| As I understand it, SHA1_pass does the following (please correct me if I'm wrong or missing anything out): * Takes a user supplied passphrase * Makes a SHA-1 hash of the supplied passphrase * Encodes the resulting hash in a variety of ways I don't see where a different passphrase for every site comes in. You seem to be saying that you would append the site if you were to use it - you wouldn't need a tool like SHA1_pass to do that though. I guess where I'm coming from is that I don't see what SHA1_pass does that provides any benefit over something like 1password or password gorilla, both of which can generate random passwords for arbitrary accounts. Following your example, if I obtain your password on site A, then I get a hex|base32|base64 representation of a SHA-1 hash. I then put this into something like this (http://www.golubev.com/hashgpu.htm) and crack the SHA-1. I notice your algorithm for creating passwords and do the same. I'm now exactly where I would be if you weren't using your approach for a password on every site. I appreciate that the SHA-1 element acts as an interesting intermediary, but your method for generating the password is predictable. I think a randomised SHA-1 might be better. |
The benefit of SHA1_Pass is that you never store, synchronize or backup passwords ever again. It's free, completely open-source and anyone can implement it and other software can be used to generate the hashes. Some of the password storage managers are not that way.