Ask HN: Is deriving passwords from a master key and service name a good idea?
1 points by ninov 4179 days ago
Hi, I had an idea about generating passwords for different services (e.g. Hacker News, Facebook, Twitter, ...) by using a cryptographic hash of a master key chosen by each person and the service's name, like this (python):

  import hashlib
  import base64
  
  def password(masterkey, service):
      h = hashlib.sha256() # probably could use hashlib.hmac?
      h.update(bytearray(masterkey, "utf-8"))
      h.update(bytearray(service, "utf-8"))
      return base64.b85encode(h.digest()).decode("utf-8") # With Base85 and SHA256 we'll get passwords of 40 characters including numbers, letters and some special chars
  
  key = "&T{TEeN_\q9+-L9_"
  
  print(password(key, "hackernews"))  # "kLh4WhHTC^M*$uko=plAViC{J;%WJ)9`jlo&-`cS" will be used as my HN password
  print(password(key, "facebook"))    # "0B+37p0n@JKP)b>nz}yfJ%#Qy*^d+gsQRwF08S}Q" will be used as my facebook password
  print(password(key, "twitter"))     # "SeR$P!-Z_z%%J5NI0qtO@5Y#$`K-d*7glNC%w=EQ" will be used as my twitter password
One would only have to remember his master key and then could derive all of his passwords from this and use a similar app on his smartphone or other devices. So it has the simplicity of using one password for all services, but it's way more secure, because when someone knows my password for that service he doesn't know it for any other services. It's probably not as secure as using a password manager with independently random generated passwords, but you have to maintain its database, sync it with other devices and so on...

As I didn't find any program which does this and as this isn't really complicated, there must be a serious downside I didn't notice. (Or not, and I just didn't google well enough or I'm really the first one to think about this)

So, to all cryptography nerds on HN: Is there something stupid about this I'm not seeing?
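The post's scheme hashes `masterkey + service` with one fast, unkeyed SHA-256 call. Two things a reviewer would change are visible from the code itself: plain string concatenation has no domain separation (the hash cannot tell `"ab" + "c"` from `"a" + "bc"`), and a single cheap hash means that anyone holding one derived password can test master-key guesses as fast as SHA-256 runs. The block below is an added example, not the poster's code: it keeps the same idea (deterministic per-service passwords from a remembered secret) but stretches the master key with PBKDF2, uses the `hmac` module the poster's comment alludes to, length-prefixes the service label, and adds a counter so one site's password can be rotated without changing the master key. The iteration count, output length, and the sample master key and username are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed parameters for this example; tune to taste.
PBKDF2_ITERATIONS = 200_000   # cost per master-key guess
PASSWORD_LENGTH = 20          # characters of Base85 output to keep


def stretch_master_key(masterkey: str, username: str) -> bytes:
    """Derive a 32-byte secret from the master key with a slow, salted KDF.

    A bare SHA-256 of the master key costs nanoseconds, so a leaked derived
    password lets an attacker test guesses at hardware speed. PBKDF2 with a
    high iteration count makes each guess expensive. The username is the
    salt, so two people who pick the same master key get different secrets.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        masterkey.encode("utf-8"),
        username.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=32,
    )


def derive_password(secret: bytes, service: str, counter: int = 1,
                    length: int = PASSWORD_LENGTH) -> str:
    """Derive one service password from the stretched secret.

    HMAC keeps the secret (key) and the service label (message) in separate
    roles. The label length-prefixes the service name, so the concatenation
    ambiguity of the original scheme cannot occur, and it carries a counter
    so a single site's password can be rotated independently.
    """
    service_bytes = service.encode("utf-8")
    label = (
        b"service:" + len(service_bytes).to_bytes(2, "big") + service_bytes
        + b"|counter:" + str(counter).encode("ascii")
    )
    tag = hmac.new(secret, label, hashlib.sha256).digest()
    # Base85 keeps letters, digits and punctuation, as in the original post;
    # truncating to `length` keeps the password within common site limits.
    return base64.b85encode(tag).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample inputs, not anyone's real credentials.
    secret = stretch_master_key("correct horse battery staple", "alice@example.com")
    for site in ("hackernews", "facebook", "twitter"):
        print(site, derive_password(secret, site))
    # Rotating only the Hacker News password:
    print("hackernews (v2)", derive_password(secret, "hackernews", counter=2))
```

Stretching happens once per session (`stretch_master_key`), and per-service derivation is then cheap, so the user-facing cost is a fraction of a second at startup rather than on every lookup. What the example does not change is the structural property the post itself points out: if the master key is guessed, every derived password follows, and a site that forces a password change still needs the counter recorded somewhere.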

1 comment

I'm in no way qualified to answer this, but this is probably good enough for most personal use.