如果你的一個密碼被洩露了，這是否意味著你的其他密碼也被洩露了？雖然有相當多的變數在發揮作用，問題是一個有趣的看什麼使密碼易受攻擊，你可以做什麼來保護自己。

今天的問答環節是由SuperUser提供的，SuperUser是Stack Exchange的一個分支，它是一個由Q&a網站組成的社群驅動分組。

問題

超級使用者讀者Michael McGowan很好奇單個密碼洩露的影響有多大；他寫道：

Suppose a user uses a secure password at site A and a different but similar secure password at site B. Maybe something like mySecure12#PasswordA on site A and mySecure12#PasswordB on site B (feel free to use a different definition of “similarity” if it makes sense).

Suppose then that the password for site A is somehow compromised…maybe a malicious employee of site A or a security leak. Does this mean that site B’s password has effectively been compromised as well, or is there no such thing as “password similarity” in this context? Does it make any difference whether the compromise on site A was a plain-text leak or a hashed version?

如果假設的情況發生了，邁克爾應該擔心嗎？

答案

超級使用者貢獻者幫助邁克爾解決了這個問題。超級使用者參與者Queso寫道：

To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).

As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventi*** on passwords on sites you use.

Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.

As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.

It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?

另一位超級使用者撰稿人Michael Trausch解釋了在大多數情況下，假設的情況不會引起太多關注：

To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).

As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventi*** on passwords on sites you use.

Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.

As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.

It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?

如果您擔心您當前的密碼列表不夠多樣和隨機，我們強烈建議您檢視我們全面的密碼安全指南：如何在您的電子郵件密碼被洩露後恢復。透過重新修改你的密碼列表，就好像所有密碼的母親，你的電子郵件密碼，已經被洩露了一樣，很容易讓你的密碼組合快速更新。

有什麼要補充的解釋嗎？在評論中發出聲音。想從其他精通技術的Stack Exchange使用者那裡瞭解更多答案嗎？在這裡檢視完整的討論主題。