Are algorithmically-generated personal passwords a security risk?

The main issue with a "password generation algorithm" is that the passwords are fixed. You cannot change a single leaked password without changing the algorithm, thus changing every password.

To avoid that, you had to record somewhere the sites using the first version, the ones using the second one (because the password generated by the first leaked), the sites using another one because the algorithm generated a password unacceptable by some site, and so on.

And some sites require you to change your password from time to time. So you would have to take that into account, and record more and more information just to keep in pace with the state of the passwords. And for that, you would need a secure data storage, with encryption, a backup process, something easy to use and easy to be integrated on your online routine.

Losing any of those records would lock you out, and create an Availability Compromise. Leaking it in plaintext would create a Confidentiality Compromise. Corrupting (or forgetting) any of it would create an Integrity Compromise. You need some software specially created for secure storage.

Something like... a password manager.


You seem to think that only a human could figure out your scheme, and that's not necessarily true. Attackers won't just reuse the exact passwords they found, they can also come up with all kinds of tricks, and reverse them.

So let's take your algorithm as an example, and say stackoverflow_rm6Z0$f237db^DGYU3r gets leaked. If I were an attacker, and got a list of all SO-passwords, I'd not only try every password on other sites, I'd also analyze the passwords. So I'd pay attanetion to every password that includes stackoverflow, so, stack, kcats, wolfrevokcats, dysvlpbrtg;pe (that's stackoverflow, but using one key to the right), etc.

So your example would quickly get caught. The attacker probably wouldn't even have to look at you password personally, and a script would be enough to also try out google_rm6Z0$f237db^DGYU3r for a Google-account.

Sure, the password-trying-script needs to be a little more complicated than the version that only tries the exact passwords, but still not terribly hard to write.

Only if you manage to come up with some algorithm that is more complicated than what a hacker could come up with and include in a script, does it add any more security than simple exact reuse.

In addition, if two of your passwords get leaked, the hacking becomes even more trivial. If a script can figure out that two passwords belong to the same person, it's very simple to check them for any similarities, and the space of possible other passwords gets a lot smaller. The attacker needn't even figure out the exact algorithm, just know the common part.


ThoriumBR already covered the issue you will face with keeping track of your algorithmic passwords. But focusing on the presented issue:

  • you are using an algorithm obvious to anyone which sees even one password
  • you don't expect to be targeted individually

The news is, it is not enough not to be important. Attackers won't care. They will compromise anyone they come across. If they have bigger fish at the moment, they may not pay more attention to you for now. Or they could resell you to others.

How they could use your password?

  • they could dump the accounts for a site which didn't even hash their passwords. In 2020.
  • you provided those credentials on a phishing site
  • you registered on an evil website

Literally, what sets you apart from those that used the same password for the compromised account and other sites (which we can expect will be probed first) is just the criminal paying attention and reading your password.

If they extracted just a few dozens of credentials, you can count they will look at them. whereas if they extracted several thousands, and have plenty of working ones, they may not bother. Also note there may be several "recipients" of those credentials. The attacker that extracted them may just sell the list to a different one, which could exploit some of them, classify (depending on the user has an account at, if they were able to crack the password or not, etc.) and resell by pieces. Another one could buy it… It could as well be mixed into a combo with other compromises, reappear years later… And you are betting that at every step nobody realizes. (This would be a bit better if they were rotated periodically, but given the scenario, this it won't be the case)

Are easy-to-guess password generation algorithms any better than exact password reuse for your average user?

If you only care if they are any better, yes, they will be slightly better than repeating the exact same password. But as already mentioned multiple times in this page, use a password manager. Don't close your door with a string just because it's better than a piece of paper saying "please don't enter".

If using a password manager is hard, that is an UI issue, that should be approached and fixed, but that's not a technical problem. Note there are many password managers, some of them commercial. There is room or password managers to "fix their ways" and be even more accessible. still, I would consider learning to use a password manager simpler than having to memorize rm6Z0$f237db^DGYU3r.

If using a password manager software is still too hard (old people, perhaps), despite instructions, having a hard-copy manual, etc. I would suggest using a physical password manager. Simply provide a notebook with already filled random passwords (to sidestep the lack of a proper built-in password generator), and space to input the details on which site it is, username…. It could be organized chronologically or as an address book.

If your threat model does not include physical attackers, this is a perfectly fine solution. And being low-level, it should be simple to learn using.