

Show HN: SHA-PASS, a simple secure app for password management - alexbecker
https://play.google.com/store/apps/details?id=com.alexbecker.sha_pass

======
smt88
I may be missing something, but this doesn't seem secure at first glance.

Assume I decompile your app and look at your algorithm. If there are only two
inputs (service name and master password), then I'm only missing the master
password.

If I get a couple (or more) of your passwords, I can probably figure out your
master password, since I know everything else. That could be done via Android
malware or several successful hacks.

All of a sudden, I have a universal key to all of your accounts. That's a
worst-case scenario in terms of security.

The risk is significantly lower if the master password is sufficiently
complex, but not many users use complex passwords.

~~~
alexbecker
"If I get a couple (or more) of your passwords, I can probably figure out your
master password, since I know everything else."

Not really. The algorithm returns a portion of the SHA-256 hash of the
concatenated master password and service. SHA-256 is widely believed to be a
one-way function (see [http://en.wikipedia.org/wiki/One-way_function](http://en.wikipedia.org/wiki/One-way_function) for details),
meaning that it is essentially computationally impossible to get the inputs
from the hash, or even many millions of related hashes. If such an attack
exists, it represents a major vulnerability to electronic infrastructure
worldwide.

If you want to give it a shot, the first screenshot uses my actual master
password (which I've been using for years). The password generated for "app
store" is "35463F2465b%". I'll probably put the source for the program on
github.com/alexbecker tomorrow.

Granted, if the master password is sufficiently simple to guess the app is not
secure. But that's unavoidable; the entire point of having a single password
is that you can afford to make it secure.
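
Added example (editor's note, not the SHA-PASS app's code and not part of either comment above): a Python sketch of the scheme as alexbecker describes it and of the attack smt88 describes. The thread only says the output is "a portion of the SHA-256 hash" of the concatenated master password and service, so the exact portion and encoding are an assumption here (first 12 hex characters; the app's own sample "35463F2465b%" is plainly rendered differently). The wordlist and the leaked password are constructed for the demo. The point it makes concrete: one leaked per-service password plus the decompiled algorithm is enough to verify master-password guesses offline at one SHA-256 per guess, so the scheme is exactly as strong as the master password is hard to guess, which is what both commenters end up agreeing on.

```python
import hashlib

# Assumption: which bytes of the digest are used and how they are rendered is
# not stated in the thread; this demo takes the first 12 hex characters.
# The real app's output format differs.
OUTPUT_LEN = 12


def derive(master: str, service: str) -> str:
    """Per-service password: a prefix of hex(SHA-256(master || service))."""
    digest = hashlib.sha256((master + service).encode("utf-8")).hexdigest()
    return digest[:OUTPUT_LEN]


def candidate_masters(base_words):
    """Constructed toy wordlist with the mangling rules cracking tools apply
    (capitalisation, appended digits, trailing '!'). Real attacks use lists of
    hundreds of millions of leaked passwords and far richer rule sets, and
    SHA-256 runs at billions of guesses per second on commodity GPUs."""
    for w in base_words:
        for v in (w, w.capitalize(), w.upper()):
            yield v
            yield v + "!"
            for d in range(100):
                yield f"{v}{d}"


def guess_master(service: str, leaked: str, candidates):
    """Offline guessing attack in the sense of smt88's objection.

    The attacker knows the algorithm (decompiled app), the service name and one
    derived password that leaked from that service. Each candidate master is
    checked with a single SHA-256 call; a second leaked password would only
    confirm the hit. Returns (master_or_None, number_of_guesses_tried).
    """
    tried = 0
    for cand in candidates:
        tried += 1
        if derive(cand, service) == leaked:
            return cand, tried
    return None, tried


def concat_ambiguity() -> bool:
    """Plain concatenation has no separator, so two different (master, service)
    pairs can produce the same input string and therefore the same password."""
    return derive("hunter2", "app") == derive("hunter", "2app")


# Constructed base words for the demo wordlist.
BASE_WORDS = ["letmein", "password", "qwerty", "welcome", "dragon"]

if __name__ == "__main__":
    # A dictionary-style master falls to a few hundred guesses.
    leaked = derive("Password1", "app store")
    print(guess_master("app store", leaked, candidate_masters(BASE_WORDS)))
    # A long random passphrase is not in the list; the attack exhausts it.
    leaked = derive("correct horse battery staple", "app store")
    print(guess_master("app store", leaked, candidate_masters(BASE_WORDS)))
    print(concat_ambiguity())
```

Two practical notes follow from this. First, the one-way property of SHA-256 that the reply relies on protects a high-entropy input; it does nothing against enumerating a low-entropy one, which is why per-guess cost (a deliberately slow KDF) is what password-based schemes normally add, and even that only multiplies the attacker's work by a constant. Second, concatenating without a separator or length prefix lets distinct inputs collide, as concat_ambiguity() shows; a fixed separator or a keyed construction such as HMAC avoids it.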

