[Osmium]

> Regarding "quick hash" or "slow bcrypt" - it doesn't matter here. Bcrypt complexity is to prevent obtaining real password from it's hash. Here we're dealing with real passwords but not hashes.

It does matter. If a website knows that you use SuperGenPass, they can conceivably guess your master password if it's weak as a direct result of SuperGenPass using a fast hash function to generate the site-specific password.

In a scheme like this, the "real password" is the output of a hash function (albeit munged a little bit), so choice of hash function is important. I'm not a cryptographer, but really a key-derivation function seems like it would be a lot more appropriate here than a simple hash like MD5.

[schmooser]

Still don't get it. Knowing that I use SGP gives attacker nothing. On each guess of master password attacker has to generate pass (quick, using hash) and then GO to website and try to login. And this is very slow compared to hash generation using bcrypt, SHA1 or even md5.

[Freaky]

That's assuming every website you use with one of these passwords is secure. In practice sites get hacked, fail to enforce HTTPS, databases get leaked, etc.

[Osmium]

> In practice sites get hacked, fail to enforce HTTPS, databases get leaked, etc.

Exactly. The threat here is that a single SuperGenPass-generated site-specific is leaked somehow (if you use it for a lot of sites, one of them is bound to be storing a password in plaintext, or not using https, or whatever–or, for all I know, the OP is such an important target maybe someone specifically sets up a website to capture a sample site-specific password). Then, using that site-specific password, a determined attacker might be able to recover your master password and then be able to login to all the other websites you use SuperGenPass with. That's the danger of using a 'fast' hash function to generate your site-specific password.

[schmooser]

Ok, I finally get your point, thanks for detailed explanation.