It’s probably not safe if they use that for everything. Someone could match emails and password suffixes, then they’d only have four letters to brute force. So all it takes is two leaks that your friend is on and they’re at real risk.

Generally, this would be avoided by whatever site storing their passwords as hashes instead of in plain text, but you can’t rely on that.

They should just use a password manager.

I used to do this. Have a system for generating a unique password for each site. But then one site got hacked and I had to reset my password, and I couldn’t use the old password. So I had to make a new system. You see the problem.

I used to use a similar system until I switched to a password manager. Convenience is a big factor, it’s nice to not have to think about logging in. Also coupled with that a secure password is a long password, so not having to type it in is a bonus.

The person says that, since the beginning of the password is unique, its “unhackable”, and that the attacker would need like 3 samples of the password to figure out their system.

I’ve had my data leaked more than 3 times, it’s not an unlikely scenario that someone could get a list of passwords used by someone.

Also once their system is compromised, they have to come up with a new system, then go and change every password. Which if it was me would be hundreds of places. With a password manager there’s no reason not to have completely unique passwords for everything, so if there is a leak, oh well, just change that password.

You can buy leaked passwords from the dark web if you know someone’s email.

So if someone got say 5 passwords from this person and look at them they’d very quickly be able to figure out the pattern and would know all their passwords.

The method they use is safe from scripts etc. But not foolproof

There are two answers to your question.
Most password cracking operations target a database of user accounts in bulk. As long as the hacker is not targeting your friend specifically, they should be fine.
If your friend is the target, one or two successful hacks could make their other passwords vulnerable.

It’s safe until you’re targeted.

Know your enemy:

1. Dictionary attacks
2. Leaked passwords
3. Password guessing attacks

Your “system” is good against 1. but vulnerable against 2., and a bit vulnerable against 3. because of the system.

If you’re using a password on one site you’re trusting that site to keep that password safe, so that only you can access your account.

If you’re using one password everywhere you’re trusting the weakest site to keep your most important account safe, which is obviously a bad idea.

Your friend is trusting the weakest sites he uses (or used at any point in the past) to keep his password scheme safe. Not quite as obviously bad, but to me it doesn’t seem to be a particularly good idea either.

This system is fine. While patterns are obviously easier to hack, having unique passwords for each site and being able to remember them puts your friend in the 90^th percentile of computer users.

For random password dumps going through thousands of accounts it’s probably fine, but if you’re targeted for some reason and they get just a couple passwords. With even just 2 passwords, that system may be obvious already to someone looking to gain access to your accounts specifically.

I reject the premise!

There is no safe or unsafe. It’s more like “more safe for a given person”.

Your friend’s system is better than using the same password everywhere. It’s more difficult to hack than the majority of passwords that aren’t generated by password managers. If that’s what your friend likes and works for them well, fine I guess.

It wouldn’t work for me because:

• it doesn’t input the password for you. Does your friend really type passwords in all the time?
• IDK if my memory is particularly bad but having to remember anything at all is hit and miss. Like I could remember those characters that are used everywhere, but for the router at my mum and dads house that I haven’t accessed in 5 years, was it “mums router” or “router mums house”
• Also I manage multiple passwords for the same sites, as in credentials for my partner or whatever, but I guess I could make variant of this system.
• also if I were to die the person who sorts out all my stuff will have access to my passwords
• but the main reason is… I use my keepassxc db as a database for all sorts of things which aren’t necessarily passwords. ssh keys are a good example. I use it for TOTP. bank card details. membership numbers and government ids. VIN numbers for vehicles. Also, a weird one, I have to keep track of about 100 physical keys for reasons, I stamp a number on them like k32 and then store that number and an explanation of what it’s for in my db.

There’s literally only 4 characters difference between all their passwords, even if those would be completely random, that’s very bad.

They don’t seem to understand that it’s not about how many samples you need to see to be sure what their Amazon password is. The problem is that if one of their passwords ever leaks, some bot can brute-force try thousands of variations on it and find any other password very quickly (they effectively only have to guess 4 characters, plus a bit to find that it’s the first 4 to change).

How can anyone think this is more secure than having completely different and long passwords for every site?

They probably don’t understand that your pw manager’s password is safer because you don’t enter it anywhere, only into your password manager (ideally with 2FA). This person is effectively spreading their master password around by putting it as the core of ALL their passwords, significantly increasing the risk that it leaks.

Better than a lot of other methods. What are you protecting, from who and how annoying would it be to recover if it went wrong. I don’t use a password manager because I’d lose the file for sure and it would be just as inconvenient to recover as if someone hacked me. I also don’t have any sensitive stuff. Work on the other hand I have a password manager.

The lowest hanging fruit is using a leaked/hacked/stolen list of accounts/emails and passwords and trying them on other sites. You should be safe from that.

If you have sensitive information someone would be willing to break the law and spend a few thousands of dollars to get you’re not safe.

I hope you didn’t make their actual basic phrase public.

In my opinion any password that’s designed to be human-friendly isn’t secure. Every crutch one uses to remember it, a machine can make much faster use of.

In this case I’d say the core idea: “SWydThIThBaPl!” is relatively safe, but 690720 is almost immediately recognizable as a date - to a machine! - and amng, leum etc. are even easier assuming the cracking program has knowledge of which site they’re trying to gain access to.

So the only good part is the one that repeats for every password.

I think the top half of this xkcd illustrates some of it; but iirc the bottom half has been sort-of half debunked.

In any case, I use only very long and completely random passwords for online accounts.

Does this person think password managers are crutches? You cannot out-remember a machine.

PS: entropy is not the only measure for password safety.

1. Dictionary attacks
2. Leaked passwords
3. Password guessing attacks

Brute force comes way down the list.

As long as it’s capitalized with a 1! at the end

https://m.youtube.com/watch?v=z_HmDP3lKMI