Score:0

DIY: password key derivation tool using PBKDF2 / HMAC

ru flag

First of all, I don't want to reinvent the wheel, just want to build my own car. Non-product environment; only for fun and entertainment.

The goal is to use a single private (and never published) master password to create unique passwords (token) for each website account (twitter.com, reddit.com, etc.)

Is the following approach consistent with these goals?

Code:

HOST_HASH = SHA512( LOGIN + SERVER )

USER_HASH = SHA512( USER_NAME + HOST_HASH )

PWD_HASH = SHA512( USER_PASSWORD )

KEY = PBKDF2_SHA256( USER_HASH, PWD_HASH, ITERATIONS_300000, LENGTH_512BITS )

DIGEST = HMAC_SHA512( HOST_HASH, KEY )

TOKEN = BASE64( SHA1(DIGEST) ) #-- just for convenient output

Inputs:

  • USER_NAME = user full name (ie: Jones Smith)
  • USER_PASSWORD = user secret master password (or passphrase)
  • LOGIN = user alias or e-mail or what ever used to log in (ie: jsmith123)
  • SERVER = web site or domain name (ie: stackoverflow.com)

Output:

  • TOKEN = strong and unique password easy to rebuild but hard to guess (?)
kelalaka avatar
in flag
What is your aim instead of generating a uniform random password?
swannty avatar
ru flag
@kelalaka – remember only one good master password, but have a different password for each website that derives from the master password
Score:1
kr flag

You use hashes of hashes. In your scheme it is secure. See details here.

You use PBKDF2 and thus you protect derived passwords from brute-forcing.

But your approach can lead to usability problems. Suppose you have 100 - 200 accounts for websites, email services, social networks, video/audio services, webshops, banks, etc. Think of the following cases:

  • One website requires you to change your password once a year, the other requires that every 3 months.
  • One website keeps passwords in plain form. Their password database was compromised. They require you to change your passwords within 3 days.
  • Mistakenly, you used a password for another website. After several attempts, your account was locked. After unlocking you are asked to provide a new password.

To change the password for one website, you will have to change your base password. This will change derived passwords for all other websites. That's why you will have to go to every single website and change your password.

  • This can take a lot of time.
  • You can forget some websites, because since you derive passwords automatically, maybe you don't keep the list. Later on, you will be surprised that such forgotten sites don't accept the password.
  • Some websites can be unavailable at the moment you want to change your password. Or you just don't have time to change the password for all websites at once and do that in blocks, 10 sites today, 10 sites tomorrow, etc. Later on, you will be not sure where have you already changed the password and thus what base password for what website you should use.

You decide if this is acceptable for you.

But if you use some password manager, you will get reliably protected passwords, e.g. KeePass encrypts with AES-256 and use uses a configurable number of iterations for password derivation, you still need to remember a single good password like a dicewire based, but the advantage is, that all your passwords for different resources remain independent on each other and you will not have any usability problems mentioned above.

swannty avatar
ru flag
Yes, changing and renewing passwords could be a problem in the long run. I will think about that issue. KeePass is good but passwords are stored (even if encrypted) somewhere in a file or a database. I'm looking for something more "dematerialized". Thank you very much for your answer.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.