I saw a JavaScript implementation of SHA-256. I wanna ask if it is safe (pros/cons, whatever) to use the SHA-256 algorithm (using a JavaScript implementation or maybe Python standard modules) as a password generator:

I remember one password, put it in followed by the website address, and use the generated text as the password for that website. Repeat the process every time I need a password, and the same for other websites.

A: 

SHA-256 generates very long strings. You're better off using random.choice() with a string a fixed number of times.

Ignacio Vazquez-Abrams
But then he needs to write down the generated random password for every site.
Thilo
@Thilo: It's a lot easier to write down a 10-character password than a 64-character password.
Ignacio Vazquez-Abrams
He does not need to write down the SHA-1 output for every site, he just has to remember the master password for all sites. Of course, he could use a password-protected file to store all the random passwords to get the same effect (unless you lose the file).
Thilo
@Thilo: I see nothing about him writing a password *manager*, just a password generator.
Ignacio Vazquez-Abrams
Exactly. The password generator he describes does not need a password manager. Using random passwords requires a password manager (but is more secure, at least as long as the manager is secure).
Thilo
+1  A: 

I think you are describing the approach used by SuperGenPass:

Take a master password (same for every site), concatenate it with the site's domain name, and then hash the thing.

Yes, SHA-256 would be secure for that, likely more secure than what SuperGenPass uses. However, you will end up with very long passwords, too long for many sites to accept, and also not guaranteed to contain numbers and letters and special characters at the same time, which some sites require.

Also, the general problem remains that if somehow (not by breaking the algorithm, but by other means) your master password does get leaked, all your passwords are belong to us.

Completely random passwords are most secure (if we ignore the problem of storing them securely somewhere).

Thilo
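The derivation Thilo describes (master password concatenated with the site's domain, then hashed) written with Python's standard library, as an added example that is not from the question or either answer. It also shows one way around the two practical objections raised in the answer, the 64-character hex output and the missing character-class guarantee, by mapping the digest onto a fixed-length password; the password length, the special-character set and the domain normalization are assumptions of this example.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Constructed parameters for this example; the question fixes none of them.
SPECIALS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def normalize_domain(address: str) -> str:
    """Reduce a 'website address' to a lowercase host name, so that
    'https://Example.com/login' and 'example.com' derive the same password.
    Without this step a URL path or a capital letter silently yields a different one."""
    if "//" not in address:
        address = "//" + address  # let urlsplit treat the string as a netloc
    return (urlsplit(address).hostname or "").lower()


def raw_sha256_password(master: str, address: str) -> str:
    """The scheme exactly as asked: hex(SHA-256(master || domain)). Always 64 hex
    characters, which is the length / character-class problem the answer points out."""
    data = (master + normalize_domain(address)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def site_password(master: str, address: str, length: int = 16) -> str:
    """Same derivation, mapped onto a site-friendly password: `length` characters
    from ALPHABET with a lowercase letter, an uppercase letter, a digit and a special
    character guaranteed. Deterministic: same master + domain -> same password."""
    if not 4 <= length <= 28:
        raise ValueError("length must be between 4 and 28 to fit one SHA-256 digest")
    digest = hashlib.sha256((master + normalize_domain(address)).encode("utf-8")).digest()
    # One digest byte per output character (b % 70 has a small bias; noted, not fixed).
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[:length]]
    # Pin one character of each required class to the first four positions, chosen by
    # the remaining digest bytes so the result is still fully determined by the hash.
    required = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)
    for i, cls in enumerate(required):
        chars[i] = cls[digest[length + i] % len(cls)]
    return "".join(chars)


if __name__ == "__main__":
    print(raw_sha256_password("my master secret", "https://Example.com/login"))
    print(site_password("my master secret", "example.com"))
```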