by dannysu 4193 days ago
There are many hash-function-based generators of this type, but pretty much all of them use fast hash functions. The no-salt thing also makes me uneasy.

From another Ask HN[0], I learned about bpasswd[1] which does bcrypt and allows the cost (iterations) to be configured. That looks pretty cool.

For me, I chose to go with a hybrid approach and wrote hash0[2] for my less important passwords (important ones live in KeePass). Hash0 does 100,000 iterations of PBKDF2 with a salt from a CSPRNG, unique for each site. It stores the encrypted metadata (just the salt, length, symbol/no symbol, etc.) at a location of your choosing (I just store it in my Google App Engine).

Would love to get more eyes on it and get feedback (See services.js for generation logic).

Benefits of hybrid are that:

  - Allows me to use a random salt
  - Allows me to easily change the password for individual sites (thanks to the random salt)
  - Allows me to store the website's preferred password length and whether to use symbols or not
  - Allows me to create mappings (so, say, www.twitter.com and account.twitter.com can use the same password)
  - Allows me to store notes along with the metadata (e.g. what username I used)

[0]: https://news.ycombinator.com/item?id=8753534

[1]: http://www.alexhornung.com/code/bpasswd/

[2]: https://github.com/dannysu/hash0