All geek questions in one place

Very simple password generation scheme; it is safe?

Change / clarify: I mean the generation of passwords, as “deterministically generate passwords for your own use (for example, to register in web services), based on some kind of secret and some data for a particular site”

I take the MD5 digest of concatenation of my main password and (unclassified) string for the site. Then I take the first 16 digits of the hexadecimal representation.

The advantages of such a simplified scheme:

  • Used wherever MD5 is available.
  • No need to trust the firefox extension or what it takes to create a password for you.

Does this have hidden vulnerabilities? Obviously, if the master is compromised, I’m out of luck.

(Side note: Of course, using six-digit numbers is a sub-optimal entropy for each character, but who cares if the password is larger to compensate for this?)

#! / bin / bash

master = myMasterPassword
echo "$ master $ 1" | md5sum | head -c16
+3
source share
4 answers

Systems already exist that use this, such as SuperGenPass . In the general case, if your hash function is protected from attacks with the inverse image (for which I would suggest using something other than MD5), you are probably fine.

: HMAC. -, , . RFC, HMAC.

+2

? ? masterPassword, script.

, . , bash script, . , , , . - , , , , - .

, . Mixxed, , , MD5 . , 8, 16 .

, . . , .

slashdot, facebook, flickr ..

, , . .

, , .

+1

script , - " " script , , - .bash_history

, , 16 MD5 64 - , uuencode 16 .

0

Well, your algorithm relies on a secret, namely your master password, so why not just make a secret that the phrase "the site name with my DOB is added to it." It is just as safe and no need to store the algorithm anywhere except your head. Until you write down your passwords anywhere, hardly anyone will guess your "secret"

-2
source

Source: https://habr.com/ru/post/1729212/

More articles:


All Articles