by SwellJoe
5577 days ago
I think you're missing the point of something like SHA1_pass: A different passphrase for every site. In the case of SuperGenPass, it hashes the site with the passphrase, making a unique passphrase for every domain. In the case of SHA1_pass, I would do something like, "My wacky passphrase 123 facebook.com" and "My wacky passphrase 123 google.com", etc. if I were to use it. The sentence is only a piece of the hashed value, while some unique thing about what you're logging into is the rest of it.
So, using "My wacky passphrase 123 facebook.com" as my password directly on facebook.com would mean that anyone with malicious intent and access to facebook.com code could easily figure out that every website where I have an account is "My wacky passphrase 123 sitename.tld". Strong password failure. The one-way hashed version of that has no meaning to the sites I log in to.
So, original sentence has very low security value, while a hashed version of it (assuming a unique piece for every site or service) has very high security value, even if the actual password generated is less strong than the original sentence from a purely "number of possibilities" perspective.
Of course, if you always use the exact same passphrase, and thus the same resulting password, your math would make sense...but the likelihood of an exploit is far more likely to come from people behind one of the sites you use sniffing your password, than from a brute force attack, in either case.
* Takes a user supplied passphrase
* Makes a SHA-1 hash of the supplied passphrase
* Encodes the resulting hash in a variety of ways
I don't see where a different passphrase for every site comes in. You seem to be saying that you would append the site if you were to use it - you wouldn't need a tool like SHA1_pass to do that though.
I guess where I'm coming from is that I don't see what SHA1_pass does that provides any benefit over something like 1password or password gorilla, both of which can generate random passwords for arbitrary accounts.
Following your example, if I obtain your password on site A, then I get a hex|base32|base64 representation of a SHA-1 hash. I then put this into something like this (http://www.golubev.com/hashgpu.htm) and crack the SHA-1. I notice your algorithm for creating passwords and do the same. I'm now exactly where I would be if you weren't using your approach for a password on every site.
I appreciate that the SHA-1 element acts as an interesting intermediary, but your method for generating the password is predictable. I think a randomised SHA-1 might be better.
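The two approaches compared in this thread, as an added example that is not part of either comment and is not SHA1_pass's own code: a password derived as SHA-1 of "passphrase site" in the hex, base32 and base64 encodings mentioned above, next to a randomly generated password of the kind a password manager produces. The function names and the space-joined input format are assumptions taken from the first comment's sample strings.

```python
import base64
import hashlib
import secrets


def derive(passphrase, site):
    """Deterministic per-site password: SHA-1 over 'passphrase site'.

    Returns the 20-byte digest in the three encodings the thread mentions.
    The same inputs always give the same outputs, so nothing is stored,
    but everything depends on the passphrase and the (guessable) site name.
    """
    digest = hashlib.sha1(f"{passphrase} {site}".encode("utf-8")).digest()
    return {
        "hex": digest.hex(),                                 # 40 characters
        "base32": base64.b32encode(digest).decode("ascii"),  # 32 characters
        "base64": base64.b64encode(digest).decode("ascii"),  # 28 characters
    }


def random_password(nbytes=20):
    """Random per-site password: 20 bytes from the OS CSPRNG, base64-encoded.

    Same length as the base64 form above, but unrelated to any passphrase
    or site name, so it must be stored (for example in a password manager).
    """
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    phrase = "My wacky passphrase 123"  # sample passphrase from the thread
    for site in ("facebook.com", "google.com"):
        derived = derive(phrase, site)
        print(site)
        for name, value in derived.items():
            print(f"  derived {name:7}: {value}")
        # Re-deriving gives the identical value: the password is a pure
        # function of passphrase + site, which is both the convenience
        # and the weakness discussed in the reply above.
        assert derive(phrase, site) == derived
        print(f"  random  base64 : {random_password()}")
```

Running it twice shows the derived values stay the same between runs while the random ones change, which is the trade-off the two commenters are arguing over.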