
Show HN: MasterPassX, deterministic stateless password generator - CraftThatBlock
https://medium.com/@cretezy/masterpassx-a-better-stateless-password-generator-a06b93b9aa8c
======
bradknowles
Once they capture your master password, it’s game over.

How can you be sure your master password is being kept secure?

And what happens on those sites where the stateless generated password isn’t
accepted by the remote end? Or you are required to change your password after
a while and you can’t re-use any old passwords?

~~~
CraftThatBlock
I'm going to be adding a better form input to highly recommend users to use
good passwords.

Since it doesn't store the master password (just the key derived from it),
that is the true "game over" but would require trying the whole 2^256 space
with HMAC-SHA256 to brute force the key.

If they try to brute force the actual master password, it would be extremely
slow since it uses scrypt with a high n, which runs at 2 hash/sec on a good
desktop (probably could be a lot higher using dedicated hardware, but still
very very low compared to SHA256 which stands at millions of hash/sec).

I don't understand your last point, can you rephrase it?
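
Added example, not part of the thread and not MasterPassX's own code: a minimal sketch of the two-stage scheme the reply describes, with a slow scrypt step that turns the master password into a 256-bit key and a fast HMAC-SHA256 step that turns that key into a per-site password. The scrypt parameters, the salt choice, the message layout, the output encoding and the `counter` argument (one way to handle a forced password change) are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Assumed cost parameters for illustration; not MasterPassX's actual settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_key(master_password: str, salt: str) -> bytes:
    """Slow step: stretch the master password into a 256-bit key with scrypt.

    Only this key would need to be kept by the tool; each guess at the
    master password costs an attacker one full scrypt evaluation.
    """
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=salt.encode("utf-8"),  # assumed: a per-user value such as a username
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024,    # headroom above the ~16 MiB these parameters need
        dklen=32,
    )


def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Fast step: HMAC-SHA256 over site name and counter, encoded as text.

    Bumping the counter yields a fresh password for the same site, but the
    counter is then a piece of per-site state the user has to remember.
    """
    if not 1 <= length <= 43:  # 32 digest bytes give 43 unpadded base64 characters
        raise ValueError("length must be between 1 and 43")
    msg = f"{site}\x00{counter}".encode("utf-8")  # NUL separator avoids ambiguity
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample inputs.
    key = derive_key("correct horse battery staple", "alice")
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=2))
```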

