DEV Community

Benjamin Bryant

Posted on • Originally published at jaminologist.com on

What's The Name of This Password Management Technique and is it a Good Idea?


Edit: We're gonna go with 'peppering'-ish. Thanks @anes!

I don't remember who told me this, but the idea was: when creating a login with a password manager such as BitWarden, KeePass or LastPass, generate a password as usual, but add a word to the end of it that you do not save inside the password manager. For example:

Generated password: "6JxDnak7bVojkXHNdGsm8U"
Password for the login: "6JxDnak7bVojkXHNdGsm8U" + "monke"


You add this word to the end of all your passwords, but again, you do not save the word in the manager.

It seemed interesting, but I just can't find what it was called or whether it was a good idea. The recent Uber hack reminded me of it, but I doubt it would have helped in that particular case.

On the surface it seems nice. The major benefit of a password manager is that you don't need to remember hundreds of passwords for just as many sites.

But if somebody gets into the manager, they have access to everything, and can see everywhere you have an account. Depending on what you store in it, a bad actor getting in could be quite devastating.

However, it does mean that each time you log in you have to type the extra word. And on top of the master password, you would also need to remember this mini master password.

With this extra word, a bad actor who got into the manager would learn everywhere you have an account, which is still bad, but could not log in to any of them, because they would not know the word you add to the end of all your passwords.

Then again, if someone has already compromised your master password, your mini master password may not be safe either: whatever captured the one (a keylogger, a phishing page for the manager itself) is well placed to capture the other. And because the same word is appended everywhere, any single site that leaks your full password in plaintext reveals the word for every account in the vault.
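The scenario the paragraphs above describe, as an added example that is not part of the original post: a small Python model in which the manager stores only the generated part, the word is appended at login time, and a stand-in site hashes passwords with a per-user salt. It also plays out two things the plain description does not show: the word is the same for every site, so one plaintext leak of a full password gives it away, and a site that silently truncates long passwords may never see the word at all. The names VaultEntry, login_password, site_register, site_verify and simulate, the max_len parameter, and the scrypt parameters are all constructed for this illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# scrypt cost is kept low so the example runs quickly; a real site would use higher parameters.
_SCRYPT = dict(n=2 ** 12, r=8, p=1)


@dataclass(frozen=True)
class VaultEntry:
    """One saved login. stored_password is the value the manager generated and actually keeps."""
    site: str
    stored_password: str


def login_password(entry: VaultEntry, pepper: str) -> str:
    """The password really typed at the site: the stored part plus the word kept only in your head."""
    return entry.stored_password + pepper


def recover_pepper(leaked_full_password: str, entry: VaultEntry) -> Optional[str]:
    """What someone holding the vault learns from one plaintext leak of a single site's password.

    The same word is appended everywhere, so the first such leak exposes it for every entry.
    """
    if leaked_full_password.startswith(entry.stored_password):
        return leaked_full_password[len(entry.stored_password):]
    return None


# Stand-in for a website's credential store (constructed for this example).
def site_register(password: str, max_len: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Store a salted scrypt hash. max_len models a site that silently truncates long passwords."""
    if max_len is not None:
        password = password[:max_len]
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)


def site_verify(password: str, salt: bytes, digest: bytes, max_len: Optional[int] = None) -> bool:
    """Constant-time comparison against the stored hash, applying the same truncation rule."""
    if max_len is not None:
        password = password[:max_len]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return hmac.compare_digest(candidate, digest)


def simulate(pepper: str = "monke", max_len: Optional[int] = None) -> Dict[str, object]:
    """Play out the threat from the post: an attacker has the vault contents but not the word."""
    entry = VaultEntry("example.test", "6JxDnak7bVojkXHNdGsm8U")  # generated value from the post
    real = login_password(entry, pepper)
    salt, digest = site_register(real, max_len)
    return {
        # the owner, who types the extra word each time
        "owner_login": site_verify(real, salt, digest, max_len),
        # attacker with only what the manager stored
        "vault_only_login": site_verify(entry.stored_password, salt, digest, max_len),
        # attacker with the vault plus one plaintext leak of this site's full password
        "pepper_from_leak": recover_pepper(real, entry),
    }


if __name__ == "__main__":
    print(simulate())            # vault alone does not log in; one leak yields 'monke'
    print(simulate(max_len=20))  # site truncates at 20 chars: the word never reaches it, vault alone logs in
```

The second call is the edge case worth remembering: with a 22-character generated part, any site that cuts passwords at 20 characters is protected by the generated part alone, and the word adds nothing there. Against a vault thief the word only matters on sites that accept the full string.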

https://xkcd.com/538/

Still, it seemed like a fun idea. Depending on where I post this, there may or may not be a comment section, but please let me know if this is a thing, and if it is a thing what it’s called, and if it’s a good thing, bad thing, or neutral thing.

I've unfortunately restricted my knowledge of cybersecurity to the yearly company multiple-choice test that always seems to feature a picture of a person wearing a balaclava mask, indoors, with a laptop that doesn’t have dark mode on.

Thanks for reading, I'll update this post if/when I can.

Top comments (12)

Phil Ashby

Effectively you are making your master password a little longer? It also protects slightly against a technology failure of the password manager (Lastpass anyone?), while potentially making it difficult to use autofill.

Perhaps there is a variant solution - where part of the master password is used to unlock the database, and part is held in memory (transiently, never stored) to be appended or blended (XOR'ed?) with the stored passwords before they are used or displayed? Might be an interesting PR for the KeePass(XC) teams!

also - good XKCD reference 😄
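A sketch of the variant Phil suggests, as an added example that is not code from the thread or from KeePass/KeePassXC: the master input is split into a vault passphrase and a word that never leaves memory, and each stored entry is blended with that word to produce the password actually typed. It uses an HMAC rather than XOR for the blending, because XOR is reversible: anyone who later saw both a stored entry and the final site password could XOR them back together and recover the word, whereas the HMAC output does not give it away. The names split_master, pepper_key, derive_site_password and unlock_and_derive, the space-separated input format and the scrypt parameters are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# Assumed scrypt parameters; kept low so the example runs quickly.
_SCRYPT = dict(n=2 ** 12, r=8, p=1, dklen=32)


def split_master(master_input: str, separator: str = " ") -> Tuple[str, str]:
    """Assumption: the user types '<vault passphrase> <word>' at unlock time.

    Everything before the last separator unlocks the database; the final word is
    returned separately and must only ever live in memory.
    """
    passphrase, _, word = master_input.rpartition(separator)
    return passphrase, word


def pepper_key(word: str) -> bytes:
    """Stretch the short in-memory word into a 32-byte key.

    The salt is a fixed application label: there is no per-user value to store,
    since nothing about the word may be written to disk.
    """
    return hashlib.scrypt(word.encode(), salt=b"vault-blend-v1", **_SCRYPT)


def derive_site_password(stored_entry: str, key: bytes, length: int = 22) -> str:
    """Blend the stored entry with the in-memory key; the result is the password typed at the site.

    HMAC is one-way: seeing stored_entry and the output together does not reveal the key,
    which is exactly what an XOR blend would leak.
    """
    mac = hmac.new(key, stored_entry.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:length]


def unlock_and_derive(master_input: str, stored_entry: str) -> str:
    """End-to-end: split the master input, derive the key, produce the site password."""
    _passphrase, word = split_master(master_input)  # _passphrase would open the database
    return derive_site_password(stored_entry, pepper_key(word))


if __name__ == "__main__":
    stored = "6JxDnak7bVojkXHNdGsm8U"  # what the vault keeps; useless on its own
    print(unlock_and_derive("correct horse battery staple monke", stored))
```

The trade-off is that the word becomes part of every password: changing it rotates all derived passwords at once, and the manager can no longer display or autofill a site password unless the word is present in memory.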

Benjamin Bryant

Yeah, I think so. Someone on Twitter called it 'hash salting', but I think that involves the manager itself adding something so two of the same password aren't encrypted the same way. (I say, as if I know what I'm talking about xD)

Whereas this is keeping the 'salt' in your own head and adding it when you log in anywhere.

But yes, it would stop autofills, because you'd always have to do the manual step. Which is a bit of a drawback.

The variant solution sounds interesting and perhaps something I could look into, just for fun.

Abhinav Kulshreshtha

This is a good approach; I keep banking passwords like this. The only issue is that because the password you finally enter is different from the saved password, the browser will always prompt you to update it.

I don't know what it would be called, but basically you are storing false information, because you are not storing the real password, but a password that is "coincidentally" a subset of the actual password.

Joe Mainwaring

Personally, I would avoid implementing this type of practice beyond highly-sensitive credentials or secrets as it would create extra work for each workflow involving the password manager. I prefer to just see my Password Manager implement tougher security controls to get in the front door.

Benjamin Bryant

That makes sense. Since I'm new to the area, by workflow are there automated use cases with password managers?

Also in this area, is there generally not value in reducing damage if someone gets in the front door? Or does that already exist through others means?

Joe Mainwaring • Edited

Not fully automated, but yes, it reduces the number of steps you take to fill in your credentials.

And it is a risk if they get through the front door, but that's why you look for vendors who understand this and take extra steps to mitigate it as an attack vector. 1Password, for example, has you provide both your password and a secret when authenticating from an unknown device for the first time.

anes • Edited

I actually wrote an article about this technique quite recently. It is called "peppering". Then there is also "salting" which adds a random string onto the password. Those techniques aren't used to be hidden from the hacker, but rather to scramble the resulting hash. If you are interested in going a bit more in depth: I have an article about exactly this technique.
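What "salting" and "peppering" mean on the server side, as an added example that is not from the thread: the salt is a random value stored next to each user's hash, so two users with the same password get different hashes; the pepper is one application-wide secret kept out of the user database entirely, so a dump of the table cannot be attacked offline without also stealing the pepper. The function names, the HMAC-then-scrypt construction and the scrypt parameters are assumptions made here, and the pepper value is a constructed placeholder, not something to hard-code.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

_SCRYPT = dict(n=2 ** 12, r=8, p=1)  # low cost so the example runs quickly


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt goes in the user table; the pepper never does.

    The pepper is applied with HMAC before the slow KDF, so a stolen table of
    salts and digests cannot be cracked offline without the pepper as well.
    """
    salt = salt if salt is not None else os.urandom(16)
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return salt, hashlib.scrypt(peppered, salt=salt, **_SCRYPT)


def verify_password(password: str, pepper: bytes, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and the application pepper; compare in constant time."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pepper = b"app-wide-secret-from-env-or-kms"  # constructed placeholder; load from outside the DB
    salt, digest = hash_password("hunter2", pepper)
    print(verify_password("hunter2", pepper, salt, digest))
```

The contrast with the post's technique is where the extra secret lives: here the site holds the pepper and the user never sees it, whereas in the post the user holds it and every site sees it in the clear at login.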

Benjamin Bryant

Thanks! I gave your article a look. I think peppering is the closest descriptor. Though I guess this is a weird version, since you'd have to add it yourself manually each time you log in anywhere.

anes

Yes, that's what also threw me off, but I think if you really want to search for a "fitting" phrase I would say you can call it "peppering"

crowdozer • Edited

Sounds like a hacky variant of 2fa lol

disclaimer not a security expert

The auth types are generally something you know (password, pin), something you are (fingerprint, retina), something you have (phone, hardware key)... 2fa/mfa being when you use two or more of them (like typing a password "something you know" then providing a sms code they send "something you have")

With a pwd manager, your master password is "something you know". So it is a single point of failure if somebody manages to breach your account that way. Another way of thinking about it - a pwd manager exchanges "something you know" for "something you have" by giving you a master key in exchange for your master password. So perhaps this approach is good if you use a pwd manager in an environment where you expect someone to have physical access to your key like in an office, maybe? Seems shaky to me because you'd want the appended password to be secure, too. I guess that would be a tradeoff - "I trust the people who might sit down at my computer, more than the people who might be listening on the internet."

Another situation: maybe a hacker steals your master password. It does make access to your pwd manager less useful for them. I dunno. Safer, but by what margin? What are the odds that they figure out the trick? As soon as it's discovered, it's as moot as the master key in the first place. It objectively would be harder to breach with this trick, but in that instance, instead of appending another "something you know" at every endpoint, you'd be better off adding a different form of auth, like SMS protection or Google Authenticator regularly pinging you when you try to open the manager. Or something else entirely if you're paranoid about SIM swap attacks.

In the event that the pwd manager itself gets hacked and everyone's passwords are in the wild, then yeah, it's a benefit to have the last few characters known only to you. But it's also the same benefit (and maybe a bit more secure) to have 2fa where you use those passwords anyway. Assuming they're randomly generated in the first place, it's all good 😁

Maybe, 2fa where possible, append "-monke" where not? (or where not vital)

Benjamin Bryant • Edited

Thanks for the comment, I was wondering about the potential benefits as well, or if there even were any.

But, yeah, I'd forgotten that the other services you'd be using could also have 2fa, as well as your password manager.

What got me thinking about this again were those social engineering 2fa attacks, where the attacker spams a user with login requests until they approve out of annoyance or something like that.

But I didn't think about how the other services the attacker could get access to could also have 2fa to stop them getting any further. But you're also right, in that not every login has 2fa yet so "monke" could be a thing in those cases.

But as the other comment mentioned, perhaps having a stronger front door could be easier.

fr0tt

I think yes, it would make your passwords more secure in case your password manager was compromised, but probably not by a lot. Chances are they will figure it out pretty quickly if they are already clever enough to figure out your master password anyway.
However, if data of millions of users were to be made public, chances are no one would bother to go the extra mile just for a handful of users like you. They will probably already be satisfied with (the rest of) what they gathered.