3 comments

[ 2.5 ms ] story [ 26.2 ms ] thread
This relies on security by obscurity in keeping one compromised password from being used to access the other sites. An attacker who knows of the procedure can trivially detect passwords probably using it and substitute the domain identifier.

A modification that doesn't have this problem and keeps passwords retrievable using a single master password, but does require using a helper program, would be to take a cryptographic hash from the concatenation (master_password^site_id) and deterministically generate the desired password from the hash value.

Quick Python example:

"".join([chr(((ord(x)-33)%94)+33) for x in hashlib.sha256("hunter2"+"facebook").digest()[:8]])

True. In fact I have a partially complete firefox plugin that does almost exactly that. Problem is you need a bit of software installed which not very portable.

The technique in my post offers much better protection then most people are currently getting.

I've always found pwgen to provide usefully memorable passwords. Just have to run it a few times and find one I like.