
Wouldn't combining the "master_password", "domain" and your username/email save you from worrying about the "n" variable?

You are using "n" to differentiate between multiple accounts on "domain", right? Or am I misunderstanding?




No, I'm using 'n' to deal with websites that periodically require you to change your password and enforce that you use a new password.

I suppose I could also do it as master_password + '/' + domain + str(n) or something like that.
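An added example, not code from this thread or from the project being discussed: a counter-based derivation using the thread's `master_password`, `domain` and `n`. It assumes PBKDF2-HMAC-SHA256 as the stretching function, a 62-character output alphabet and hypothetical function names, and it shows why plain `domain + str(n)` concatenation is ambiguous while length-prefixed fields are not.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits  # assumed output charset (62 symbols)

def _field(value: str) -> bytes:
    """Length-prefix one field so adjacent fields cannot run into each other."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw

def naive_salt(domain: str, n: int) -> bytes:
    """Plain concatenation: domain + str(n)."""
    return (domain + str(n)).encode("utf-8")

def framed_salt(domain: str, n: int) -> bytes:
    """Unambiguous encoding: every field carries its own length."""
    return _field(domain) + _field(str(n))

def derive_password(master_password: str, salt: bytes,
                    length: int = 20, iterations: int = 200_000) -> str:
    """Stretch the master password (assumed KDF), then map the output to ALPHABET."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, iterations, dklen=64)
    value = int.from_bytes(key, "big")  # 512 bits, so modulo bias is negligible
    chars = []
    for _ in range(length):
        value, idx = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)

def site_password(master_password: str, domain: str, n: int) -> str:
    """Deterministic per-site password; bump n when a site forces a change."""
    return derive_password(master_password, framed_salt(domain, n))

if __name__ == "__main__":
    master = "constructed-master-password"  # constructed sample value
    # Two different (domain, n) pairs collapse to the same naive input...
    print(naive_salt("example.com", 12) == naive_salt("example.com1", 2))
    # ...but stay distinct once each field is length-prefixed.
    print(framed_salt("example.com", 12) == framed_salt("example.com1", 2))
    for n in (1, 2):
        print(n, site_password(master, "example.com", n))
```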


Ahh, OK, then how about using the DateTime at runtime? That would then save you from having to keep "n" stored elsewhere for future uses.

Edit: never mind, this would prevent you from retrieving the password - I had in mind a password generator, sorry.


By the way, it's generally not a good idea to use dates in password generation or for random seeds. An attacker who has any information about the approximate time you generated the password (e.g. minutes before registering for a site) would be able to iterate over those several thousand seconds.

For consumer use cases, you should use sources of noise for this, such as microphone noise, mouse movements, fluctuating voltages, etc. If you wanted to be super-secure you would use a quantum random number generator, which is truly random, but unnecessary for the threat models of most consumer uses. Just use anything but date/time. The random number generators of most modern languages and operating systems already have such measures in place.



