

Ask HN: Is deriving passwords from a master key and service name a good idea? - ninov

Hi,
I had an idea about generating passwords for different services (e.g. Hacker News, Facebook, Twitter, ...) by using a cryptographic hash of a master key chosen by each person and the service's name, like this (python):

  import hashlib
  import base64
  
  def password(masterkey, service):
      h = hashlib.sha256() # probably could use hashlib.hmac?
      h.update(bytearray(masterkey, "utf-8"))
      h.update(bytearray(service, "utf-8"))
      return base64.b85encode(h.digest()).decode("utf-8") # With Base85 and SHA256 we'll get passwords of 40 characters including numbers, letters and some special chars
  
  key = r"&T{TEeN_\q9+-L9_"  # raw string: the key contains a backslash, and "\q" is not a valid escape
  
  print(password(key, "hackernews"))  # "kLh4WhHTC^M*$uko=plAViC{J;%WJ)9`jlo&-`cS" will be used as my HN password
  print(password(key, "facebook"))    # "0B+37p0n@JKP)b>nz}yfJ%#Qy*^d+gsQRwF08S}Q" will be used as my facebook password
  print(password(key, "twitter"))     # "SeR$P!-Z_z%%J5NI0qtO@5Y#$`K-d*7glNC%w=EQ" will be used as my twitter password
One would only have to remember his master key and could then derive all of his passwords from it and use a similar app on his smartphone or other devices.
So it has the simplicity of using one password for all services, but it's way more secure, because when someone knows my password for one service he doesn't know it for any other service. It's probably not as secure as using a password manager with independently generated random passwords, but you have to maintain its database, sync it with other devices and so on...

As I didn't find any program which does this and as this isn't really complicated, there must be a serious downside I didn't notice.
(Or not, and I just didn't google well enough or I'm really the first one to think about this.)

So, to all cryptography nerds on HN: Is there something stupid about this I'm not seeing?
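An added example, not the poster's code, that puts the scheme above next to a hardened variant so the trade-offs are concrete. `naive_password` is the posted construction (SHA-256 over the bare concatenation of key and service name). `derive_password` is an assumed replacement that length-prefixes its inputs, folds a rotation counter into the salt, and uses PBKDF2-HMAC-SHA256 from the standard library; the function names, the `"pwgen-v1"` label and the 600,000-iteration default are choices made for this example, not anything from the post. `recover_master_from_leak` shows what someone holding one derived password can do with it.

```python
import base64
import hashlib
import hmac
import struct
from typing import Callable, Iterable, Optional


def naive_password(masterkey: str, service: str) -> str:
    """The posted scheme: SHA-256 over the bare concatenation key || service."""
    h = hashlib.sha256()
    h.update(masterkey.encode("utf-8"))
    h.update(service.encode("utf-8"))
    return base64.b85encode(h.digest()).decode("ascii")


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix every field so ("ab", "c") and ("a", "bc") serialize differently."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw
    return out


def derive_password(masterkey: str, service: str, counter: int = 0,
                    iterations: int = 600_000) -> str:
    """Per-service password from a master key using PBKDF2-HMAC-SHA256.

    The service name and a rotation counter go into the salt, so one master
    key yields an unrelated password per service and per counter value.
    The iteration count (600_000 is an assumed default, not from the post)
    makes each guess of the master key cost that many HMAC calls instead of
    one SHA-256 call. There is still no secret salt: anyone who learns one
    derived password can test master-key guesses offline.
    """
    salt = _encode_fields("pwgen-v1", service, str(counter))
    dk = hashlib.pbkdf2_hmac("sha256", masterkey.encode("utf-8"), salt,
                             iterations, dklen=32)
    return base64.b85encode(dk).decode("ascii")  # 32 bytes -> 40 Base85 characters


def recover_master_from_leak(leaked_password: str, service: str,
                             candidates: Iterable[str],
                             derive: Callable[[str, str], str]) -> Optional[str]:
    """What an attacker who obtained one site password can do: re-run the
    public derivation over candidate master keys until one reproduces it.
    The cost of this loop is exactly the cost of `derive`, which is why a
    single fast hash is the weak point of the posted scheme."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate, service), leaked_password):
            return candidate
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo key, not a real secret
    for svc in ("hackernews", "facebook", "twitter"):
        print(f"{svc:10s} {derive_password(master, svc)}")
    # Rotating one site's password: bump the counter, keep the master key.
    print("hackernews (counter=1)", derive_password(master, "hackernews", counter=1))
    # The bare-concatenation ambiguity in the posted scheme:
    print("naive collision:", naive_password("ab", "c") == naive_password("a", "bc"))
    # Offline guessing against one leaked password (tiny constructed wordlist):
    leaked = naive_password("hunter2", "hackernews")
    print("recovered:", recover_master_from_leak(
        leaked, "hackernews", ["password", "letmein", "hunter2"], naive_password))
```

Two practical points the code makes visible: without a counter (or some other changing input) a single site's password cannot be changed after a breach without changing the master key everywhere, and the Base85 alphabet includes characters such as `<`, `>`, `{` and `|` that some sites reject, so a deployment usually needs a per-service output alphabet or length as well.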
======
tritlo
I'm in no way qualified to answer this, but this is probably good enough for
most personal use.

