
So the idea would be to have one master password that is combined with a label (key+hotmail) to create a password specific to that account.

Now I can have one complex password I can remember but different passwords for each account, meaning stolen data cannot compromise multiple accounts.

I suppose if someone knew what my accounts were, had multiple generated passwords and knew the labels for each and knew the method of generation they could reverse engineer my master key?

I am not an expert in this field and this is quite possibly a duplicate. But any other questions I could find that I suspected were asking similar things were using terminology I just wasn't sure about. Apologies in advance :)

Joshua

1 Answer

I suppose if someone knew what my accounts were, had multiple generated passwords and knew the labels for each and knew the method of generation they could reverse engineer my master key?

If the password generation function is CRC32(master_passphrase||label), it could probably be reverse-engineered.

Now if you use a cryptographically secure hash function, like SHA256, it will be computationally unfeasible to determine the master password.

Security can be further improved by using PBKDF, which uses a cryptographically secure hash function in multiple rounds to slow brute-force attacks (and, possibly, also worsen the complexity of future attacks based on as-yet undiscovered cryptographic weaknesses).

DepressedDaniel
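To make the answer's comparison concrete, here is an added example (not code from the question or the answer) that derives per-account passwords from one master passphrase three ways: the CRC32 scheme the answer calls weak, a plain SHA-256 over master and label, and PBKDF2-HMAC-SHA256 with the account label as salt. The master passphrase, labels, iteration count and output length are constructed values chosen for the example.

```python
import base64
import hashlib
import zlib

# Constructed sample inputs for this example; not values from the question.
MASTER = "correct horse battery staple"
LABELS = ["hotmail", "github", "bank"]


def weak_derive(master: str, label: str) -> str:
    """The weak scheme named in the answer: CRC32(master||label).
    CRC32 is a 32-bit checksum, not a cryptographic hash: its output
    space is only 2**32 values and it is linear, so a handful of known
    outputs leaks information about the input."""
    return format(zlib.crc32((master + label).encode()), "08x")


def sha256_derive(master: str, label: str, length: int = 20) -> str:
    """SHA-256 over master and label, joined with a separator so that
    ("key", "hotmail") and ("keyh", "otmail") cannot hash to the same value."""
    digest = hashlib.sha256(f"{master}\x00{label}".encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def pbkdf2_derive(master: str, label: str, iterations: int = 200_000, length: int = 20) -> str:
    """PBKDF2-HMAC-SHA256 with the account label as the salt.  The salt
    need not be secret; the iteration count is what makes every guess of
    the master passphrase cost about 200k HMAC computations."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), label.encode(), iterations, dklen=32)
    return base64.b64encode(key).decode()[:length]


def derive_all(master: str, labels: list[str]) -> dict[str, str]:
    """Per-account passwords from one master passphrase via PBKDF2."""
    return {label: pbkdf2_derive(master, label) for label in labels}


if __name__ == "__main__":
    for label in LABELS:
        print(f"{label:8} crc32={weak_derive(MASTER, label)} "
              f"sha256={sha256_derive(MASTER, label)} "
              f"pbkdf2={pbkdf2_derive(MASTER, label)}")
```

Note that plain concatenation without a separator lets two different (master, label) pairs produce the same input string; the SHA-256 and PBKDF2 variants here avoid that by using a separator or by passing the label as the salt.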