So I’ve been trying to create more secure passwords now that I have employment where I have responsibility. They require us to change our passwords every 3 months. I used to use the same passwords for multiple sites. Then I used a password manager and got rid of those memorized passwords. With this job I don’t want to mix my personal password manager with my work computer, and I also don’t want to remember a complicated 15-character-long password to log in every day.

That brings me to my question. I’ve been using Yubikeys for years. I store a challenge response, use it for 2FA on all sites that allow it, and I use it for TOTP on most sites (there’s a limit to how many entries the Yubikey 5 can hold). You can also store a password in one of its two slots. My thinking is this: Is it secure to store a base password that is long and complicated, say 40 characters long with all the character classes, and use a different “prefix” for each application? Example: On my banking site I type in “bank” then press the Yubikey to type the rest. Same thing with social media and other accounts. Each one has a prefix and I don’t know the actual password. Of course I store all passwords, including the Yubikey one, in a password manager that’s backed up in the cloud (I use KeePassXC).

Your thoughts? Is this secure or stupid?
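The security-relevant property of the prefix scheme is that every site receives the same 40-character secret; only a short, guessable prefix differs. The following simulation is an added example written for this page, not code from the original poster. It models a site storing a salted hash, an attacker who obtains one site's plaintext password (phishing, malware, or an unhashed breach), and what that attacker can then do against the other sites under two schemes: the prefix scheme from the post, and a per-site derivation (HMAC-SHA256 keyed with the same base secret, as an illustrative alternative) in which one leaked output reveals nothing about the others. The base secret, site names, and prefix dictionary are constructed values; the hash function used by the simulated sites is plain salted SHA-256 to keep the demo fast, where a real site would use bcrypt or Argon2.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed values for the demo (not from the original post).
BASE_SECRET = "k7#Vq2!mZp9$Lw4@Xr8&Nc1%Tb6^Hd3*Gf5(Js0)Ye"  # stands in for the YubiKey static password
SITES = ["bank", "social", "email", "shop"]
# A short dictionary of the kind of memorable prefixes a person would choose.
PREFIX_GUESSES = ["bank", "social", "email", "shop", "work", "mail", "amazon", "games"]


def prefix_scheme(site: str, base: str = BASE_SECRET) -> str:
    """The post's proposal: a hand-typed site prefix followed by the shared static password."""
    return site + base


def derived_scheme(site: str, base: str = BASE_SECRET) -> str:
    """Illustrative alternative: derive a per-site password with HMAC-SHA256 keyed by the base secret.
    Each site's output is independent; learning one does not expose the key or the others."""
    mac = hmac.new(base.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:24]


def store(password: str) -> tuple[bytes, bytes]:
    """What a simulated site keeps: a random salt and a salted hash of the password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def verify(record: tuple[bytes, bytes], candidate: str) -> bool:
    """Check a candidate password against a stored (salt, hash) record."""
    salt, digest = record
    return hmac.compare_digest(digest, hashlib.sha256(salt + candidate.encode()).digest())


def attack_after_one_leak(leaked_password: str, other_records: dict, prefix_guesses: list) -> dict:
    """Attacker model: one site's plaintext password is known.
    The attacker assumes a short prefix may have been used, strips each candidate prefix to
    recover the shared suffix, then tries every candidate prefix + suffix against the other sites."""
    cracked = {}
    for pfx in prefix_guesses:
        if not leaked_password.startswith(pfx):
            continue
        suffix = leaked_password[len(pfx):]
        for site, record in other_records.items():
            for pfx2 in prefix_guesses:
                if verify(record, pfx2 + suffix):
                    cracked[site] = pfx2 + suffix
    return cracked


def simulate(scheme, leaked_site: str = "shop", prefix_guesses: list = PREFIX_GUESSES) -> dict:
    """Register the user at every site under `scheme`, leak one site's plaintext,
    and return the other sites the attacker can now log in to (site -> recovered password)."""
    records = {site: store(scheme(site)) for site in SITES}
    leaked_password = scheme(leaked_site)
    others = {s: r for s, r in records.items() if s != leaked_site}
    return attack_after_one_leak(leaked_password, others, prefix_guesses)


if __name__ == "__main__":
    for name, scheme in (("prefix scheme", prefix_scheme), ("HMAC-derived scheme", derived_scheme)):
        cracked = simulate(scheme)
        print(f"{name}: one leak exposes {len(cracked)} other account(s): {sorted(cracked)}")
```

Under the prefix scheme, the leak of a single site's plaintext hands the attacker the whole 40-character suffix, and the remaining accounts fall to a dictionary of a few hundred plausible prefixes, which is a cost of seconds against fast hashes and not much more against slow ones. Under the derived scheme the attacker gains only that one password. Note that the derivation is the same primitive as the YubiKey HMAC challenge-response slot the poster already uses (that slot computes HMAC-SHA1 rather than SHA-256), but unlike the static-password slot it cannot type its output into a login form by itself; something such as a password manager has to perform the derivation and hand the result to the site.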

  • Eezyville@sh.itjust.works (OP) · 7 points · 10 months ago

    I’m sorry. My original post did not convey my intentions adequately. The fact that I have to change my password every 3 months is what sparked my curiosity and the question in my original post. For work I just generate a password using a password manager and store it on a Yubikey that I use for work purposes when I need to update my password. The question in the post is for a personal Yubikey. I started using a generated password on that one and wondered if adding a prefix password to it, changing the prefix for different applications, would be considered secure.