
I'm hashing my passwords. For example, when logging into any google service, I use:

    echo "secret123|google" | sha1sum
where "secret123" is my master password (I use a much longer one actually to be safe). Similarly, on facebook, I would use:

    echo "secret123|facebook" | sha1sum
To both passwords, I add "Aa1!" to make it pass the capital/lowercase etc. tests.

EDIT: it is best to write a script for this



Somebody has told me that this would be bad because "something" (I think entropy?). I didn't understand that.

Can somebody with sense please explain if this is a good or bad idea?


It's not a terrible idea, but it does fall apart if you need to change one of the passwords (say, because you were using this strategy for a number of services including gotomypc). Now you need to have multiple master passwords, or you need to increment the service name (gotomypc2?), and then you're remembering the increment as well as the service and master password.

It's a cute trick, but I don't think it really scales well for the number of accounts we tend to have these days, and the frequency with which passwords must be changed due to hacks, password aging policies, validation ("must have 1 punctuation character"), etc.

As for entropy, it's limited by the master password, and whatever obscurity the hashing and service name provide. If you have a short master password, you're not getting as much uniqueness as you might think by looking at the length of the hash output.


It's a good idea if you're using a secure secret or if an attacker doesn't know your exact method.


I do something similar but I'm not happy about it at all. But I'm also afraid of password managers themselves becoming compromised.


I do this too, but with bcrypt instead of sha1.
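The scheme from the original post and the two replies about password changes and slow hashes, as an added example that is not any poster's own script. It reproduces `echo "master|site" | sha1sum` faithfully (including the trailing newline `echo` adds, which a reimplementation can easily miss), adds an assumed `generation` counter for the "gotomypc2" problem, and uses stdlib PBKDF2-HMAC as a stand-in for the bcrypt variant, since bcrypt is not in the standard library.

```python
import hashlib
import math

# Added example, not the poster's script: reproduces the scheme described in
# the post (`echo "master|site" | sha1sum`) and appends the fixed suffix "Aa1!".
SUFFIX = "Aa1!"


def shell_echo_sha1(text: str) -> str:
    """SHA-1 hex digest of text as `echo` pipes it: echo appends a newline,
    so the bytes hashed are text + b"\\n", not text alone."""
    return hashlib.sha1((text + "\n").encode()).hexdigest()


def derive_sha1(master: str, site: str, generation: int = 0) -> str:
    """Site password per the post. `generation` is an assumed addition for the
    'gotomypc2' problem raised in the replies: bumping it yields a fresh
    password for one site without changing the master password."""
    label = site if generation == 0 else f"{site}{generation}"
    return shell_echo_sha1(f"{master}|{label}") + SUFFIX


def derive_pbkdf2(master: str, site: str, generation: int = 0,
                  rounds: int = 600_000) -> str:
    """Slow-hash variant in the spirit of the 'bcrypt instead of sha1' reply.
    bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256 is the
    stand-in here; the site label serves as the salt."""
    label = site if generation == 0 else f"{site}{generation}"
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), label.encode(), rounds)
    return dk.hex()[:40] + SUFFIX


def master_entropy_bits(master: str, alphabet_size: int = 95) -> float:
    """Upper bound for any derived password: the derivation adds no secret,
    so a site password carries at most the master password's entropy,
    regardless of the 160-bit (40 hex digit) digest length."""
    return len(master) * math.log2(alphabet_size)


if __name__ == "__main__":
    for site in ("google", "facebook"):
        print(site, derive_sha1("secret123", site))
    print("after a forced reset:", derive_sha1("secret123", "gotomypc", 1))
    print("master entropy bits (printable ASCII):",
          round(master_entropy_bits("secret123"), 1), "of 160 digest bits")
```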



