Using an in-browser tabula recta to generate passwords

Question

I've been working on an idea for a stateless password manager, inspired by this blog post. I'm using a in-browser pseudo-random number generator (seedrandom.js) seeded with a user's master password to create a unique (?) 26x26 tabula recta of characters. The user then chooses a starting point for each website and follows a chosen pattern across the grid to create/access their passwords.

Seedrandom.js uses the RC4 (RC4-drop[256]) stream cipher, which I don't think is considered secure for encrypting information anymore. Q1: Does this matter if I'm only using it as the source of randomness for a 26x26 grid of characters that won't ever pass over a network (everything is generated client side in the browser)?

Q2: Also, what's your analysis of the strength of this system against an attack, both before and after the master password for a user's grid has been exposed? This previous question talks about possible attacks on a tabula recta, but answers focus mainly on keeping the physical token safe, which doesn't apply here.

These are my back of the envelope calculations:

Before master password is known, guessing a 16 character password:

log_2(88^16) = ~103 bits of entropy, which will take a very long time to crack in any context.

After master password is known, brute forcing a password from the grid:

(26*26 cells) * (20 common patterns) * (8 pattern directions, including diagonals) * (20 potential password lengths, 10-30chars) = ~2 million options

So on average this would take about 2 million/2 = 1 million guesses to crack. Depending on the context, this would be cracked in anywhere from ~400 days (rate limited web form, 100 guesses/hr) to << 1 second (database leak, fast hashing algorithm, 1e10 guesses/second).

There's a basic demo of this project here.

Answer 1

Your system would probably work in theory, but seems significantly flawed in practice. There are several practical weaknesses in the way it will be used:

1. You don't describe how you will convert the master password to the seed for the RNG. This is potentially a weak point.
2. You haven't specified how users will associate a starting point with a particular site. Without a way to save this, it will be impossible to use. Depending on a user's memory will lead to password reuse.
3. Users will tend to pick the same or a small number of starting points in the tabula recta based on human tendency, significantly reducing your entropy.
4. A tabula recta involves more manual work than users will actually want to use in practice.
5. RC4 has biases in the initial keystream. If this is not corrected for in your RNG, this will insert biases into your tabula recta.
6. You do not provide a good way for users to rotate passwords other than picking a new starting point for that site. Combined with #2, this will make it even harder for users to remember the starting point for a given site.

Answer 2

a 26x26 grid of characters that won't ever pass over a network

This is not entirely true. Every password exposes a little bit of this grid. If the attacker obtains one password he has a part of your grid and can use that to try to brute-force your master password.

To make brute-forcing the master password harder you could use a key derivation function such as PBKDF2, so that the grid is based on seedrandom(pbkdf2(master_password)). This slows down brute-force attacks and makes any insecurities in RC4 irrelevant.