Very simple password generation scheme; is this secure?

Edit/clarification: I mean password generation as in "deterministically generate passwords for your own use (e.g. to sign up for web services), based on some secret and on some site-specific data"

I take the MD5 digest of the concatenation of my master password and a (non-secret) site-specific string. Then I take the first 16 digits of the hex representation.

The advantages of such a simplistic scheme are:

• Usable anywhere where MD5 is available
• Don't have to trust a firefox extension or whatever t开发者_开发技巧o generate the password for you

Does this have any hidden vulnerabilities? Obviously, if the master is compromised, I'm out of luck.

(Side note: Of course using hex digits is suboptimal entropy per character, but who cares if the password is longer to make up for it?)

#!/bin/bash

master=myMasterPassword
echo "$master$1" | md5sum | head -c16

There are already systems that use this, such as SuperGenPass. In general, assuming your hash function is secure against preimage attacks (for which purpose I would suggest using something other than MD5), you're probably okay.

There is, however, a better construct for this purpose: The HMAC. It's constructed from a regular hash function, but has proofs of its security against various attacks, even limited preimage attacks. There's also a section in the RFC explicitly dealing with using a truncated HMAC.

Who are you defending against? What is the effect of the compromise? How do you defend your masterPassword, espically if it is entered in this script.

If the machine you have used is comprimosed or examined expect all your passwords to be exposed. Through command line history, your bash script, memory paged to disk. What make this worse is you talk about portability so you will use this on many machines some of which are not trustworthy. If someone uses this machine after you and catches on to waht you are doing they will not only get the passwords you have used on this machine but all passwords you have generated ever.

Another limitation of this is site which have rules on password composition. Mixxed upper and lowwer case letter, require the use of puncuation, minimum number of digits or letter which you MD5 for that particular site does not have. Also some site have a maximum length of password, my banking site has a maximum password length of 8, with using only 16 posible charecters you have greatly reduced the posible number of passwords.

This seems fine to me for low security sites, where the effect of a compromise is not bad. I would not trust this for my banking site access or my access to my work sites. Things I care about.

I would trust it for my slashdot, facebook, flickr, etc passwords

The solution I use is Password safe which is recommended by people I trust I email my password database around and install the client on each machine I use.

People have thought hard about how to protect passwords and password safe is one solution.

The script itself is a vulnerability as it has your master password in plaintext in it - preferably store the 'site specific string' in the script and always give the password as user input, also-use some ask password program, not command parameter to read the input - your command line gets stored to .bash_history

Also, please note that 16 characters of MD5 has only 64 bits of entropy - for example uuencode can provide much stronger 16 character passwords.

Well, your algorithm relies on a secret - namely your master password, so why not just make the secret the phrase 'the site name with my DOB appended to it'. Just as secure, and no need to store the algorithm anywhere but your head. As long as you dont write your passwords down anywhere its unlikely anyone will guess your 'secret'