So, in my imagination there is this simple algorithm with only one master password, let's say a prime number 'p', which I have to remember. Using only the address of the website and p, the algorithm must generate a unique password. It must be at least almost impossible to guess the value of p even if you know the algorithm. Also impossible to guess the password of website B if you know the password of website A and the algorithm. The reason why I need this algorithm: I'd have different passwords and would have to remember only one number. There's also the matter of having multiple accounts on the same website but I think it will be easy to modify the algorithm. I think it will be useful for many users.
Asked
Active
Viewed 842 times
1 Answers
5
The problem is almost exactly the same as in password based key derivation, so you could use a similar solution.
- Derive a master secret from your password and a unique salt using e.g. PBKDF2 or scrypt: $S_m = PBKDF(p, s)$.
- Derive a site-specific secret from the master using e.g. HKDF and the site URL: $S_u = HKDF(S_m, u)$.
- Turn the site secret into a usable password, e.g. by encoding in base 64.
If you go this route you are putting all your eggs in one basket. If you forget the master password, you lose all the derived ones. If someone guesses it, they can derive all the others.
You would probably be better off just using a password manager that prevents guessing attacks. Otherwise the master must be very strong. A password manager generates random site passwords that leak no information about the master.
otus
- 32,462
- 5
- 75
- 167