如果你的一个密码被泄露了，这是否意味着你的其他密码也被泄露了？虽然有相当多的变量在发挥作用，问题是一个有趣的看什么使密码易受攻击，你可以做什么来保护自己。

今天的问答环节是由SuperUser提供的，SuperUser是Stack Exchange的一个分支，它是一个由Q&a网站组成的社区驱动分组。

问题

超级用户读者Michael McGowan很好奇单个密码泄露的影响有多大；他写道：

Suppose a user uses a secure password at site A and a different but similar secure password at site B. Maybe something like mySecure12#PasswordA on site A and mySecure12#PasswordB on site B (feel free to use a different definition of “similarity” if it makes sense).

Suppose then that the password for site A is somehow compromised…maybe a malicious employee of site A or a security leak. Does this mean that site B’s password has effectively been compromised as well, or is there no such thing as “password similarity” in this context? Does it make any difference whether the compromise on site A was a plain-text leak or a hashed version?

如果假设的情况发生了，迈克尔应该担心吗？

答案

超级用户贡献者帮助迈克尔解决了这个问题。超级用户参与者Queso写道：

To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).

As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventi*** on passwords on sites you use.

Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.

As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.

It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?

另一位超级用户撰稿人Michael Trausch解释了在大多数情况下，假设的情况不会引起太多关注：

To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).

As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventi*** on passwords on sites you use.

Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.

As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.

It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?

如果您担心您当前的密码列表不够多样和随机，我们强烈建议您查看我们全面的密码安全指南：如何在您的电子邮件密码被泄露后恢复。通过重新修改你的密码列表，就好像所有密码的母亲，你的电子邮件密码，已经被泄露了一样，很容易让你的密码组合快速更新。

有什么要补充的解释吗？在评论中发出声音。想从其他精通技术的Stack Exchange用户那里了解更多答案吗？在这里查看完整的讨论主题。