2

I currently use the SHA-3 hash algorithm to create passwords from a given set of characters. The user flow:

  • The user enters his master password (M), site name (S), password length (PL) and chooses the characters the password should have (C).
  • sha(sha3(M+S+C)+PL)
  • The binary result will then be mapped to the chosen characters.
    • If the characters from 'a' to 'z' are used, a 0000 0000 byte will be an 'a', a 0000 1111 byte would be a 'p' and a 0001 1010 byte will be an 'a'.

Is this use of SHA-3 safe, or have I created a loophole which can be used to "guess" passwords or, much worse, get the master password?

Here is a link to the source code.

Serverfrog
  • 586
  • 7
  • 18
  • 1
    [Please just use a password manager.](http://crypto.stackexchange.com/questions/5689/a-single-password-manager-vs-password-generator-hash) – Stephen Touset Feb 25 '17 at 05:13
  • No, because of these problems: you always need the database file. That means you must sync it to all devices which should be able to use the passwords. When a mobile device is used the database is also lost and an offline brute force could be made. When online password managers are used we need not discuss any further. Furthermore I use, so I think, not a very fast hashing method, so a brute-force attack is also slowed down. Other points from this answer are no possible password change; I think I create a system where this is nearly possible. – Serverfrog Feb 26 '17 at 15:21
  • Offline brute force is entirely mitigated if you use *one* strong passphrase to protect your password manager. Feel free to go against the repeated [advice of security professionals](https://arstechnica.com/security/2015/07/what-amateurs-can-learn-from-security-pros-about-staying-safe-online/) though. You are not the first person to go this route, and you will not be the last to [realize that it's a mistake](https://news.ycombinator.com/item?id=13016420) due to an [ever-growing list of flaws](https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers). – Stephen Touset Feb 26 '17 at 22:54

2 Answers

2

From an information security perspective, you should consider your scheme public, as per Kerckhoffs's principle, even more so since you disclosed your source code. Thus the security of your generated passwords is reduced to the security of their input. The algorithm chosen is irrelevant, as an attacker would choose the input and use your algorithm to generate the password.

So let's evaluate the security of your inputs:

  • Master password: If an attacker finds it, all your passwords are compromised. Do not reuse your passwords.
  • Site name: This is public knowledge; it doesn't increase security.
  • Password length: Contains very little entropy. It's almost useless.
  • Available characters: I guess you always use the same ones or use all the characters allowed by the website, as doing otherwise would be very inconvenient. Thus it is equivalent to a second small master password.

So, basically your scheme hashes public information with a master password. An attacker only needs to successfully brute-force one of your generated passwords to recover your master password and then be able to easily find the other generated passwords.

A better solution would be to randomly generate your passwords. This way, they cannot leak information about the others. You could then save them in an encrypted file or database. You would only need to remember the master password of the encrypted database, without having to remember the password length or how the website was called before they changed their name. Password managers allow you to do just that.

A. Hersean
  • 10,046
  • 3
  • 28
  • 42
  • But what is then the difference between using a password manager and this? In my opinion, when a password manager is used he only needs to have the master password/keyfile, so why should this be better? Brute force also applies to that too. A second point is: offline brute force of the password manager database vs. brute force against websites, which is then the only location where a password is stored. – Serverfrog Feb 26 '17 at 15:11
  • Password managers use good parameters as their default configuration, such as hashing your master password many times to unlock the database. You can also use two-factor authentication (at least for some of them). Also, for some websites with special rules for passwords, you will find that you will have to tweak your scheme, and remember how you tweaked your scheme 6 months later. Your scheme adds useless burden on your memory. – A. Hersean Feb 26 '17 at 21:45
-2

Your proposal is not safe. According to the OWASP password storage cheat sheet, your function lacks the following defenses:

  • Work factor. There needs to be a cost associated with the hashing function in order to mitigate against brute force attacks.
  • Salt. This is to prevent two or more people with the same password on the same site from having the same hash value. Salt also adds additional entropy without relying on the master password's complexity.

Is there a reason why you aren't using established password key expansion techniques like PBKDF2?

HTLee
  • 1,772
  • 15
  • 30
  • 1
    OP is asking about a password *generation* scheme, not a password *storage* scheme. – Stephen Touset Feb 25 '17 at 05:13
  • You want a password generation scheme that does not require any special storage requirements. Hence the use of one-way hash functions, but that is not enough (the OWASP explains why). – HTLee Feb 25 '17 at 19:46
  • Choose one of the other values besides the master password and you have a salt. A salt must not be private, so these are, in some kind, a salt. And there is also work! – Serverfrog Feb 26 '17 at 15:14
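The following is an added example, not the questioner's source code nor anything from the answers. It implements the scheme exactly as the question describes it (SHA3-256 assumed for both hashes, PL appended as a decimal string, each output byte reduced modulo the charset size), measures the bias that the byte-to-character mapping introduces, and, for the work-factor and salt points raised in the last answer, shows a hardened variant that derives the key with PBKDF2-HMAC-SHA256, uses the public per-site context as the salt and maps bytes to characters by rejection sampling so every character is equally likely. The sample master password, site name and the version tag `v1` in the salt are constructed values.

```python
import hashlib
import string
from collections import Counter

# Constructed sample inputs for the demonstration; none of these come from the question.
MASTER = "correct horse battery staple"
SITE = "example.com"
CHARSET = string.ascii_lowercase
LENGTH = 12


def generate_as_asked(master: str, site: str, charset: str, length: int) -> str:
    """The scheme as described in the question: sha3(M+S+C) hashed again together
    with PL, then each output byte reduced modulo the charset size.
    Assumptions: SHA3-256 for both hashes, PL as a decimal string, UTF-8 encoding.
    Written from the description in the question, not copied from its source code."""
    if not 1 <= length <= 32:
        raise ValueError("one SHA3-256 output only supplies 32 bytes")
    inner = hashlib.sha3_256((master + site + charset).encode()).digest()
    outer = hashlib.sha3_256(inner + str(length).encode()).digest()
    return "".join(charset[b % len(charset)] for b in outer[:length])


def mapping_bias(charset: str) -> Counter:
    """How often each character is produced when one uniformly random byte is
    reduced modulo len(charset). 256 = 9 * 26 + 22, so for 'a'..'z' the
    characters 'a'..'v' are hit by 10 of the 256 byte values and 'w'..'z' by 9:
    the generated password is slightly less uniform than its length suggests."""
    return Counter(charset[b % len(charset)] for b in range(256))


def generate_hardened(master: str, site: str, charset: str, length: int,
                      iterations: int = 600_000) -> str:
    """Same inputs, hypothetical hardening: (1) PBKDF2-HMAC-SHA256 adds a work
    factor so each guess of the master password costs `iterations` HMACs instead
    of two SHA-3 calls; (2) the public context (site, length, charset, version tag)
    is the salt, which need not be secret; (3) rejection sampling removes the
    modulo bias. Length is no longer limited by one digest's size."""
    n = len(charset)
    limit = 256 - (256 % n)  # largest multiple of n that fits in a byte
    salt = f"v1|{site}|{length}|{charset}".encode()  # "v1" is a constructed version tag
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    out = []
    counter = 0
    while len(out) < length:
        # Expand the slowly derived key with SHAKE256; the counter separates the chunks.
        stream = hashlib.shake_256(key + counter.to_bytes(4, "big")).digest(64)
        for b in stream:
            if b >= limit:  # this byte would be biased: discard it and take the next
                continue
            out.append(charset[b % n])
            if len(out) == length:
                break
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    print("as asked :", generate_as_asked(MASTER, SITE, CHARSET, LENGTH))
    print("bias     :", dict(mapping_bias(CHARSET)))
    print("hardened :", generate_hardened(MASTER, SITE, CHARSET, LENGTH))
```

Both generators are deterministic, so the structural objection in the accepted answer still applies to the hardened variant: one recovered site password lets the master password be tested offline, and the work factor only raises the per-guess cost. The bias measurement is the smaller, independent defect: any charset whose size does not divide 256 is mapped unevenly by plain modulo reduction, which rejection sampling fixes.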