Disclaimer: This is from a user standpoint. We'll thus assume the target website (say, Paypal or Netflix) already uses a strong hashing algorithm with salts (bcrypt of pbkdf2, for example) and accepts 32-char-long passwords.
Context: let's assume Bob is a user who knows a few things about computers, but isn't an expert. For example, he understands that using strong passwords is a good thing, but he can't remember a long list of complicated passwords. He thus uses only one strong password on all sites, a practice he considers to be risky.
But then it hit him: he doesn't have to remember strong passwords! Instead, he can just remember easy ones and hash them with a simple function to get strong passwords. That way, he doesn't have to worry about database breaches too much, as his stored password would require massive GPU clusters to get cracked in a reasonable amount of time.
This would work this way:
- Go to target website.
- Enter username
- Hash his easy-to-remember password with a fast algorithm to generate a long password
- Enter hashed password and get authenticated by the website.
Question: Would this be a good, or even acceptable practice? Is this something you could advise someone to do? Why/why not?
This relies a bit on a variant of security through obscurity perhaps: the hacker only has to know a simple password was MD5-encrypted to render this uneffective, or even harmful (because the user will tend to use weaker pre-encryption passwords). As such, this wouldn't work on a large scale, ie. you couldn't tell millions of people to do that.
Thanks in advance for your input!