Generating passwords using Password-Based Key Derivation Function

Question

I was thinking of using different and independent password for different websites, but not storing them in some password manager so I don't need to backup the passwords. I thought I could use some cryptographic technique to do this, and I come up with a script that do the following:

• User input a master password into the script.
• User input a name, or domain - whatsoever, into the script as site name.

• The script use PBKDF2 with HMAC (hashlib.pbkdf2_hmac in Python) to generate a key, using the master password as the password input and site name as salt, 250000 as the number of iterations and 8 bytes as the key length.

  Doing this currently takes around 1 second on my computer.

• The resulting key is treated as a number, and is converted into base 75. Each resulting digit is then mapped to a character using the following array:

  0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz
  

• The script output the resulting string and that string is used as a password for that site.

There's three goal I want to achieve with this script:

1. Given the same master password and same site name, the script should output the same string and it is a good secure password to be used on website.
2. Given only the generated password and site name, it should be impossible for an attacker to compute the master password (At least it should take a long time if the master password is strong).
3. Given only the generated password and site name, it should also be impossible for an attacker to compute password for other site name.

My question is: is this a secure password generator? The master password I used is basically just like a password that this script will output.

My implementation of this can be found here.

Answer 1

Like I wrote in the comment, the method here is pretty similar. The differences:

1. Rather than deriving each site password directly from the password, I recommended deriving a single master secret using a password hash and then deriving the site passwords from that using another KDF.
2. You are truncating the PBKDF2 output to 64 bits.
3. You define the method of turning the hash into a password explicitly.

Regarding the first, using a single master secret allows you to derive it once and then quickly derive multiple site-specific passwords. (It also uses a known-unique salt, which is nice.) This is not necessary, but does mean you can perhaps use more iterations in some cases.

Truncating to 64 bits should be fine, but is not necessary if you can copy-paste a stronger one. (If your password is complex enough brute forcing the 64-bit hash or the derived password will be faster than attacking the master password.)

The last is problematic. As discussed in the comments to the question I linked above, each site has their own requirements on the password so any static algorithm like that is unlikely to work for all. That is not a security issue, however: as long as you do not drop information from the hash further, any method of encoding it as a password will be fine.

---

However I'm not sure about if it is OK to use a such simple salt. Like I once heard that salts should be unpredictable...

No, salts only have to be unique. However, if you ever need to change the site password (e.g. their database is stolen and they require new ones), you may need to add something to the site name. Also, theoretically someone else who used the same method could be using the same salt, allowing a faster attack. (Adding e.g. your email address could solve this.)

---

Other than the downsides I mentioned in the other question (quoted below) there is the question of which password hash to use. PBKDF2 is not exactly the state of the art and using e.g. scrypt might give you a larger advantage over potential adversaries.

If you go this route you are putting all your eggs in one basket. If you forget the master password, you lose all the derived ones. If someone guesses it, they can derive all the others.

You would probably be better off just using a password manager that prevents guessing attacks. Otherwise the master must be very strong. A password manager generates random site passwords that leak no information about the master.