by ninjay 4763 days ago
This is a prime example of why you should leave crypto to the experts. This method in no way should be used.

Imagine one of your hashes leaks. A cracker can notice your password was a hash of something and just run their normal attacks on it for leaked password + salt hashes. They don't know the salt exactly, but it will likely be part of the leaking site's url.

Now the cracker can generate your password for any account you have. Great.

Please use Keepass or another password safe to generate pseudo-random hashes. These were designed by experts.

2 comments

But a cracker can't "notice" that your password was a hash of "something" without knowing exactly what that "something" was, because the output of the hash is pseudorandom and isn't distinguishable from a random string.

Sure, they could assume every random-looking cracked password is a hash and try to crack each one, and conceivably discover your master password that way, but depending on your master password's entropy, that can be as unlikely as you need it to be. And the whole point of something like this is that you can use all your memory remembering an extremely high-entropy master password, rather than a large number of medium-entropy single-use passwords.

When we do an analysis on something like this we assume the method of encryption is fully known. Otherwise it's called 'security through obscurity'[1]. If this method got popular at all crackers would automatically start checking all hash-like passwords.

I'm also completely ignoring what would happen if that site were compromised. A little JavaScript snippet could just forward all passwords to the hacker's server. Even a browser extension could be compromised if it auto-updates. These are implementation details though that could be fixed/worked around.

[1] https://en.wikipedia.org/wiki/Security_through_obscurity

That is why the pass phrase is required to have a lot of entropy. Even if you know the algorithm used, you're going to have to guess the pass phrase to verify that. And the pass phrase is harder to guess than most people's passwords are.

Aside from the implementation details that you've raised, I'm not finding as many flaws as I expected in it.

So put that high entropy pass phrase in Keepass and don't worry about a cracker getting access to all your accounts through a misplaced hash. With all these sites getting attacked you have to assume anything you put in a website is public knowledge.

I mean, using a password safe is no more inconvenient than having to go to a website. When set up, the safe can even be a one click auto-fill deal. I don't see any reason to take the added risk.

I'm not recommending this approach. I'm merely saying that it isn't as trivially broken as one would think.
And SHA wasn't designed by experts? :)
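
An added illustration, not part of any comment above and not the code of the scheme being discussed: the thread turns on how much a leaked per-site password helps an offline guesser, which depends on the master pass phrase's entropy and on the cost of each guess. The sketch assumes the site password is derived as PBKDF2-HMAC-SHA256(master, salt=site); the function names, the sample inputs and the attacker rate of 10^10 hashes per second are assumptions.

```python
import base64
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_site_password(master: str, site: str, iterations: int = 1, length: int = 16) -> str:
    """Deterministic per-site password: KDF(master, salt=site).

    iterations=1 approximates a single fast hash; a large count makes each
    offline guess against a leaked derived password proportionally slower.
    (PBKDF2 is a stand-in chosen for this example, not the thread's scheme.)
    """
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), iterations)
    return base64.urlsafe_b64encode(raw).decode()[:length]


def expected_years_to_guess(entropy_bits: float, hashes_per_sec: float, iterations: int = 1) -> float:
    """Average time to find the master pass phrase by offline guessing.

    On average half of the 2**entropy_bits candidates are tried, and each
    candidate costs `iterations` hash computations.
    """
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / hashes_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed inputs, for illustration only.
    master = "constructed example master phrase"
    for site in ("example.com", "example.org"):
        print(site, derive_site_password(master, site, iterations=100_000))

    rate = 1e10  # assumed attacker speed in hashes per second
    for bits in (28, 40, 60, 80):
        for iters in (1, 100_000):
            years = expected_years_to_guess(bits, rate, iters)
            print(f"{bits} bits, {iters} iterations: {years:.3g} years")
```

The derivation is deterministic, so anyone holding one leaked site password can test master guesses offline; the table it prints shows how entropy and per-guess cost decide whether that search is practical.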