0

When I was searching for a password manager to use I stumbled upon the concept of Master Password which instead of encrypting and saving your passwords, generates them by using your master password and the name of the service/website you use it for. This way your passwords don't have to be stored anywhere since they are generated every time you enter your master password in the app. I liked this concept but I wanted to try making my own app for this.

So what I thought of is basically:

  1. get master password and service url from the user
  2. add the strings together
  3. create a hash of this string using SHA-512
  4. use this hash as the seed for a PRNG that generates the password

Now my question: If you use a good master password, would there be any security risks concerning this concept?

  • Pretty sure there are some questions here about this... Let me ask you a usability question though: how will you handle websites that require you to rotate your password, or how will your change your password for a site if needed? – Conor Mancone Apr 28 '20 at 19:20
  • Similar questions: [How secure is this hash-based personal password scheme?](/q/230703/129883), [What are the cons of stateless password generators?](/questions/214301/) and [Is this idea for a password manager secure? If so, why doesn't anybody use it?](/questions/94106/) – Fire Quacker Apr 28 '20 at 19:32
  • @ConorMancone In that case I would add an input for a number which alters the password. That number would then be stored in a file (with the service that you need the new password for) but you're right, that would be kinda impractical. This idea definitely has its downsides... –  Apr 28 '20 at 20:30

1 Answers1

2

This password manager have the downsides of making formulas for creating passwords, and lacks the flexibility of a proper password manager.

The most obvious issue is that the passwords are deterministic. It means that if you come across a website that forces you to use exact one digit on the password, you cannot use your password manager to generate it, as you don't control any aspect of the generation process.

The second issue is that you cannot easily rotate passwords. If any of the passwords leaks or expires, you will have to code workarounds for each one.

The last one is that the master password cannot be changed, or it invalidates every single password you have. You have to change every password on every site, and that is bothersome, to say the least.

What could you do? For an experiment, not for real: create passwords using random generator (may it be chars, words, or a mix), encrypt them using a symmetric key, and use the master password to encrypt the symmetric key.

This way you can change any password at will, and encrypt just the changed password. You can change the master password by decrypting the current symmetric key, generating a new master password, encrypting the symmetric key with it, and saving it back.

But unless you are a very talented programmer with a broad knowledge on cryptography and secure programming, don't write a password manager that will be used by anyone but yourself.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142