4

Is this [1] a secure and reasonable way to generate a unique password for login on various websites?

echo -n my_strong_master_password#website.com | sha1sum

Of course, if my system is compromised this will leak all passwords, but the same would go for a password manager, if there is a keylogger.

If this is not secure, are there means of improving it, while still keeping it portable?

[1] Source: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html#c4820917

Simon
  • 163
  • 6
  • 1
    Honestly, while the accepted answer is correct, your command is probably not the best you could be doing. SHA-1 is extremely fast, as are most modern hashing algorithms. You should use something like PBKDF2 or scrypt, not a single invocation of SHA-1. – forest Feb 17 '18 at 21:53

2 Answers2

3

Yes and no.

It depends on the strength of your master password. Since you are using a fast hashing function your master password needs to be even stronger.

The main threat of this scheme is that any website to which you give a password can try to brute-force or dictionary attack your master password. Once they have it they can impersonate you in every other site you use this scheme.

Here are 2 good answers on the subject :

Community
  • 1
Gudradain
  • 6,921
  • 2
  • 26
  • 43
  • Thanks, those links are very useful. It seems the weakness of a password manager (offline bruteforce if the database is stolen) could be slightly alleviated by modifying the password from the database with, e.g., the method from the original post. Then breaking in the database would be harmless, unless my post-hashing method would be known to the attacker as well? But maybe a simpler scheme (adding/removing sections to the password) would do the trick as well? – Simon Oct 29 '15 at 20:35
0

Yes this should be sufficient. Lowercase plus numeric (the output of sha1) gives you a search space of 36 characters. At 40 total characters in a SHA-1 hash, the search space is 1.84 x 10^62. If you take a relatively strong password (upper case, lower case, numeric and specials) of length 8, your search space is 6.70 x 10^15. However, many sites require the use of mixed case and or a special/numeric added so you should probably sneak those in someplace to cover sites that require such input. Also, many sites also limit password length though if you truncate the hash and stick with the maximum allowable password you should be better than the avg user.

You can use GRC Haystack to run some calculations on how quick you can break a password. At a trillion guesses a second the above 8 character example falls in about 1.12 minutes vs 5.84 hundred trillion trillion trillion centuries for your hash.

IMPROVEMENTS: 1) I'd make sure your master password is not a dictionary word or words, contains upper/lower/numeric/special and is completely random. Then add in the website and hash the entire thing. As long as the algorithm is unknown cracking is theoretically impossible. 2) Consider moving to SHA-256 as well as SHA-1 is flawed. 3) Take the 40 character output and use it to create a mixed case + numeric + special password that fits in say 13-15 characters (most sites will fall in this range of max length). It doesn't have to be fancy, i.e. if a numeric pops up then the next alpha is uppercase, if there is a number then insert a special in after it (e.g. if '1' pops up inser a ')', if '2' pops up insert '(')

J Kula
  • 74
  • 2
  • Please do not ever link to GRC. Not only are those calculations of his quite inaccurate, but Gibson in general is a snakeoil salesman with absolutely no respect from the information security community. – forest Feb 17 '18 at 21:46