Security Basics mailing list archives

Re: Password variation scheme a plus in security?


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 30 Jun 2008 19:07:39 +0200

On 2008-06-30 Stefan Schmidt wrote:
I need an opinion. Let's say I have a few hundred web accounts and I
don't want to remember a few hundred passwords, nor do I want to
look them up each time I want to access one of the sites, so I'm using
one (secure) password for all sites. This is obviously not a good
thing, since when one site gets hacked and they stored their passwords
in an unsafe manner all others are potentially endangered. The
question now is, would it be an advantage in terms of security in
this case to use a password variation scheme like replacing the third
character of the password with the second letter of the site's domain
name advanced five letters in the alphabet? Obviously it would prevent
immediately successful logins, but does this really increase security?
My idea is that the hackers have like 100.000 passwords and from these
maybe 90.000 give them immediate login success at other sites, so they
might just ignore the 10.000 that don't immediately work. Or is it
rather standard procedure in hacking attacks to try variations of the
acquired passwords?

*sigh*

Not this again.

If you don't want to use the same password for all sites, save the
passwords in an encrypted vault (e.g. KeePass [1]) and look them up
whenever needed.

DO NOT USE PASSWORDS DERIVED THROUGH DETERMINISTIC ALGORITHMS. EVER.

Kerckhoffs's Principle explains why that is a bad thing.

[1] http://keepass.info/

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
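As an added illustration of the point made in this thread (example code written for this archive page, not from either poster): the variation scheme from the question implemented in Python, showing that once the algorithm is assumed public, as Kerckhoffs's principle demands, a single leaked site password determines the password for every other site, versus the unrelated per-site secrets a vault stores. The sample password and the domain names are constructed.

```python
import secrets
import string


def site_variant(base: str, domain: str) -> str:
    """The scheme from the question: replace the third character of the
    base password with the second letter of the site's domain name,
    advanced five letters in the alphabet (wrapping z -> e)."""
    letter = domain[1].lower()
    shifted = chr((ord(letter) - ord("a") + 5) % 26 + ord("a"))
    return base[:2] + shifted + base[3:]


def predict_other_site(leaked: str, other_domain: str) -> str:
    """Kerckhoffs's principle: assume the scheme is known. Whoever holds one
    leaked site password can produce the password for any other site,
    because every character except the third is shared verbatim."""
    return site_variant(leaked, other_domain)


def independent_passwords(domains, length: int = 20) -> dict:
    """What a vault does instead: one random, unrelated secret per site,
    so a leak at one site carries no information about the others."""
    alphabet = string.ascii_letters + string.digits
    return {d: "".join(secrets.choice(alphabet) for _ in range(length))
            for d in domains}


def differing_positions(a: str, b: str) -> int:
    """Number of character positions at which two passwords differ."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


if __name__ == "__main__":
    base = "Tr0ub4dor&3"                      # constructed sample password
    sites = ["shop.example", "mail.example"]  # constructed domains
    leaked = site_variant(base, sites[0])     # assume this one leaks
    print("leaked from", sites[0], "->", leaked)
    guess = predict_other_site(leaked, sites[1])
    print("derived for", sites[1], "->", guess,
          "(correct)" if guess == site_variant(base, sites[1]) else "")
    vault = independent_passwords(sites)
    print("vault entries differ in", differing_positions(*vault.values()),
          "of", len(vault[sites[0]]), "positions")
```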
