1 comment

[ 2.7 ms ] story [ 14.6 ms ] thread
This appears to be using the passphrase as an hmac key directly, with the URL.hostname as the value.

Unless the user memorizes a proper randomly generated key, this is going to be brute-forcable based on a single website’s generated password, which would then allow all other websites to be accessed.

Also, if a website ever changes its domain name, you’re going to have trouble.

This appears to be a weekend project, and I don’t want to be overly negative, but do not use this as-is. This is more than dead-simple: this is deadly simple.