
I have a small script that does hash(key + masterPasswd). key is usually just the site's domain name. I have the script and a few of the important passwords (e.g. my email) written down on paper in case my drive dies. It works fine for me.


You just exposed all your passwords to bruteforcing attacks. Unless “hash” in this case is something like scrypt with sane parameters.

Originally (before I started writing my own password manager) I also thought that this is a safe method of password generation. And then I realized that it isn’t. Wrote about it here: https://palant.info/2016/04/20/security-considerations-for-p...


Assuming you have the password and key, you'd need to brute force hash and masterPasswd. Seems hard.


It isn’t. You certainly used MD5, SHA1, SHA256 or SHA512 as hash, with SHA256 being the most likely one. All of these are very easy to bruteforce – if someone has one of your passwords, bruteforcing your master password won’t take all too long.


hash(x+const), hash^n(x), etc. are also hash functions.
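An added example, not code posted by anyone in this thread: the hash(key + masterPasswd) scheme under discussion next to a variant that derives the site password with scrypt, plus a measurement of how much more each derivation (and therefore each master-password guess) costs. The function names, the choice of SHA-256 for the fast variant, the scrypt parameters and the base64 truncation are all assumptions made for illustration.

```python
import base64
import hashlib
import time


def weak_site_password(master: str, site: str, length: int = 16) -> str:
    """Scheme from the thread: one fast hash over key + masterPasswd.
    SHA-256 is assumed here; the original script's hash is not stated."""
    digest = hashlib.sha256((site + master).encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def scrypt_site_password(master: str, site: str, length: int = 16) -> str:
    """Same inputs, but derived with a memory-hard KDF.
    n=2**14, r=8, p=1 needs about 16 MiB of RAM per derivation
    (assumed parameters; tune them upward for your hardware)."""
    digest = hashlib.scrypt(
        master.encode(),
        salt=site.encode(),      # the site name separates the per-site outputs
        n=2**14, r=8, p=1,
        maxmem=64 * 2**20,
        dklen=32,
    )
    return base64.b64encode(digest).decode()[:length]


def cost_per_derivation(fn, rounds: int) -> float:
    """Average wall-clock seconds for one derivation with a fresh input."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"constructed-input-{i}", "example.com")  # constructed sample data
    return (time.perf_counter() - start) / rounds


def slowdown_factor() -> float:
    """How many times more expensive one scrypt derivation is than one
    SHA-256 derivation on this machine."""
    slow = cost_per_derivation(scrypt_site_password, 5)
    fast = cost_per_derivation(weak_site_password, 5000)
    return slow / fast


if __name__ == "__main__":
    print("fast hash :", weak_site_password("constructed master", "example.com"))
    print("scrypt    :", scrypt_site_password("constructed master", "example.com"))
    print(f"scrypt costs about {slowdown_factor():,.0f}x more per derivation")
```

Both functions are deterministic, so the "regenerate from master password and site name" workflow stays the same; only the cost of each derivation changes.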



