
I came up with the idea to generate passwords for internet sites by the following scheme:

$masterpassword
$hostname
$TLD

hashfunction($TLD.$masterpassword.$hostname)

So the actual password is a hash with a reasonable length of characters (depends on the hashfunction, sha512 = 64 chars)

Let's say my masterpassword is "ilovesecurity", the hostname is "stackexchange" and the tld is "com". So the plainpass would be "com.ilovesecurity.stackexchange" and the hash (the password I will use on the website):

56100C52CE2B54B38AAB4E354B7826216CD6FCB3B317E7CD442D251FB0F7B378D053E705257AE9EE2D3A787D48CA8D41FB2B31C10FB97C3ACE4E1382D4B9C392

Is this "method" secure and or practicable? If yes, what hashfunction should I use? If no, what can I improve? How can I eliminate the cons?

My pros and cons so far:

Pros:

  • secure?
  • no password manager needed
  • "portable"

Cons:

  • Need to generate the hash (by tool or online hasher)
  • Different password policies on websites
licklake
  • Secure? Not really anymore. Practical? Not nearly as practical or secure as using a password manager. Besides, what will you do for length and symbol requirements? – Alexander O'Mara Jun 03 '16 at 05:47
  • I will use a hashfunction that generates hashes with symbol. Sha512 was just an example – licklake Jun 03 '16 at 05:54
  • Ok, but some badly designed sites disallow them, while others require them. – Alexander O'Mara Jun 03 '16 at 05:55
  • These badly designed webpages don't have "critical" contents. So I don't really need super secure passwords for them anyways. – licklake Jun 03 '16 at 06:01
  • So you wouldn't be able to ever change passwords with this approach? That is a major fluke. – Julie Pelletier Jun 03 '16 at 06:21
  • You got a point. Do you have a solution in mind? Maybe another variable like a number ($n)? Otherwise you would have to change the masterpassword now and then. – licklake Jun 03 '16 at 06:25
  • [Stanford PwdHash](https://www.pwdhash.com/) does something similar to your idea. – Sjoerd Jun 03 '16 at 07:05
  • what if the password required is of fixed length,alphanumeric chars. Example: if it requires only 8 digit password which must have one upper case,one lower case,a symbol,and a number ?? – sourav punoriyar Jun 03 '16 at 07:25
  • I have never seen a site with a pw-policy that says that the password has to have exactly 8 digits (that website wouldn't be a safe place anyways).. and about the symbols: I am still searching for an algorithm that fits all these conditions, feel free to suggest one – licklake Jun 03 '16 at 07:29
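As an added example (not code from the asker or from any of the tools named in the thread), the scheme from the question written out as a function, next to a hardened variant that addresses the two cons raised in the comments: it uses a deliberately slow KDF (PBKDF2-HMAC-SHA256, chosen because it ships in Python's standard library; scrypt or Argon2 would be stronger), puts the site and a rotation counter into the salt so a password can be changed without changing the master password, and encodes the result into a string that meets an assumed policy (one lower, one upper, one digit, one symbol). The character classes, the counter, the iteration count and the 20-character default are assumptions for the example, not anything the question specifies.

```python
import hashlib
import string

# The asker's scheme as posted: SHA-512 over "TLD.master.hostname", hex output.
def naive_site_password(master: str, hostname: str, tld: str) -> str:
    return hashlib.sha512(f"{tld}.{master}.{hostname}".encode()).hexdigest().upper()

# Assumed site policy (not from the question): one char from each of these classes.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*")
ALPHABET = "".join(CLASSES)

def encode_for_policy(key: bytes, length: int) -> str:
    """Map derived bytes to a `length`-char password containing every class.

    Consumes 2*length + len(CLASSES) bytes. Uses modulo mapping, which carries a
    small bias when the alphabet size does not divide 256; acceptable for a demo."""
    need = 2 * length + len(CLASSES)
    if len(key) < need or length < len(CLASSES):
        raise ValueError("not enough key material or password too short for policy")
    chars = [ALPHABET[b % len(ALPHABET)] for b in key[:length]]
    # Force one character from each required class into the leading positions...
    for i, cls in enumerate(CLASSES):
        chars[i] = cls[key[length + i] % len(cls)]
    # ...then shuffle deterministically (Fisher-Yates driven by key bytes) so the
    # forced characters do not always sit at the front of the password.
    shuffle_bytes = key[length + len(CLASSES):need]
    for i in range(length - 1, 0, -1):
        j = shuffle_bytes[i] % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def derived_site_password(master: str, hostname: str, tld: str, counter: int = 1,
                          length: int = 20, iterations: int = 100_000) -> str:
    """Hardened variant (assumption of this example, not the asker's scheme).

    The site label and the counter go into the salt: a leaked password for one
    site gives no shortcut against another, and bumping `counter` rotates the
    password for that site only. PBKDF2 makes each offline guess of the master
    password cost `iterations` HMAC computations instead of one SHA-512."""
    salt = f"{hostname}.{tld}#{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                              dklen=2 * length + len(CLASSES))
    return encode_for_policy(key, length)

def satisfies_policy(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)

if __name__ == "__main__":
    print(naive_site_password("ilovesecurity", "stackexchange", "com"))
    for n in (1, 2):
        print(n, derived_site_password("ilovesecurity", "stackexchange", "com", counter=n))
```

The hardened variant only raises the price of each guess; it does not remove the structural weakness that a single leaked site password lets an attacker test master-password candidates offline, so the master password still has to be long and unguessable.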

2 Answers


It's only as secure as the master password. Everything else relies on the assumption that the algorithm is not disclosed to an attacker, aka security through obscurity. Oh, and you just disclosed your algorithm to the internet.

RonWayn
  • Well, it's not. Wordlist attacks are not effective against this method. Also, security through obscurity is always a problem; password managers have that too. The "algorithm" is just an example of my idea to get your thoughts on it, I won't use that in production. – licklake Jun 03 '16 at 06:51
  • Actually, word list attacks *would* be effective against this method. Are you under the misconception that a "word list" is a literal list of single dictionary words that is simply tried one by one as-is? A "word list" also contains things that are not words but are likely (or actual past) passwords and passphrases. In addition, each word is tried not just by itself, but also mangled by various rules; one of which will definitely be mixing it up with the website name, in various orders, and possibly even interspersing the characters. – Ben Jun 16 '16 at 13:46
  • Also, you may be misunderstanding the concept of "security through obscurity" when you claim password managers "have that too." A good password manager relies on a *strong master password* which you keep secret, similar to an encryption key, and *modern, strong cryptographic techniques* to keep your data secure. "Security through obscurity" means that if the attacker knows your method, you're doomed. Keeping a password secret is not considered "security through obscurity." Anyone can know your method there; they just can't know your secret password. – Ben Jun 16 '16 at 13:49
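To make the point in this answer and Ben's comment concrete, here is an added example (not code from anyone in the thread) of the offline attack against the posted scheme. The attacker has one site password that leaked from a site (they know the site, so they know the hostname and TLD), a small wordlist, a few mangling rules of the kind cracking tools apply, and tries several ways of combining each candidate with the site parts, one of which is the scheme from the question. The wordlist and the rules are constructed for the demo; a real one is far larger. Every guess costs one SHA-512, which is why the master password is the only thing standing between the leak and every other account.

```python
import hashlib
import itertools

# The asker's scheme from the question, reproduced for the demo.
def naive_site_password(master: str, hostname: str, tld: str) -> str:
    return hashlib.sha512(f"{tld}.{master}.{hostname}".encode()).hexdigest().upper()

# Constructed wordlist for the example: a few base passwords, not a real leak.
WORDLIST = ["password", "iloveyou", "letmein", "ilovesecurity", "security", "qwerty"]

def mangle(word: str):
    """Yield the variants a cracker's rule set typically produces from one base word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2016"):
        yield word + suffix
    yield word.translate(str.maketrans("aeio", "4310"))   # simple leetspeak

def combine(candidate: str, hostname: str, tld: str):
    """Yield the orderings an attacker tries for master + site parts, even without
    knowing the exact scheme. The posted scheme (tld.master.hostname) is among them."""
    for order in itertools.permutations((candidate, hostname, tld)):
        for sep in ("", ".", "-"):
            yield sep.join(order)
    yield candidate + hostname
    yield hostname + candidate

def recover_master(leaked_hash: str, hostname: str, tld: str, wordlist=WORDLIST):
    """Offline guessing: return (master, guesses_made) or (None, guesses_made)."""
    target = leaked_hash.upper()
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            for plain in combine(candidate, hostname, tld):
                guesses += 1
                if hashlib.sha512(plain.encode()).hexdigest().upper() == target:
                    return candidate, guesses
    return None, guesses

if __name__ == "__main__":
    # The leaked value is the question's own example input, hashed with the posted scheme.
    leaked = naive_site_password("ilovesecurity", "stackexchange", "com")
    print(recover_master(leaked, "stackexchange", "com"))
```

Once the master password is recovered, the attacker applies the same scheme to every other hostname they care about; no further cracking is needed. The same attack still works against a slow KDF, only each of the few hundred guesses above then costs as much as the KDF's work factor, which is the whole argument for using one.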

There are many password "managers" that work in that way. For example, the Masterpassword app is really close to your idea.

The algorithm is open source so I disagree with @RonWayn. As long as you cannot reverse the algorithm and find the master password with a given used password this should be secure enough.

Lich4r