
Using a prefix with a 40 char password is not really a good option because if this was compromised because it was let’s say intercepted then the attackers would easily be able to guess that if there is bank_suffix then facebook_suffix might be a good guess.
Really? The example "bank+[40 character password]" was just an example. Obviously I wouldn't use bank for my banking credentials. I was also under the impression that many websites and applications wouldn't store or transmit plaintext passwords (I wouldn't use http for transmitting credentials). I do concede that there is a news story every month about a corporation getting hacked and the user's passwords were stolen and in plaintext so they could compromise me that way. But I don't think hackers are really going after me because I'm broke. The government maybe. This is really just so I can have a convenient way to have a complex password. I can't remember 5 different 15-20 character complex passwords.
I think you have the right idea. You are using "bank" as a salt so the hash should be acceptably secure.
Yes. And every application has a different salt. I really just hope these websites don't store plaintext passwords.