by ninjay 4763 days ago
When we do an analysis on something like this, we assume the method of encryption is fully known. Otherwise it's called 'security through obscurity'[1]. If this method got popular at all, crackers would automatically start checking all hash-like passwords.

I'm also completely ignoring what would happen if that site were compromised. A little JavaScript snippet could just forward all passwords to the hacker's server. Even a browser extension could be compromised if it auto-updates. These are implementation details, though, that could be fixed/worked around.

[1] https://en.wikipedia.org/wiki/Security_through_obscurity


That is why the pass phrase is required to have a lot of entropy. Even if you know the algorithm used, you're going to have to guess the pass phrase to verify that. And the pass phrase is harder to guess than most people's passwords are.

Aside from the implementation details that you've raised, I'm not finding as many flaws as I expected in it.

So put that high-entropy pass phrase in KeePass and don't worry about a cracker getting access to all your accounts through a misplaced hash. With all these sites getting attacked, you have to assume anything you put in a website is public knowledge.

I mean, using a password safe is no more inconvenient than having to go to a website. When set up, the safe can even be a one click auto-fill deal. I don't see any reason to take the added risk.

I'm not recommending this approach. I'm merely saying that it isn't as trivially broken as one would think.